metasploit | c79e55e22a00297e4e33a80b56bc1122c5f316c4dcd854414a26318a6db8fde7

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2023, 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

runs.ps1
Size

3KB
MD5

b9eeef211ccc99e98293a4f7cf5c7084
SHA1

4e2521900e3c1aafaa097a126b43ca1e19b7e289
SHA256

c79e55e22a00297e4e33a80b56bc1122c5f316c4dcd854414a26318a6db8fde7
SHA512

02336caa57be954d08844d3fe2e5135543e45767d4042819892206cecd5db7a6e29fd6b1e0d2e26f385bfc4168c730d0ea2d4196923ed3d901d9aa7362e58211

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

http://193.37.254.27:33038/kMxuxZbnZNEBpwCmYgPolwLaV2IfqcL_IKKE51

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1968	2152	WerFault.exe	16

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2152	powershell.exe
2152	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2152	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 4824	2152	powershell.exe	85
PID 2152 wrote to memory of 4824	2152	powershell.exe	85
PID 4824 wrote to memory of 3808	4824	csc.exe	87
PID 4824 wrote to memory of 3808	4824	csc.exe	87

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\runs.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ofx1uel\3ofx1uel.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA170.tmp" "c:\Users\Admin\AppData\Local\Temp\3ofx1uel\CSCF3888878B0E64FC38C2D4E839963759.TMP"
    3⤵
    PID:3808
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2152 -s 1636
  2⤵
  - Program crash
  PID:1968

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2152 -ip 2152
1⤵
PID:4272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3ofx1uel\3ofx1uel.dll

Filesize
3KB

MD5
fb6c70b586f5c1117dc616d0ded47e24

SHA1
df46f0201b84d102e49e0dd01c8ef107afba34eb

SHA256
513d11281efcdd7733442b7d3ad335974d0631016426c2a45c0141c253a06d16

SHA512
88d33f50ce0deb5b2fe13857b12ccbf32ce19c329ca0649c5fa4cc4d7b030b395ea77f147c276e63183eeb29301dc52d2d4b544e1de2102863a923a17714706a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA170.tmp

Filesize
1KB

MD5
5e785bb65ce77acf1d714624b69dfdf8

SHA1
519d7824f84b00e3866d78a1e927f2d1405c9ffe

SHA256
ea102c39ee3b0e9f9a2b3ec113a35d499157e475da392d8c992646a67599a402

SHA512
dbbcca38b63798f98fdfedc7363a10aa959c9b03bd05eb53c2ef5c9ffe9d5c4982fd42bfaca4d7b5375faa657e99364743f3618dee2af0145d55c11df70d551b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yizcyqs4.yk3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3ofx1uel\3ofx1uel.0.cs

Filesize
603B

MD5
677addd4c1b98774f1b219d3aa1eabd2

SHA1
5f59a3f00bd84152093052f9c3829c83db8c4e00

SHA256
a090b092a209f60d19a53617119da7c5bd0a0c75475b112cd8b39ae07b5d274c

SHA512
872046c86618c3ece4443532a0269f24195153f71d1df162b043147d2427e31c1030fef89a24652171361f6acd2cabaddb90381f3d7a01ccf5d74b97b387b451

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3ofx1uel\3ofx1uel.cmdline

Filesize
369B

MD5
255a26f57b66a28391eb0dbecef3902c

SHA1
bc9932df068ce80369162cea26cf465a9c349792

SHA256
6e897241bb28f94342f88d0af30a6ad64fb226ba74eef7614b071baab02ff60d

SHA512
bcafc8652893372e672b5533d417e18a038fcb5eec3a54a1496a19e6b62edcb15e17910166fd741499573758bfabeb4890e8f6a7d574357b0aee35d95c667310

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3ofx1uel\CSCF3888878B0E64FC38C2D4E839963759.TMP

Filesize
652B

MD5
3755625c2df77f75d780b2b062a08faf

SHA1
178ed3aa2b4d24fd150501e325aad7049224b3a9

SHA256
384b37afdbd87abc888531d7775637c396ebfa64d5b46648b557d7fb6cdcc00f

SHA512
ff07a30ad75987542a2bc474b411ad9f483b6792247c5d1b21c00f363982b750060caac900f5cca7510338859ec303bf5cfbd180a093d6c7215be433fffc6063

Download Submit
memory/2152-142-0x000002C0F4900000-0x000002C0F4922000-memory.dmp

Filesize
136KB

Download
memory/2152-148-0x00007FFAE5110000-0x00007FFAE5BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2152-149-0x000002C0F3B30000-0x000002C0F3B40000-memory.dmp

Filesize
64KB

Download
memory/2152-158-0x000002C0F4C70000-0x000002C0F4C71000-memory.dmp

Filesize
4KB

Download
memory/2152-160-0x00007FFAE5110000-0x00007FFAE5BD1000-memory.dmp

Filesize
10.8MB

Download