Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
20-11-2024 08:00
Behavioral task
behavioral1
Sample
7979ec8cfc277cfd77512e5c1732126f6663015275258a0f20171dd2a4a84352.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
7979ec8cfc277cfd77512e5c1732126f6663015275258a0f20171dd2a4a84352.exe
Resource
win10v2004-20241007-en
General
-
Target
7979ec8cfc277cfd77512e5c1732126f6663015275258a0f20171dd2a4a84352.exe
-
Size
12KB
-
MD5
d19a92ba44d74527de27f408ba7e7984
-
SHA1
2e5020ae61addc4c1ca43f13620dad45d0e85fe1
-
SHA256
7979ec8cfc277cfd77512e5c1732126f6663015275258a0f20171dd2a4a84352
-
SHA512
09b3bb31ce54eb717f365dbfdaa417dbddfcd91887f8f33ebf6ce8b7aec98e89fa3060c1f5d67172e44f0b8059c88df755a95f9fad6fd3c8baae8c4d80fe81b9
-
SSDEEP
192:RcU6wvQWrvUuyje4Vx7ve+6gbjz3Q5tf/rZj:myQWrvITViaH3
Malware Config
Extracted
metasploit
windows/download_exec
http://192.168.189.142:1234/RsRE
- headers User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
7979ec8cfc277cfd77512e5c1732126f6663015275258a0f20171dd2a4a84352.exedescription pid Process procid_target PID 108 wrote to memory of 352 108 7979ec8cfc277cfd77512e5c1732126f6663015275258a0f20171dd2a4a84352.exe 31 PID 108 wrote to memory of 352 108 7979ec8cfc277cfd77512e5c1732126f6663015275258a0f20171dd2a4a84352.exe 31 PID 108 wrote to memory of 352 108 7979ec8cfc277cfd77512e5c1732126f6663015275258a0f20171dd2a4a84352.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\7979ec8cfc277cfd77512e5c1732126f6663015275258a0f20171dd2a4a84352.exe"C:\Users\Admin\AppData\Local\Temp\7979ec8cfc277cfd77512e5c1732126f6663015275258a0f20171dd2a4a84352.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:108 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 108 -s 402⤵PID:352
-