metasploit | 308a0f3257bf6ad05f5207594b0261c39f61c57066d2be0c29398e2156758c5c

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

308a0f3257bf6ad05f5207594b0261c39f61c57066d2be0c29398e2156758c5c.exe
Size

4.2MB
MD5

c675dc6b639e1a3d7e2f3a694c486a5f
SHA1

944ffd88a42adab46743899233741e7feedd0d00
SHA256

308a0f3257bf6ad05f5207594b0261c39f61c57066d2be0c29398e2156758c5c
SHA512

0bdb20eb207b76f800e52512097558608d109c76f2ca93489bee2366b9be5bc2297d8a51ea849abd16da137ec6e7349b90d63cae0b33516f720a429453a58c2c
SSDEEP

98304:cb3UWflOTIqC3ySgD2fG2+MdcFfHZK2GKfezy+abyUl1OkmIospc:kNIcqCCBDATofM2Dmu+aXl1lmEc

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

192.168.17.158:9000

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1868-0-0x0000000140000000-0x0000000140729000-memory.dmp	upx
behavioral1/memory/1868-1-0x0000000140000000-0x0000000140729000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

308a0f3257bf6ad05f5207594b0261c39f61c57066d2be0c29398e2156758c5c.exe

description	pid	process	target process
PID 1868 wrote to memory of 1728	1868	308a0f3257bf6ad05f5207594b0261c39f61c57066d2be0c29398e2156758c5c.exe	WerFault.exe
PID 1868 wrote to memory of 1728	1868	308a0f3257bf6ad05f5207594b0261c39f61c57066d2be0c29398e2156758c5c.exe	WerFault.exe
PID 1868 wrote to memory of 1728	1868	308a0f3257bf6ad05f5207594b0261c39f61c57066d2be0c29398e2156758c5c.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\308a0f3257bf6ad05f5207594b0261c39f61c57066d2be0c29398e2156758c5c.exe
"C:\Users\Admin\AppData\Local\Temp\308a0f3257bf6ad05f5207594b0261c39f61c57066d2be0c29398e2156758c5c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1868 -s 196
2⤵
PID:1728

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1868-0-0x0000000140000000-0x0000000140729000-memory.dmp

Filesize
7.2MB

Download
memory/1868-1-0x0000000140000000-0x0000000140729000-memory.dmp

Filesize
7.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads