metasploit | 84e917adbd398c3758c2dda4b348f2604c24075bf4986f37cf11a6e7c6ee44c6

General

Target

payld2.ps1
Size

3KB
MD5

9556f794f43f1144c61ae74fad148d29
SHA1

7814c5d6fb658f77776a99fd4151db3940c6f6b6
SHA256

84e917adbd398c3758c2dda4b348f2604c24075bf4986f37cf11a6e7c6ee44c6
SHA512

7acdf01a210a7d4741769ece53d185752a96c901a0aa0e413bf12714833e6c67c8b393360988704644c10cde010036607b58a8617d6c1bffa2a9513d339aabd6

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

146.190.48.229:4547

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	2036	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2036	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1860	2036	powershell.exe	29
PID 2036 wrote to memory of 1860	2036	powershell.exe	29
PID 2036 wrote to memory of 1860	2036	powershell.exe	29
PID 1860 wrote to memory of 1688	1860	csc.exe	30
PID 1860 wrote to memory of 1688	1860	csc.exe	30
PID 1860 wrote to memory of 1688	1860	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\payld2.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7qvhjsy0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA7D.tmp"
    3⤵
    PID:1688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7qvhjsy0.dll

Filesize
3KB

MD5
1dd3d3288ac28c0621b127cadf18bfdb

SHA1
1e4a196edb5f94db0eaccd28eb5764b988f635a3

SHA256
b0b858fbe96fb6b136ecd9d8a7a2cf6960827b32bf26a1b23847b2a3c8befc65

SHA512
e68b8968cc6b90a8de74a24fd44943c37f355bea52a3709f6172a70844d0fd2828c5b101b54b85710227f7fe5086251c32aa068c2b253f8af17490ab3fe8a476

Download Submit
C:\Users\Admin\AppData\Local\Temp\7qvhjsy0.pdb

Filesize
7KB

MD5
3b9ba9cabc340f204fb1926c0f9fec21

SHA1
1742fe6a50376fa9d2da5dffe5fe5e16a21ba73e

SHA256
137bffadaca2fb5c021723c7840dd38cf452cf87018572fd0740b545f15c5dab

SHA512
d612721c0621baee62e18d8a3456a44013abaa84c87ae0c3e64c16e575799519d3e8c2fc4d923fed22f82e44de0c08a81836de96b754ba17c8d208ce6df25ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA8D.tmp

Filesize
1KB

MD5
b9954ac597e9d281304e6f9fab41700a

SHA1
860c7284e45bffbd3a91392edff4d68ba3fea0ef

SHA256
a83140106f2711777fd89c968dc52e366450f67a8d122fa86c8dffb428081fe8

SHA512
eb7c4d2ec177decdc9ac81a846cc6dd84f4f7cb4ce88f6d2f6ba2b256d426b764c4a882b6b83876182c0aa23a17cbf1f67a643a65578152679b973f5d718c24a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7qvhjsy0.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7qvhjsy0.cmdline

Filesize
309B

MD5
d08258fbbed468caec8dcb8816d1f1d8

SHA1
0a5eeea392a0c250fc3451d7a958c3518c497989

SHA256
0f525e22abb2a332f0135ff5cce8d60f0836d0212c8022194389cd62098eaee8

SHA512
301499e233ac35dcce2cf52b220477f3894b64e9c8e74b6bfb2987383f5a3bfb395876ebac0a027fb7205b706c4fd3cbe05bd0091f5b221750864538515d83c9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA7D.tmp

Filesize
652B

MD5
f21bb9a9d1c2099bc33dbd12e5d7d337

SHA1
6a9c3e1c4e69e3b1afe574cf9ab205e0976dbdc0

SHA256
05bbbac2e6b4c92b64b33f0a7dadc9ebc3c3bd6c05464e8a9ff05ebe690935ee

SHA512
06e27366a2a25eed408e6c1e1b9333aa3b3e179bffec976858c48a536412bb9a2133a89548a4f4e54bb70ddf2d81655bd8df32c2b9721828c7776a8f8207c01f

Download Submit
memory/2036-62-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2036-58-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/2036-61-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2036-60-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2036-76-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/2036-59-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/2036-79-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2036-81-0x000000000278B000-0x00000000027C2000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing