metasploit | bff47951616eef6c58a23e2b26b71dadfd3c263a8d9931ac39ff29efc4b42c9f

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 02:17

Target

bff47951616eef6c58a23e2b26b71dadfd3c263a8d9931ac39ff29efc4b42c9f.exe
Size

758KB
MD5

74ca33d330c3536d1d0ca4d35971f257
SHA1

bbdb8080407ce6a96fa85d4531babd83fc795f79
SHA256

bff47951616eef6c58a23e2b26b71dadfd3c263a8d9931ac39ff29efc4b42c9f
SHA512

24c45c37d99606d53d0f51c865d3b24458d39250b7470aef15d5585d34e206aafa22273efa3203e32f6633127e9a9150f2ed5af5e46ef1a064860557e8f86d8f
SSDEEP

6144:Jv7Wc41yC7dXNBzn68YoC+6VoQSkgrpZHqk61peBN1L+I8pfezYeWHMzyy14pL1k:JvSbxxPRC+XQSxb6Dc7RwIWHeGL7GOK

Score

10^/10

Family

metasploit

Version

metasploit_stager

172.16.85.133:4444

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1608 2056 WerFault.exe bff47951616eef6c58a23e2b26b71dadfd3c263a8d9931ac39ff29efc4b42c9f.exe

pid	pid_target	process	target process
1608	2056	WerFault.exe	bff47951616eef6c58a23e2b26b71dadfd3c263a8d9931ac39ff29efc4b42c9f.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bff47951616eef6c58a23e2b26b71dadfd3c263a8d9931ac39ff29efc4b42c9f.exe

description	pid	process	target process
PID 2056 wrote to memory of 1608	2056	bff47951616eef6c58a23e2b26b71dadfd3c263a8d9931ac39ff29efc4b42c9f.exe	WerFault.exe
PID 2056 wrote to memory of 1608	2056	bff47951616eef6c58a23e2b26b71dadfd3c263a8d9931ac39ff29efc4b42c9f.exe	WerFault.exe
PID 2056 wrote to memory of 1608	2056	bff47951616eef6c58a23e2b26b71dadfd3c263a8d9931ac39ff29efc4b42c9f.exe	WerFault.exe
PID 2056 wrote to memory of 1608	2056	bff47951616eef6c58a23e2b26b71dadfd3c263a8d9931ac39ff29efc4b42c9f.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\bff47951616eef6c58a23e2b26b71dadfd3c263a8d9931ac39ff29efc4b42c9f.exe
"C:\Users\Admin\AppData\Local\Temp\bff47951616eef6c58a23e2b26b71dadfd3c263a8d9931ac39ff29efc4b42c9f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 184
2⤵
- Program crash
PID:1608

memory/2056-0-0x0000000001000000-0x00000000010C0000-memory.dmp

Filesize
768KB

Download