metasploit | 62eb3e3c2e6bbec787239feb4d9e95211959d60eaa1ffa69fd15b7dcbe506652

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62eb3e3c2e6bbec787239feb4d9e95211959d60eaa1ffa69fd15b7dcbe506652.exe
Size

2.3MB
MD5

10aa9bd22f5bec44cf8f7f6e114289b2
SHA1

11a17c156c2f95241b99bdbd8adfb142c2926ab1
SHA256

62eb3e3c2e6bbec787239feb4d9e95211959d60eaa1ffa69fd15b7dcbe506652
SHA512

713d65f6c6ec265392c57f3937a45945842c71edd5b821bd4bc1a3fdaff0e6e838d79bd6d379a6100873923efb5f2b2f58bb553d4b2f3f0ce5c36b34151af6ba
SSDEEP

49152:eb6YlxiqHeqFkZuBc1L2rN6Imv6XM1aXD7Z9PZkf2Ot6ZdzWFG:I6YlFeAUL4YImv6XnzXPI2Oo7SA

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.100.49:5555

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2308-0-0x000000013F1B0000-0x000000013F477000-memory.dmp	upx
behavioral1/memory/2308-1-0x000000013F1B0000-0x000000013F477000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2372	2308	62eb3e3c2e6bbec787239feb4d9e95211959d60eaa1ffa69fd15b7dcbe506652.exe	31
PID 2308 wrote to memory of 2372	2308	62eb3e3c2e6bbec787239feb4d9e95211959d60eaa1ffa69fd15b7dcbe506652.exe	31
PID 2308 wrote to memory of 2372	2308	62eb3e3c2e6bbec787239feb4d9e95211959d60eaa1ffa69fd15b7dcbe506652.exe	31

C:\Users\Admin\AppData\Local\Temp\62eb3e3c2e6bbec787239feb4d9e95211959d60eaa1ffa69fd15b7dcbe506652.exe
"C:\Users\Admin\AppData\Local\Temp\62eb3e3c2e6bbec787239feb4d9e95211959d60eaa1ffa69fd15b7dcbe506652.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2308 -s 40
  2⤵
  PID:2372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2308-0-0x000000013F1B0000-0x000000013F477000-memory.dmp

Filesize
2.8MB

Download
memory/2308-1-0x000000013F1B0000-0x000000013F477000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads