metasploit | 3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5

General

Target

3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5.ps1
Size

814KB
MD5

c925822c6d5175c30ba96388b07e9e16
SHA1

dd10c4c9a71b5850c23fde513525cac86943523e
SHA256

3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5
SHA512

754f9cd80df7f78bbc1ea1bf0b4bfddcff815702649c8227defa62308cee96e5db1c526739a2caf4b50e784f60d131e49b078ba94cd1c0656f44d08efd02ec53

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://157.230.184.142:443/ST/TWGRYKf0/d/du92w/RUk/Z2l.htm

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1340 280 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exeWerFault.exe

pid process

280 powershell.exe
1340 WerFault.exe
1340 WerFault.exe
1340 WerFault.exe
1340 WerFault.exe
1340 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 280 powershell.exe
Token: SeDebugPrivilege 1340 WerFault.exe

pid	pid_target	process	target process
1340	280	WerFault.exe	powershell.exe

pid	process
280	powershell.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	1340	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 280 wrote to memory of 1064	280	powershell.exe	csc.exe
PID 280 wrote to memory of 1064	280	powershell.exe	csc.exe
PID 280 wrote to memory of 1064	280	powershell.exe	csc.exe
PID 1064 wrote to memory of 816	1064	csc.exe	cvtres.exe
PID 1064 wrote to memory of 816	1064	csc.exe	cvtres.exe
PID 1064 wrote to memory of 816	1064	csc.exe	cvtres.exe
PID 280 wrote to memory of 1340	280	powershell.exe	WerFault.exe
PID 280 wrote to memory of 1340	280	powershell.exe	WerFault.exe
PID 280 wrote to memory of 1340	280	powershell.exe	WerFault.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rkywclmr\rkywclmr.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA61F.tmp" "c:\Users\Admin\AppData\Local\Temp\rkywclmr\CSC7FBA6451522541D1BF3781DA8AE1EE44.TMP"
3⤵
PID:816

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 280 -s 1348
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA61F.tmp
MD5
998ebf6ec27f8f67c98bfc7c62defe80

SHA1
e262d62817833a4aa8c808f05ce8e9fd871af969

SHA256
e6958208258f1386999340740a439587b5a3e0338f69945f6ecd9c6e6fc0bd45

SHA512
f4e65178dcba77ff09a735ab64c1a40e28512f107dc524953c5e94edcead7765e8ed1be548e60f132c369c56705be50a352d74602432e596318dea0a0613248a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkywclmr\rkywclmr.dll
MD5
e979512e03556b986018e1228289445e

SHA1
6633e49a49f3ebe404fa34dc53dadfbdb5e84f81

SHA256
7a21d903c41d417f97dd904f668fa654d316bfda9916cf87415fe22541f2e7d9

SHA512
cf8173c1aefb2214ff94f076f25b841b74d404846f88e825128cb8feb127fdec6c9afff01ebd3121468d3a9ca6a07b394cbe14b06090a96829a443f18da2db92

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rkywclmr\CSC7FBA6451522541D1BF3781DA8AE1EE44.TMP
MD5
556d200922dd6281f6bea33259466415

SHA1
7652682b7b653db27501dbb873986dc23cd4bdf1

SHA256
7f87d2cbe4a06a5fe41789fd2584d0f875c32644ba95d6c745e5f5b977314ed8

SHA512
e646b68e3a4a90f35ae617bb242a11365dbe9e6d685f7da1d2217ea20e6da890c1240d0849fe049c0a7fbccea3557bb57bb504e8f113d29cd22565093898fd04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rkywclmr\rkywclmr.0.cs
MD5
a389a7ef15e3b09cfb3690bc909266d5

SHA1
2bd8c9a9a96fffff27f81306a8bc91e4fca7fa15

SHA256
ebf32f279e139576b159cafcf9cc217ca43b9e342d882471c8da84a243206ac9

SHA512
9797b728fec11e2e359051cbc0049e3abfbd8396a819dbeed0b2d8bd083b1a5bf45c04243fb44e4a8c99388177e46161fb5d449028d16d504dfd35888cff591c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rkywclmr\rkywclmr.cmdline
MD5
aa2c6ffa49f9c4d28dc3d10d22b2d6bf

SHA1
c6dc70de55c5041a89712ebb11ff211c0f9e2959

SHA256
d018d8179160d5889c82639ef39117a5d6847de9ac84ce4a7e2f33df95e90908

SHA512
65ef014958ecac64a0d7db50ad251cb17a3fe8b84665bcfc0dc8fa2abb2d1cd7820bc79b9ca42b673345fb7f4c3b7fb5bb420a2a07d7eac438349b7f16091ce1

Download Submit
memory/280-64-0x000000001AB90000-0x000000001AB92000-memory.dmp

Filesize
8KB

Download
memory/280-63-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/280-67-0x000000001C630000-0x000000001C631000-memory.dmp

Filesize
4KB

Download
memory/280-78-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/280-65-0x000000001AB94000-0x000000001AB96000-memory.dmp

Filesize
8KB

Download
memory/280-60-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

Filesize
8KB

Download
memory/280-75-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/280-66-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/280-62-0x000000001AC10000-0x000000001AC11000-memory.dmp

Filesize
4KB

Download
memory/280-61-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/816-71-0x0000000000000000-mapping.dmp

Download
memory/1064-68-0x0000000000000000-mapping.dmp

Download
memory/1340-76-0x0000000000000000-mapping.dmp

Download
memory/1340-79-0x0000000001C10000-0x0000000001C11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads