metasploit | 472e4f80a21736d734de6735d6686d4526d76ff68c3ffc5880d0e44580b1b0ba

Analysis

max time kernel
78s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2023, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

J94vEGUX.ps1
Size

2KB
MD5

12b7ab8d6832a7ce580266baa4c2c4da
SHA1

16f51e9986289e470adc69d0586d8d6d76a02afa
SHA256

472e4f80a21736d734de6735d6686d4526d76ff68c3ffc5880d0e44580b1b0ba
SHA512

3d493530c92286ca2a7b7ef4cd55dec26e18fc2bdc8f638da537631c03b7d5c477e5fb59db19b611ec92f071aa72396abbd3e4c8b7b59efd87d806395ff811f8

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

46.4.114.111:9999

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1068	powershell.exe
1068	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 3484	1068	powershell.exe	85
PID 1068 wrote to memory of 3484	1068	powershell.exe	85
PID 3484 wrote to memory of 1080	3484	csc.exe	86
PID 3484 wrote to memory of 1080	3484	csc.exe	86

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\J94vEGUX.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3md1fr0q\3md1fr0q.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B5C.tmp" "c:\Users\Admin\AppData\Local\Temp\3md1fr0q\CSC8D7C81A4C9374CCD856CE1CBE2E554E.TMP"
    3⤵
    PID:1080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3md1fr0q\3md1fr0q.dll

Filesize
3KB

MD5
92e16a420b5533a558631e9b8bb57cba

SHA1
4203ea177ec1d4f75532a7de29dbfa3575dc6c14

SHA256
360b584813bf512c83cdb51f489b08b92fa7809a80df1a020a6ae7e6108bc237

SHA512
6e21fe8fbe6d66b38d452f51ddb0f92b5339a460f99c449e1730eae96599c55808e25a5e7bd7968621383902bbecdda5f105dac15ee8cf58987f337cfc333fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8B5C.tmp

Filesize
1KB

MD5
3c85b9f62d636a1ed0442e423b089958

SHA1
0de090088270ad3637ab5ac8ffdbc70443a2ea25

SHA256
0a7252316a4cd34026ad4a105d0ba81598a961a5bd75dfd4de9c95ba67ba27a5

SHA512
df0bc5e30d3dde12e4c87b6a154eb80c3b0cc3cd2d1de833009f55886becd1568ba4952ba2e72f306142cf2f40cc7d6577af82f76dd6b6d662de8cabed2623af

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uotwpjgz.5zz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3md1fr0q\3md1fr0q.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3md1fr0q\3md1fr0q.cmdline

Filesize
369B

MD5
40e2d73799b42d290df6ff81af4abe6c

SHA1
673b40ca45b67940f31bd55070be9deeb50402cc

SHA256
d8ed79213c91ad120037710c576a0e28f37ab5ad6fb380de4e6f43010d621b21

SHA512
55ff0816df9e70c900613b63ad8bec4d03df6060f60e7078adbd851a6895e145e305da0421e8701ba27eb19adc82d7990a1fed197741787e94ae139f5d8eca3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3md1fr0q\CSC8D7C81A4C9374CCD856CE1CBE2E554E.TMP

Filesize
652B

MD5
007b1a2766230de2f627838a6ba4875c

SHA1
d194ca94e71d2b9ef1274b4239600bb4a3f497a4

SHA256
e68ce137efcc76366e7194a79c2715ffe88249fed865d0eb37c3ea168254f635

SHA512
9f988896f0ec0171d11a24abf0e61d02702ae7df7dc82428ab78c741063e7c178d15b96c251702c98a651c74a597dddebc09805a656d0651265a297959b73839

Download Submit
memory/1068-138-0x000001CE7D590000-0x000001CE7D5B2000-memory.dmp

Filesize
136KB

Download
memory/1068-148-0x000001CE7B3E0000-0x000001CE7B3F0000-memory.dmp

Filesize
64KB

Download
memory/1068-149-0x000001CE7B3E0000-0x000001CE7B3F0000-memory.dmp

Filesize
64KB

Download
memory/1068-158-0x000001CE7D900000-0x000001CE7D901000-memory.dmp

Filesize
4KB

Download