metasploit | 88bb6fbbc03bf7c832826b69b759d1d77bdb49052bd458a0c1623407f9148009

General

Target

88bb6fbbc03bf7c832826b69b759d1d77bdb49052bd458a0c1623407f9148009_JC.ps1
Size

3KB
MD5

ee4cabf85331d01dcc5fa75be75b5598
SHA1

8fff6855dd841e35468be9834954890d79b67341
SHA256

88bb6fbbc03bf7c832826b69b759d1d77bdb49052bd458a0c1623407f9148009
SHA512

9d59c6d47f31133c921efee16a0fa4160f5f5f532d54396cc5e74ee21a158225a3355f0bff845a9c5794a31bc6aec84d2a448996e30fbb93247428b589cb233d

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

3.64.4.198:13688

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 10 IoCs

flow	pid	Process
5	748	powershell.exe
5	748	powershell.exe
5	748	powershell.exe
5	748	powershell.exe
5	748	powershell.exe
5	748	powershell.exe
5	748	powershell.exe
5	748	powershell.exe
5	748	powershell.exe
5	748	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
748	powershell.exe
748	powershell.exe
4504	powershell.exe
4504	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 4008	748	powershell.exe	84
PID 748 wrote to memory of 4008	748	powershell.exe	84
PID 4008 wrote to memory of 4408	4008	csc.exe	85
PID 4008 wrote to memory of 4408	4008	csc.exe	85
PID 748 wrote to memory of 4504	748	powershell.exe	86
PID 748 wrote to memory of 4504	748	powershell.exe	86

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\88bb6fbbc03bf7c832826b69b759d1d77bdb49052bd458a0c1623407f9148009_JC.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hlf3poxt\hlf3poxt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AC0.tmp" "c:\Users\Admin\AppData\Local\Temp\hlf3poxt\CSCBA698C77296943C7914619D8AC95AB3C.TMP"
    3⤵
    PID:4408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6AC0.tmp

Filesize
1KB

MD5
edb9f302b96645888a442d8b6d451e9c

SHA1
792fb388f9304e67d184545b48b4f59579a8c94b

SHA256
6a5ef7bb4a55fdf09623ffb0b8d792d5785868d5add680c8bbed17cadd0550b5

SHA512
1b4538b50186fbe3fa5b7cfc27b50cfaa224ae375c306d479289c0f92603beb95b4478e0c3222ce186ed60c7f08ca67cdd040e60de8cbeba7484506f33a30b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qeghvg05.unl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlf3poxt\hlf3poxt.dll

Filesize
3KB

MD5
f9a3b12f25ac85b0f7273b1eae7c6939

SHA1
107fc3018e30afbb049beff36a74160512b6077f

SHA256
87857cb0fd0852ba751489f932267fa33d8dcce4aedd2e49a9cead5cf6b14244

SHA512
b1aa48582ed57d335038402f954ec757236b6a381756b8e2f833f09c8a34810f6acd7f077fcc3dcf1260778d11c2e8f545a69c66dd4c2d1ab883e9568115d6d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hlf3poxt\CSCBA698C77296943C7914619D8AC95AB3C.TMP

Filesize
652B

MD5
5aeeb9d5417f4d43852fcc7c2a52d693

SHA1
cb0379e52bd4202871976b2030768ad3b9a92511

SHA256
d8fdb8e76303e518243a5e072d2141e3e70a85335b08695babab41cb0954a234

SHA512
8003b2b184a317818181152fd2f7edb149fa990a0e1c2b8727179ca371e1f4541e51b4026702beeca21a496a9497f6bd106ade2b37c80418680a254af50e01e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hlf3poxt\hlf3poxt.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hlf3poxt\hlf3poxt.cmdline

Filesize
369B

MD5
076a739857b3f79baacd40a5132fb1ac

SHA1
b32f6e79dda96fa870d68d32e3c9f8d0f4125083

SHA256
34268dd558f4c12962c30ef61e3b998c4a6c602b0d3b5f3c0615bb6710a9726e

SHA512
4b8139b704634b18c6ff4ea436afde24f1900e57e38a816396327d2e005173661737937c4cc63167bd758d96a3fd3a57cd3c3be7e3a6832a1845593e66dcb05e

Download Submit
memory/748-15-0x000001AC698F0000-0x000001AC69900000-memory.dmp

Filesize
64KB

Download
memory/748-41-0x00007FFE255E0000-0x00007FFE260A1000-memory.dmp

Filesize
10.8MB

Download
memory/748-14-0x000001AC698F0000-0x000001AC69900000-memory.dmp

Filesize
64KB

Download
memory/748-13-0x000001AC698F0000-0x000001AC69900000-memory.dmp

Filesize
64KB

Download
memory/748-10-0x00007FFE255E0000-0x00007FFE260A1000-memory.dmp

Filesize
10.8MB

Download
memory/748-26-0x000001AC69B50000-0x000001AC69B58000-memory.dmp

Filesize
32KB

Download
memory/748-28-0x000001AC69B60000-0x000001AC69B61000-memory.dmp

Filesize
4KB

Download
memory/748-49-0x00007FFE255E0000-0x00007FFE260A1000-memory.dmp

Filesize
10.8MB

Download
memory/748-42-0x000001AC698F0000-0x000001AC69900000-memory.dmp

Filesize
64KB

Download
memory/748-0-0x000001AC69A00000-0x000001AC69A22000-memory.dmp

Filesize
136KB

Download
memory/4504-40-0x0000026AC8AF0000-0x0000026AC8B34000-memory.dmp

Filesize
272KB

Download
memory/4504-39-0x0000026AC8780000-0x0000026AC8790000-memory.dmp

Filesize
64KB

Download
memory/4504-43-0x0000026AC8F20000-0x0000026AC8F96000-memory.dmp

Filesize
472KB

Download
memory/4504-44-0x00007FFE255E0000-0x00007FFE260A1000-memory.dmp

Filesize
10.8MB

Download
memory/4504-45-0x0000026AC8780000-0x0000026AC8790000-memory.dmp

Filesize
64KB

Download
memory/4504-38-0x00007FFE255E0000-0x00007FFE260A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing