Analysis
-
max time kernel
105s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/01/2025, 07:23
Static task
static1
Behavioral task
behavioral1
Sample
373e842add73b4a027719d13973412c68439746e09a972bbc33631f2a86a5a40N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
373e842add73b4a027719d13973412c68439746e09a972bbc33631f2a86a5a40N.exe
Resource
win10v2004-20241007-en
General
-
Target
373e842add73b4a027719d13973412c68439746e09a972bbc33631f2a86a5a40N.exe
-
Size
2.5MB
-
MD5
bc4b78ea6cf4202079a897daef37f450
-
SHA1
fed436250222eae2964c4dac39e44d111d1233da
-
SHA256
373e842add73b4a027719d13973412c68439746e09a972bbc33631f2a86a5a40
-
SHA512
ec0ae258d192740d0af462166a0e055e7c97e7109d750e9f6c94af3b2b32099cbe1b42b152098532f7dc138c1a018dd0116d2f9b35cc76f53bf31f249081286a
-
SSDEEP
49152:J7t9umhoj35iGpviEhwuZ3ZX3AVKAW4kliQvscLaq:gmirqGwuZ3ZnAB+iJcH
Malware Config
Extracted
metasploit
metasploit_stager
192.168.146.128:4444
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Executes dropped EXE 1 IoCs
pid Process 1500 payload_12345.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4932 wrote to memory of 3920 4932 373e842add73b4a027719d13973412c68439746e09a972bbc33631f2a86a5a40N.exe 84 PID 4932 wrote to memory of 3920 4932 373e842add73b4a027719d13973412c68439746e09a972bbc33631f2a86a5a40N.exe 84 PID 3920 wrote to memory of 1500 3920 cmd.exe 85 PID 3920 wrote to memory of 1500 3920 cmd.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\373e842add73b4a027719d13973412c68439746e09a972bbc33631f2a86a5a40N.exe"C:\Users\Admin\AppData\Local\Temp\373e842add73b4a027719d13973412c68439746e09a972bbc33631f2a86a5a40N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\payload_12345.exe2⤵
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Users\Admin\AppData\Local\Temp\payload_12345.exeC:\Users\Admin\AppData\Local\Temp\payload_12345.exe3⤵
- Executes dropped EXE
PID:1500
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5104e2e8a4cc873dd46a4053dcee51342
SHA1a7cb3ccedf1d45ae90e1e9cdd926f6b56923e097
SHA256c67ed55d8bd1aabfd10ca1285a967f528682962a1ac4210f67331f87dccc5aa6
SHA51212cd1d89032774b866adbff4a741d9b16c626f7f8c3117c3854be25c920c5f2294a0c23df45093d4ebb3fe985d49320797878119c62f78b5d78b87b73465cb09