metasploit | 985f82e71e6781286468c4e8f576009fa3bfdd30facdbc638ec49725da93430b

Analysis

max time kernel
29s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-05-2023 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jbHmvbzS.ps1
Size

3KB
MD5

5274758378f9fc7ec1f11dc97fa86768
SHA1

cfa2566b2bf1824dcc57d98505ba6929714fa42c
SHA256

985f82e71e6781286468c4e8f576009fa3bfdd30facdbc638ec49725da93430b
SHA512

8a391437f015c072023c03e6e9017ae11fa6e8438be90aaf5c419a734dd34061753209acd018669eb13755cb97bfe44f3188b6366394c854cac9e573ad548cb4

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

3.22.53.161:14524

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	944	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
944	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	944	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 996	944	powershell.exe	28
PID 944 wrote to memory of 996	944	powershell.exe	28
PID 944 wrote to memory of 996	944	powershell.exe	28
PID 996 wrote to memory of 1636	996	csc.exe	29
PID 996 wrote to memory of 1636	996	csc.exe	29
PID 996 wrote to memory of 1636	996	csc.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\jbHmvbzS.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ry5t4mhr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45C9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC45B8.tmp"
    3⤵
    PID:1636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES45C9.tmp

Filesize
1KB

MD5
c1e1278df867c149f676bee5df3eea82

SHA1
9216727047a9883d8d85331f4e0501320f27fdf8

SHA256
d04c05a787b83b50b452239dbdf5fef56bb6df63531b4892fc8a1104f7bf21ca

SHA512
bc8b51d0cfdb66e6656677242e0000f36d19d25a48d5a5fbdb68083223c10ea8f93203c1733814c668001af2fb2b903d34c7befec3f7d5f3a48722c2679eeae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ry5t4mhr.dll

Filesize
3KB

MD5
a82ba42388d6d3aab8e43e99d2369c4a

SHA1
10d5cb63dc2dc50f1a2331b1a487a53030864d23

SHA256
7007baccf9d455a6e53f088b561b15b8f6bc048031a3cda9e111c5282c76ffd2

SHA512
94131146ef804c5c79abb89563ac1e6a05a89694f43f8da69e4a8933eecda170dc8c3db5d025b6bddadaa359a327d362d2fbe0d90995d3b21ee2d9c8bafaa670

Download Submit
C:\Users\Admin\AppData\Local\Temp\ry5t4mhr.pdb

Filesize
7KB

MD5
6ffa1ef9ea465ed285ae58b914080ee4

SHA1
c117d0e6c7663657aa6aa0d814b72ffe72f91f97

SHA256
c086c65f12f964b10922bc8a79b3e3a59766d63c527fac2d0615d0bc77adda07

SHA512
69d164c59829c2186ae602ffc84f577249bc00abe0ded1e25b99b8f5953a0f85844a721f0ea2a9ce5e13204de7f13ce0c37e4cb3784a54fe36c075fa564a1c3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC45B8.tmp

Filesize
652B

MD5
bca3c90335f38da4ba8c4c41bcbd876b

SHA1
69720233d32058b247aad39068fe688315fe80e0

SHA256
8105aa7fc8bb137caa7af3c7fcdb0ee3a51dd35faf6e45249188229f4104e10b

SHA512
e738f9cd139847187945a7a8270d1d1b5c99c0d02421c95b5662d14bda71f5211c0800d11979f6a0b69a956dc3533aa3f7f8aae7d9b867badf408bd0b90137ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ry5t4mhr.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ry5t4mhr.cmdline

Filesize
309B

MD5
1c7a432492f4729919ab7a84dc4067a6

SHA1
5017d89c1419260ab0debd61ff6415c80dcc464f

SHA256
06242ccfbf9ce03135da4c7dee40c6507c188df0b31f5318734e214b36cb32b6

SHA512
1bb8042f079a63c25bab77772d8f5c13c8b5aaecc680fdca6f704e47afa0852559e6e26cda5b2113a9bcc6affec15570f2b21dcdfee880ef79f07597a63589ba

Download Submit
memory/944-58-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/944-59-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download
memory/944-65-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/944-66-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/944-75-0x00000000026D0000-0x00000000026D8000-memory.dmp

Filesize
32KB

Download
memory/944-78-0x000000001B6A0000-0x000000001B6A1000-memory.dmp

Filesize
4KB

Download