metasploit | 0233fdb00236ac7629c8dd317ef59e0fc5131196731ef51cab5e2252f0a0982b

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 19:22

Target

0233fdb00236ac7629c8dd317ef59e0fc5131196731ef51cab5e2252f0a0982b.exe
Size

30KB
MD5

e662d796271b9e498d0b4bccb70d3edd
SHA1

d39a3498cb5fb45a99f4cc969e2353679430ed8a
SHA256

0233fdb00236ac7629c8dd317ef59e0fc5131196731ef51cab5e2252f0a0982b
SHA512

12e2390538e5f316e14c499c9386971e18c42de08c0ea8dc656f05732b85fe6c7548a34f359dabd55015f165e28da1dd1d4a24c2942f8011d7afa077be4d4c3b
SSDEEP

384:ZFXXmCSIIV7J7oC8UUTMyZkSEyga0YsorLujTYon7bkV+2EjsCpol+/oddpmWFif:PnRIFR1CBVsoHuvlnvp2isC2p90X+2p

Score

10^/10

Family

metasploit

Version

metasploit_stager

192.168.191.103:4444

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1212	2112	0233fdb00236ac7629c8dd317ef59e0fc5131196731ef51cab5e2252f0a0982b.exe	30
PID 2112 wrote to memory of 1212	2112	0233fdb00236ac7629c8dd317ef59e0fc5131196731ef51cab5e2252f0a0982b.exe	30
PID 2112 wrote to memory of 1212	2112	0233fdb00236ac7629c8dd317ef59e0fc5131196731ef51cab5e2252f0a0982b.exe	30
PID 1212 wrote to memory of 2324	1212	0233fdb00236ac7629c8dd317ef59e0fc5131196731ef51cab5e2252f0a0982b.exe	31
PID 1212 wrote to memory of 2324	1212	0233fdb00236ac7629c8dd317ef59e0fc5131196731ef51cab5e2252f0a0982b.exe	31
PID 1212 wrote to memory of 2324	1212	0233fdb00236ac7629c8dd317ef59e0fc5131196731ef51cab5e2252f0a0982b.exe	31

C:\Users\Admin\AppData\Local\Temp\0233fdb00236ac7629c8dd317ef59e0fc5131196731ef51cab5e2252f0a0982b.exe
"C:\Users\Admin\AppData\Local\Temp\0233fdb00236ac7629c8dd317ef59e0fc5131196731ef51cab5e2252f0a0982b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\0233fdb00236ac7629c8dd317ef59e0fc5131196731ef51cab5e2252f0a0982b.exe
  C:\Users\Admin\AppData\Local\Temp\0233fdb00236ac7629c8dd317ef59e0fc5131196731ef51cab5e2252f0a0982b.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\0233fdb00236ac7629c8dd317ef59e0fc5131196731ef51cab5e2252f0a0982b.exe
    C:\Users\Admin\AppData\Local\Temp\0233fdb00236ac7629c8dd317ef59e0fc5131196731ef51cab5e2252f0a0982b.exe
    3⤵
    PID:2324

memory/1212-3-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1212-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2112-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2112-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2324-1-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2324-4-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2324-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download