metasploit | c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63

General

Target

c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe
Size

28KB
MD5

2604e69479154e5d7ddc00115706ef0f
SHA1

66c3a2ca32c785a3e3850354388e9259b5a8feb4
SHA256

c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63
SHA512

9d6a4d5bf57d24375e991092575ce4fcc7ffa6302adf72ff584abbc3de9d4a7b14be7cfdedfc7d2f5adf41d2268f4e8744b7d02a5eb59efda5a47d6665dea3d6

Score

10^/10

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://45.32.16.170:80/a

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 1980 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1432 powershell.exe
1980 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1432 powershell.exe
Token: SeDebugPrivilege 1980 powershell.exe

flow	pid	process
3	1980	powershell.exe

pid	process
1432	powershell.exe
1980	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exepowershell.exe

description	pid	process	target process
PID 388 wrote to memory of 1432	388	c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe	powershell.exe
PID 388 wrote to memory of 1432	388	c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe	powershell.exe
PID 388 wrote to memory of 1432	388	c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe	powershell.exe
PID 388 wrote to memory of 1432	388	c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe	powershell.exe
PID 1432 wrote to memory of 1980	1432	powershell.exe	powershell.exe
PID 1432 wrote to memory of 1980	1432	powershell.exe	powershell.exe
PID 1432 wrote to memory of 1980	1432	powershell.exe	powershell.exe
PID 1432 wrote to memory of 1980	1432	powershell.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe
"C:\Users\Admin\AppData\Local\Temp\c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
6e0e68db7a2cdcbb291c185925213976

SHA1
41285251689d6697593f6a2250823428d157f1f0

SHA256
817d7a3ec273505482cfa5559318919d4b39991e601b577f26b2a497f70798bf

SHA512
05094ed8cb2413bd882557852ca511895415420bc7240c97a3e2b529e8f4ca1603742007956463a9b626d864905812527805da87de9254ccc75d9b514382eeb6

Download Submit
memory/388-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/388-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/388-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1432-56-0x0000000000000000-mapping.dmp

Download
memory/1432-58-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1432-64-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1980-59-0x0000000000000000-mapping.dmp

Download
memory/1980-62-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1980-63-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download