metasploit | 8bd256602508869a8555f8afb53cb6842db6786f0f571713c0c82d85d9ab9b2b

Analysis

max time kernel
29s
max time network
32s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30/06/2023, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MGKaJt9P.ps1
Size

3KB
MD5

ecad74c71cd9580c73c3732d0e160aed
SHA1

8689190d9e00a27a869b8d560d4b6f60c9dda431
SHA256

8bd256602508869a8555f8afb53cb6842db6786f0f571713c0c82d85d9ab9b2b
SHA512

41f1eb008214bda3764686e2281842e9c469f143a052ffec2c6541ca46f87342ba7d8c9467ecc2d5c6ced31ccb6327bf453d73cadedb0e99d78c7fa580e490ff

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

18.139.9.214:12258

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	1644	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1644	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 996	1644	powershell.exe	28
PID 1644 wrote to memory of 996	1644	powershell.exe	28
PID 1644 wrote to memory of 996	1644	powershell.exe	28
PID 996 wrote to memory of 304	996	csc.exe	29
PID 996 wrote to memory of 304	996	csc.exe	29
PID 996 wrote to memory of 304	996	csc.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\MGKaJt9P.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8rtlcn3j.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2732.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2731.tmp"
    3⤵
    PID:304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8rtlcn3j.dll

Filesize
3KB

MD5
12087ac56101abb029e4cf0e24574bad

SHA1
c5d8ae1390a2dcec7e3d032c2e7fb8c2e8026ad5

SHA256
d7b25a2c8392ebcdc9e93499961aa64cf90b6907175acc4f6d142cdce47e93bd

SHA512
994607237225217cce5a94c503b3b4afc0aa9390cb2af00aed40cee93ad75c4498fdd39108dab35e0bb085ade95a09e16e71a55b602005626563dc283ba489ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\8rtlcn3j.pdb

Filesize
7KB

MD5
0142826a6d2ce869f82ae831b0e393e2

SHA1
ee69c5e91ff2d3990db6fb89311138017d31ba22

SHA256
7286a1211d8d74382dc159b29228f6f9d4024799d87bd336f0a990b5e612be11

SHA512
1945b6bfbc7839ff02d48c01ecfefab450efb024097c531fa4d00dd39ad3ed683015267508d45051a7ba0591f43c4eae14f787f797f96394f13d6864d3497e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2732.tmp

Filesize
1KB

MD5
eb69311b2de28193dcf98e149ef0daa4

SHA1
5c990cae45e5fe5c8cff4d365e4e508bd9adc54c

SHA256
e94ca58afa354e5d74f6450f34dc91e8b97588c91b5d058650520cacf92c9d10

SHA512
21ec3a199a707f3f7a2dbb4f24cfb8363642b07a8324b4ee8eaf821e647617b2b6bfe317fa1cd2b0923d03ad443c8828e7db1c2497257b09688bc8243f954a00

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8rtlcn3j.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8rtlcn3j.cmdline

Filesize
309B

MD5
80a200f3d4db08bacc95c9c35c0300a1

SHA1
7a2f312d3c25a533fa9d7cee914260f79c9d0da3

SHA256
a102025d03d1d0e435618bb8fb6db303e3bbb3809d80857a371381f535e4fe40

SHA512
5fc32889a049f76270e27a4005e3e574176a4572bdefef6fc91c7ed2d08de4ecfbb91c7c5c125ab9706307fbf5f0a21c8bc19906d88c153c887e62f9e005e2ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2731.tmp

Filesize
652B

MD5
28fb19570f687f126c7163f968e24781

SHA1
2af79279c32eb0100f793e1a5eb60b05bcf6dcba

SHA256
d48f36e7417fd7499339c4f324e4c35266809b847c5c90a0bb0b5f424b3eed37

SHA512
4afd29b2ebf78103608fe4e2713ddf235e288bf0f31693592ca7307a7cdc6668e7f107b8337278f7f841a053f2e5dee56e453600ca37c7eea338ec3b53e3427e

Download Submit
memory/1644-58-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download
memory/1644-69-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1644-75-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/1644-78-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1644-79-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1644-59-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/1644-73-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download