metasploit | 473554339f94766234e9da39429e9877f0e3868c007a2e171b765d3fe03effbb

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/12/2024, 03:29

Target

473554339f94766234e9da39429e9877f0e3868c007a2e171b765d3fe03effbb.exe
Size

14KB
MD5

eb303aef56b76c4a8df476b204675d59
SHA1

54a7d4d42032c0847e560cc3ee7ef267cdcf917c
SHA256

473554339f94766234e9da39429e9877f0e3868c007a2e171b765d3fe03effbb
SHA512

ac6722d4a30e3766d9a624164fc07bc4aea179749b434f32b9e879e17723b9bef7444d793edf83ec17fd08e85cedf52dd994cdf34896ce4b2360207fb6307eb8
SSDEEP

192:pO9ZTxj4jSIpMdg5wGWEQP+sN9UaaIYCYbM0bDUY4:pOBj4jSIqi3QUDnb1b

Score

10^/10

Family

metasploit

Version

windows/download_exec

http://192.168.196.144:10010/IPab

Attributes

headers User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 772	1164	473554339f94766234e9da39429e9877f0e3868c007a2e171b765d3fe03effbb.exe	31
PID 1164 wrote to memory of 772	1164	473554339f94766234e9da39429e9877f0e3868c007a2e171b765d3fe03effbb.exe	31
PID 1164 wrote to memory of 772	1164	473554339f94766234e9da39429e9877f0e3868c007a2e171b765d3fe03effbb.exe	31

C:\Users\Admin\AppData\Local\Temp\473554339f94766234e9da39429e9877f0e3868c007a2e171b765d3fe03effbb.exe
"C:\Users\Admin\AppData\Local\Temp\473554339f94766234e9da39429e9877f0e3868c007a2e171b765d3fe03effbb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1164 -s 36
  2⤵
  PID:772

memory/1164-0-0x000000013FD70000-0x000000013FD7C000-memory.dmp

Filesize
48KB

Download