metasploit | 8bd256602508869a8555f8afb53cb6842db6786f0f571713c0c82d85d9ab9b2b

Analysis

max time kernel
90s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2023, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MGKaJt9P.ps1
Size

3KB
MD5

ecad74c71cd9580c73c3732d0e160aed
SHA1

8689190d9e00a27a869b8d560d4b6f60c9dda431
SHA256

8bd256602508869a8555f8afb53cb6842db6786f0f571713c0c82d85d9ab9b2b
SHA512

41f1eb008214bda3764686e2281842e9c469f143a052ffec2c6541ca46f87342ba7d8c9467ecc2d5c6ced31ccb6327bf453d73cadedb0e99d78c7fa580e490ff

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

18.139.9.214:12258

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	5052	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5052	powershell.exe
5052	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5052	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 1964	5052	powershell.exe	84
PID 5052 wrote to memory of 1964	5052	powershell.exe	84
PID 1964 wrote to memory of 3640	1964	csc.exe	85
PID 1964 wrote to memory of 3640	1964	csc.exe	85

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\MGKaJt9P.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0uzs2p1t\0uzs2p1t.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7AE.tmp" "c:\Users\Admin\AppData\Local\Temp\0uzs2p1t\CSCBC25B8F788AC40DC9C667893624FC3D5.TMP"
    3⤵
    PID:3640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0uzs2p1t\0uzs2p1t.dll

Filesize
3KB

MD5
f38d34a7efd19bf87d20500ca6c7a559

SHA1
18b5709ce316d33c4e006796c306432dc810acb1

SHA256
90922ffdeedb102dd472536f3de26b14a854366b19fe6b6978da3d03c900825a

SHA512
2ca3a024af29f34f658830c5a0a6b5cb8832ebfcae173925d40171033cccc2ec246d20199cd857d5b71fa11f6af3d3cfef2e3bd95bb1dc80fc9937068a2d9786

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA7AE.tmp

Filesize
1KB

MD5
aaf1876020e86541d46f1e99df22e575

SHA1
d20dc7e9a2eaea348968dd30f8c7eea56dada1db

SHA256
d546376758bb2f7d23747180d07f3ca247e64c4fc52f436503f98c59852c34fd

SHA512
45b656364aa505ae180c9cdf3ac9b854fb0932a32d7270a87990691e1bee3146a63e39897d142923c6a91c88d1da5e087158d1f9b232a21881c24f5fefa8738b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hqqno0v.zfi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0uzs2p1t\0uzs2p1t.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0uzs2p1t\0uzs2p1t.cmdline

Filesize
369B

MD5
25d49a0e201314ce2803c30e03313994

SHA1
9a57da5cf55a8fb6aec80fe2d05b5f0b48710932

SHA256
a62f9e7abef133b26f4fec0ae6590b86c5b31576181418593ae9705694d8973b

SHA512
f9309d2de9406278ad0cdb0f210903e3d11bdc1e424c6f584dddad59e4b88cb9d6f4cf69ef0bda1cea5c7105509f61dc18b0de7d38a581c9eab1f5f29b7ea6c5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0uzs2p1t\CSCBC25B8F788AC40DC9C667893624FC3D5.TMP

Filesize
652B

MD5
b8430645141532291db8382ad27f2581

SHA1
a32c6d4c58ebd52aaf6a564632e7ab2ed9a1cc30

SHA256
5d7df7cf2b4e1220c9d093d50652f6f8f686eb76c19257d2e1d84ee3844dada1

SHA512
9185cbe7b539f6c3ab54d3c15074811bfc42820568a30203bda5cb3bc3e81ffb7889e6e2edda7dd23149cbe9370205768330b38885f14a7be677d16a20a6b2d7

Download Submit
memory/5052-142-0x000002A0BACC0000-0x000002A0BACE2000-memory.dmp

Filesize
136KB

Download
memory/5052-143-0x000002A0A04F0000-0x000002A0A0500000-memory.dmp

Filesize
64KB

Download
memory/5052-144-0x000002A0A04F0000-0x000002A0A0500000-memory.dmp

Filesize
64KB

Download
memory/5052-145-0x000002A0A04F0000-0x000002A0A0500000-memory.dmp

Filesize
64KB

Download
memory/5052-159-0x000002A0BAF30000-0x000002A0BAF31000-memory.dmp

Filesize
4KB

Download