metasploit | 3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5

General

Target

3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5.ps1
Size

814KB
MD5

c925822c6d5175c30ba96388b07e9e16
SHA1

dd10c4c9a71b5850c23fde513525cac86943523e
SHA256

3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5
SHA512

754f9cd80df7f78bbc1ea1bf0b4bfddcff815702649c8227defa62308cee96e5db1c526739a2caf4b50e784f60d131e49b078ba94cd1c0656f44d08efd02ec53

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://157.230.184.142:443/ST/TWGRYKf0/d/du92w/RUk/Z2l.htm

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2792 784 WerFault.exe powershell.exe

pid	pid_target	process	target process
2792	784	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exeWerFault.exe

pid	process
784	powershell.exe
784	powershell.exe
784	powershell.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 784 powershell.exe
Token: SeDebugPrivilege 2792 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	2792	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 784 wrote to memory of 4056	784	powershell.exe	csc.exe
PID 784 wrote to memory of 4056	784	powershell.exe	csc.exe
PID 4056 wrote to memory of 2736	4056	csc.exe	cvtres.exe
PID 4056 wrote to memory of 2736	4056	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0znjyact\0znjyact.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DF9.tmp" "c:\Users\Admin\AppData\Local\Temp\0znjyact\CSC77484ED132DE4165A48CA949FFECCC51.TMP"
3⤵
PID:2736

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 784 -s 1960
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0znjyact\0znjyact.dll
MD5
c7fa67a55201060ecb893f37b37ae3ed

SHA1
f3d6c23fc22353c8c4f92c44f361cee64c1cb686

SHA256
93541bd78813f13209088e11b98d0683f572e152c74253c98ea9bc850f59457e

SHA512
1b7af9c63e0da25fd9546cd6582db3bdac2c256e4b86c3b99a2daa50387d9b78d5099d10fb1c58717fd404f6110414620eeaf7d570939093b906ff3c0611ca20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3DF9.tmp
MD5
5eb0870d4b0966364c690f2253084796

SHA1
55e1437c91d937ae95f287209b0bb15c3adc6652

SHA256
157a1c79b8ffa99d081d2f7246e1f44a3de74c8ceeff8496c63b8ade46219936

SHA512
69d16a161a8dd2c0c280e8b8fd18c6ea62dce0df38003b708768fe3100f3a25e534a7e982fcfc94c7127765de9b0609f71ef05a1f622bd51cd0d02419a573f75

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0znjyact\0znjyact.0.cs
MD5
a389a7ef15e3b09cfb3690bc909266d5

SHA1
2bd8c9a9a96fffff27f81306a8bc91e4fca7fa15

SHA256
ebf32f279e139576b159cafcf9cc217ca43b9e342d882471c8da84a243206ac9

SHA512
9797b728fec11e2e359051cbc0049e3abfbd8396a819dbeed0b2d8bd083b1a5bf45c04243fb44e4a8c99388177e46161fb5d449028d16d504dfd35888cff591c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0znjyact\0znjyact.cmdline
MD5
126048448dfe17a51ce53b7984abdad3

SHA1
d8d25e0bf456fcc4ff9aeb6ab21da801c98ab215

SHA256
9829afcf21670dd57a1d3bf804ac43fb3c854b072d09c603d9558e5133d3c3e7

SHA512
f342d7bb01ac5fb7ff5f8af32ef931e1688c8f76a053ff64b245ceba8bffbaf0862befc11bb2182bc313f25f8561482d235e1a12a8cb837b18436639c63c0142

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0znjyact\CSC77484ED132DE4165A48CA949FFECCC51.TMP
MD5
e9dfb746d773483ad0ff6b6c8d67c08f

SHA1
8149d194ba59d9ba197fb0ce6af463db5aec7be2

SHA256
241a2249ca8ee93cfc2d6a5fb45eeefe6a0fd0ac709d296a77164edd85e7abc7

SHA512
4a01d51f85121f2a1f20e36d44f8f4ac7ae1ae28da8075ea8aa926860a3865f42531e81321b2953ae59efbe6c54ca662ba65737be12bd226b4b6b8e1112cd456

Download Submit
memory/784-124-0x0000012178C23000-0x0000012178C25000-memory.dmp

Filesize
8KB

Download
memory/784-132-0x0000012178C26000-0x0000012178C28000-memory.dmp

Filesize
8KB

Download
memory/784-119-0x0000012160600000-0x0000012160601000-memory.dmp

Filesize
4KB

Download
memory/784-123-0x0000012178C20000-0x0000012178C22000-memory.dmp

Filesize
8KB

Download
memory/784-122-0x00000121795C0000-0x00000121795C1000-memory.dmp

Filesize
4KB

Download
memory/784-137-0x0000012178BC0000-0x0000012178BC1000-memory.dmp

Filesize
4KB

Download
memory/784-140-0x0000012178C10000-0x0000012178C11000-memory.dmp

Filesize
4KB

Download
memory/2736-133-0x0000000000000000-mapping.dmp

Download
memory/4056-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing