metasploit | 985f82e71e6781286468c4e8f576009fa3bfdd30facdbc638ec49725da93430b

Analysis

max time kernel
64s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2023 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jbHmvbzS.ps1
Size

3KB
MD5

5274758378f9fc7ec1f11dc97fa86768
SHA1

cfa2566b2bf1824dcc57d98505ba6929714fa42c
SHA256

985f82e71e6781286468c4e8f576009fa3bfdd30facdbc638ec49725da93430b
SHA512

8a391437f015c072023c03e6e9017ae11fa6e8438be90aaf5c419a734dd34061753209acd018669eb13755cb97bfe44f3188b6366394c854cac9e573ad548cb4

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

3.22.53.161:14524

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	5004	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5004	powershell.exe
5004	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4040	5004	powershell.exe	81
PID 5004 wrote to memory of 4040	5004	powershell.exe	81
PID 4040 wrote to memory of 1196	4040	csc.exe	82
PID 4040 wrote to memory of 1196	4040	csc.exe	82

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\jbHmvbzS.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w51nkioi\w51nkioi.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC71.tmp" "c:\Users\Admin\AppData\Local\Temp\w51nkioi\CSC36807F09323647ADB53E30BC1E8F8FC.TMP"
    3⤵
    PID:1196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAC71.tmp

Filesize
1KB

MD5
c1a4a4e27d8b428d89eb4b2ed99f1133

SHA1
669603051e8e1302b9a2c05f2046adfb1f8f168b

SHA256
4ed76305033914f96425e94fdde1c4351a349628e447ae49732aecfe8e4219e6

SHA512
766b81064a1d84abad09b88f81c9ef50f0ca67d98cbaf0d637f058bd71910caff1038c16d1ec975295a35630ff276d682ebb0070df697899388b87dff5f0ddf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5eyei05r.pdd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\w51nkioi\w51nkioi.dll

Filesize
3KB

MD5
5420c107ebc6f46ce2a7824b76448c66

SHA1
847eadd33a0ae60eb6f43f5207b02affa5ccc824

SHA256
7636d1f480c782a83c2439b9c434f3f034436af326e4d8a948663e93bf829228

SHA512
933451f34f429ca3eea9e3276da6a97865573e8f6241513dc0d0d7f4c80dd362e8a2415a0e3a446a23cef7a20fd21310ff64d51be40235f040109fb6c23a92a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w51nkioi\CSC36807F09323647ADB53E30BC1E8F8FC.TMP

Filesize
652B

MD5
ea30e919c3f94edcce09b9a55946fcde

SHA1
97813fb84b8473d7e1b16069135451246571d54c

SHA256
05dfd7f5f4b74314bf63be59cde620fb6a9b83581bd4183be50da01f2c71360d

SHA512
12d675a3feed72dccf67811dc215ad510585f444f26e7047e3c5c2d0b28796a090fa4fe0fee925523724e710df6417fd7999aa40fb2820891659a6c8b13eac09

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w51nkioi\w51nkioi.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w51nkioi\w51nkioi.cmdline

Filesize
369B

MD5
9bb5feb13ff6a61ea6ace0b68b86d3e3

SHA1
8f514063809abf3ef93df53190fd89a3cd8e7f53

SHA256
2bfc241d8053f9c1374bdb63e0e138ebef7ea1b00f9b3b37afaf5412d532e389

SHA512
3110d473868a1766b79f30fa43e223db54efa2432df1501036db77f16e1a7a26db3bb7f4f4f8d28a62b6d10b5cc6df3da99808f0d38bf58a65e7f9e3c4697f17

Download Submit
memory/5004-133-0x00000249AEA30000-0x00000249AEA52000-memory.dmp

Filesize
136KB

Download
memory/5004-143-0x00000249C6FD0000-0x00000249C6FE0000-memory.dmp

Filesize
64KB

Download
memory/5004-144-0x00000249C6FD0000-0x00000249C6FE0000-memory.dmp

Filesize
64KB

Download
memory/5004-145-0x00000249C6FD0000-0x00000249C6FE0000-memory.dmp

Filesize
64KB

Download
memory/5004-159-0x00000249C9B70000-0x00000249C9B71000-memory.dmp

Filesize
4KB

Download