metasploit | 472e4f80a21736d734de6735d6686d4526d76ff68c3ffc5880d0e44580b1b0ba

General

Target

J94vEGUX.ps1
Size

2KB
MD5

12b7ab8d6832a7ce580266baa4c2c4da
SHA1

16f51e9986289e470adc69d0586d8d6d76a02afa
SHA256

472e4f80a21736d734de6735d6686d4526d76ff68c3ffc5880d0e44580b1b0ba
SHA512

3d493530c92286ca2a7b7ef4cd55dec26e18fc2bdc8f638da537631c03b7d5c477e5fb59db19b611ec92f071aa72396abbd3e4c8b7b59efd87d806395ff811f8

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

46.4.114.111:9999

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1052	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1012	1052	powershell.exe	28
PID 1052 wrote to memory of 1012	1052	powershell.exe	28
PID 1052 wrote to memory of 1012	1052	powershell.exe	28
PID 1012 wrote to memory of 268	1012	csc.exe	29
PID 1012 wrote to memory of 268	1012	csc.exe	29
PID 1012 wrote to memory of 268	1012	csc.exe	29
PID 1052 wrote to memory of 1896	1052	powershell.exe	30
PID 1052 wrote to memory of 1896	1052	powershell.exe	30
PID 1052 wrote to memory of 1896	1052	powershell.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\J94vEGUX.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pdktlemc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES27BE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC27AD.tmp"
    3⤵
    PID:268
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 1104
  2⤵
  PID:1896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES27BE.tmp

Filesize
1KB

MD5
a9d843cc8e6c41757a85ca374311404a

SHA1
337442537e36125efb48b451b441e987cb6b362d

SHA256
a2782944f75535a01dfda6327b6145522146c37afb037b50f728019526ef7918

SHA512
9e640e76877054d2dc75aa50650c966f72cc95cd23a34df0687b0406000fcafa5bce72a36238871b610deda8672f5b70a47e8c32c72b77641e3d30155fd1d8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdktlemc.dll

Filesize
3KB

MD5
a65f907954aea47bcb3c3134c5dcdad6

SHA1
04d642f80d9f7ad841a254cba728dc205ada2f2f

SHA256
0a967ec122f3e41dd9bcefa09de5c031b971ea97c009256845ceaf1f546e1229

SHA512
7e41ce54efd6d375fed2be8abaac5273bb3f9307522709f64980d5680f8985d6752d0a7697f01534ecf3dd557c12c61b992f66a74b86664fd5541550dc5608cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdktlemc.pdb

Filesize
7KB

MD5
bff7d3468ac75f2b11ad9c6082188705

SHA1
4e7d338d1f6e5a7ea7794b0bda61a51684496aca

SHA256
ca84994e2cb9af75413e9af58ad39c2d370a90a2052b2eee9a7331314f7b18f1

SHA512
3a7ab023d6effb47b280a60a1dcb3b4aeb75f01bb26b7f5251e858eb8c436425617e5142c882e4c2cd77ffcb9fdacdbae56b07d03db608f2d34b3b64a3c7b2bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC27AD.tmp

Filesize
652B

MD5
937872a198cd33a9a077a2f6a20df80f

SHA1
453d57f9ceeab262e3eed92f5c897e30f71c7ab4

SHA256
e24332732e5834d58febab3c640719c7d3bb846c450c890b8fe31118602163cd

SHA512
cdd975563f6a9374b4f9206f12c12c54a854b166323f468de12e2b626c098aa8a27913149704afaa360d165f8bee89bd33d9b400aa6f1628f2ab38bea61e7abf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pdktlemc.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pdktlemc.cmdline

Filesize
309B

MD5
4143ac3a8b9aff7f7f7cd99257458bcc

SHA1
1256c75c73bcaff0e57367beafbfaf40b976a73c

SHA256
b25461d5398590865ad4a9900ee288d2bb02d4006b236511e2ae5fbaebc5d678

SHA512
16b4e4ebf6bcc170072ec2ccb1c819ec9beca070df839ed1d68bb5b82b945e505556d3712c0778eeca8448a50e96e01b861e0fcd6e17270f84fed0f9269f0930

Download Submit
memory/1052-61-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/1052-58-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/1052-60-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/1052-75-0x00000000028A0000-0x00000000028A8000-memory.dmp

Filesize
32KB

Download
memory/1052-59-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/1052-78-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1052-80-0x00000000025CB000-0x0000000002602000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing