metasploit | 716b65a42612f32fa410f3365eae3e348b9f046d5678e280f8e448d8c6e7b852

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 17:02

Target

download.exe
Size

4KB
MD5

512c08286e3d66c21987e05f09ce7125
SHA1

5a5970be0883565aeef9ab152713d6a41ac7daf6
SHA256

716b65a42612f32fa410f3365eae3e348b9f046d5678e280f8e448d8c6e7b852
SHA512

b20db24435d54afdbb4f89a307212622739ea9a63bd2c668214f0493e92d38edde0bf59aece36f89f7152a0039ba06169313a7cca0f671c645d00b8a50012cac
SSDEEP

96:pxd6xaXg+9n+O0Kv5jhB5IJuG7XZgD6tYTB9X:LM0dp+BKvhhEuG7peDB1

Score

10^/10

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://20.81.130.178:8080/ransomware.exe

Family

metasploit

Version

encoder/shikata_ga_nai

Family

metasploit

Version

windows/exec

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 2344 powershell.exe
Downloads MZ/PE file
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2344 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2344 powershell.exe

flow	pid	process
4	2344	powershell.exe

pid	process
2344	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2344	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

download.exe

description	pid	process	target process
PID 2088 wrote to memory of 2344	2088	download.exe	powershell.exe
PID 2088 wrote to memory of 2344	2088	download.exe	powershell.exe
PID 2088 wrote to memory of 2344	2088	download.exe	powershell.exe
PID 2088 wrote to memory of 2344	2088	download.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\download.exe
"C:\Users\Admin\AppData\Local\Temp\download.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088

memory/2088-0-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2088-2-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2344-5-0x00000000743C1000-0x00000000743C2000-memory.dmp

Filesize
4KB

Download
memory/2344-6-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2344-7-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2344-8-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2344-9-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2344-10-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2344-11-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download