metasploit | 58e4fa8e72bb969c8066f16e78d3d71eb7225b508c9841e07c4858c6ac76ef29

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 03:23

Target

2024-09-18_01215203bc95b91916b8cea76d6ec349_cobalt-strike_ryuk.exe
Size

1.6MB
MD5

01215203bc95b91916b8cea76d6ec349
SHA1

65274df9bf9bb4c9de43817cd6689b883d59fcbe
SHA256

58e4fa8e72bb969c8066f16e78d3d71eb7225b508c9841e07c4858c6ac76ef29
SHA512

36f2ca145ef54fa714567cc175c64b7a7f2fdfb315ab50070ddba68c9149a29e3a1a50e69cf55ad4368e6c9079580b161bf9d576bbad1262a90dba2120936770
SSDEEP

49152:8lp9tHfYoEaTSiz23THT3WSMpDgF/qB07j6KIeVSc/zui+:8X/LEQkF/qBO6K2c/ii+

Score

10^/10

Family

metasploit

Version

windows/shell_bind_tcp

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 1668	584	2024-09-18_01215203bc95b91916b8cea76d6ec349_cobalt-strike_ryuk.exe	31
PID 584 wrote to memory of 1668	584	2024-09-18_01215203bc95b91916b8cea76d6ec349_cobalt-strike_ryuk.exe	31
PID 584 wrote to memory of 1668	584	2024-09-18_01215203bc95b91916b8cea76d6ec349_cobalt-strike_ryuk.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-09-18_01215203bc95b91916b8cea76d6ec349_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-18_01215203bc95b91916b8cea76d6ec349_cobalt-strike_ryuk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 584 -s 152
  2⤵
  PID:1668

memory/584-0-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download