metasploit | c79e55e22a00297e4e33a80b56bc1122c5f316c4dcd854414a26318a6db8fde7

General

Target

runs.ps1
Size

3KB
MD5

b9eeef211ccc99e98293a4f7cf5c7084
SHA1

4e2521900e3c1aafaa097a126b43ca1e19b7e289
SHA256

c79e55e22a00297e4e33a80b56bc1122c5f316c4dcd854414a26318a6db8fde7
SHA512

02336caa57be954d08844d3fe2e5135543e45767d4042819892206cecd5db7a6e29fd6b1e0d2e26f385bfc4168c730d0ea2d4196923ed3d901d9aa7362e58211

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://193.37.254.27:33038/kMxuxZbnZNEBpwCmYgPolwLaV2IfqcL_IKKE51

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1716	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1520	dw20.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2844	1716	powershell.exe	3
PID 1716 wrote to memory of 2844	1716	powershell.exe	3
PID 1716 wrote to memory of 2844	1716	powershell.exe	3
PID 2844 wrote to memory of 2932	2844	csc.exe	2
PID 2844 wrote to memory of 2932	2844	csc.exe	2
PID 2844 wrote to memory of 2932	2844	csc.exe	2
PID 1716 wrote to memory of 1520	1716	powershell.exe	1
PID 1716 wrote to memory of 1520	1716	powershell.exe	1
PID 1716 wrote to memory of 1520	1716	powershell.exe	1

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1104
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1520

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9168.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9157.tmp"
1⤵
PID:2932

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vm7ikibv.cmdline"
1⤵
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\runs.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9168.tmp

Filesize
1KB

MD5
02f09b3e5a082d263fb69f093feb6021

SHA1
fa0491e3b9cdb67418bfc93a49e0022c29eb8a31

SHA256
55dec518d818f3db1ac08e8c46ec20a6db865634b1e1f0eaf7239bf25613bf41

SHA512
620477a244747ad7386b232afe222669656b79667682f67c76a2559a2b39645f5ef83030ccc3357dc560dc1ede1a2e78c7d853857a7e2b37bc12bd7b915b6345

Download Submit
C:\Users\Admin\AppData\Local\Temp\vm7ikibv.dll

Filesize
3KB

MD5
d11e3ad6c56433bab4c7754d44ae7ddc

SHA1
1ff73a4bdffa2044a9daca10ba742402f4280c48

SHA256
79c69a1181dd6f3222aed757f0888818e018d02b8533508202b428fe036a08af

SHA512
7d6730800c406afe3bf5557e5b88d5611569df85965cb20bf9201ba9bb334a3b7a2c6f0c14284620d158fe047ebfa71d86e9660d5be98114ad9d66ca2ef71837

Download Submit
C:\Users\Admin\AppData\Local\Temp\vm7ikibv.pdb

Filesize
7KB

MD5
5af0a2578a6ebfbe50ebad8cfb1334b0

SHA1
fb4fe7c5f2d6e2f611823526b0f5b77024722455

SHA256
a68567d67e539db8ad63ff8046ee9849ed3e6d8f9f73328a1eceaab84c16e67f

SHA512
c50d05aae980dfbfdc29f963292013120f36afaba3f5cf31d3fd2501207e5a9322444f15b749d7c4b58f31b840232d8d0be72f45c25b8b048a6fdee81c5da8b1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9157.tmp

Filesize
652B

MD5
db9bffa2aa20063b1f26cf14ee1f7728

SHA1
60fb0750a83984ff5b2d7540b20a5e7c4b736b28

SHA256
32c8b0f722e1513f2894878e276bb98056b49fee6efbda4ae40a0a80ab5a21ba

SHA512
21f2cc0661c0d59e9b62f55d35ea9519cd17fa5f4dc43ec54f027802add426ec242a9a8c3f5a241a277fa9bfaf8fc84b3fafa892bfd7b16813261e753ad8a139

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vm7ikibv.0.cs

Filesize
603B

MD5
677addd4c1b98774f1b219d3aa1eabd2

SHA1
5f59a3f00bd84152093052f9c3829c83db8c4e00

SHA256
a090b092a209f60d19a53617119da7c5bd0a0c75475b112cd8b39ae07b5d274c

SHA512
872046c86618c3ece4443532a0269f24195153f71d1df162b043147d2427e31c1030fef89a24652171361f6acd2cabaddb90381f3d7a01ccf5d74b97b387b451

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vm7ikibv.cmdline

Filesize
309B

MD5
6227a44b5e4ae76301f11e3998d7e10a

SHA1
03132e6eb242e0b1eb95bad8a7f83d551dd5cded

SHA256
5f1891bba51822dcef8b89157d08c150d17c935c484bf3db8eba3807f1c52054

SHA512
d7a82abab51456bb9926674625a1cfdb09deea9b15f48f8b29f0e2a54a5877d9d9bd0f577633704c7b7877ab39a4a679371059bbee1724a504cd49730955aa42

Download Submit
memory/1520-82-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/1716-63-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1716-59-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/1716-64-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1716-81-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/1716-62-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1716-61-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/1716-60-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1716-78-0x0000000002B30000-0x0000000002B38000-memory.dmp

Filesize
32KB

Download
memory/1716-58-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/1716-83-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/1716-84-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1716-85-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1716-86-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1716-87-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing