metasploit | a4fafa40bfe7001d890c256f6c4456a63ba16165f37ce7763a18ae4d48ffcba2

Analysis

max time kernel
82s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2023, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a4fafa40bfe7001d890c256f6c4456a63ba16165f37ce7763a18ae4d48ffcba2.ps1
Size

3KB
MD5

7c8925b2280001f809a88d6e4aaa4334
SHA1

995f9cad089fb6a79f3c54811cce57307ebf7147
SHA256

a4fafa40bfe7001d890c256f6c4456a63ba16165f37ce7763a18ae4d48ffcba2
SHA512

2b535e3b716579278d1fd22c0872cfab374ac8d940cebe7bf0ac6fae73e223a988cd56432d8e31e9f369517194e595a2c523b1b7b58aceca2e6620b23ebea2da

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

18.177.76.42:19536

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	2652	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2652	powershell.exe
2652	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2688	2652	powershell.exe	88
PID 2652 wrote to memory of 2688	2652	powershell.exe	88
PID 2688 wrote to memory of 5020	2688	csc.exe	90
PID 2688 wrote to memory of 5020	2688	csc.exe	90

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\NEAS.a4fafa40bfe7001d890c256f6c4456a63ba16165f37ce7763a18ae4d48ffcba2.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tmew45gw\tmew45gw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB3.tmp" "c:\Users\Admin\AppData\Local\Temp\tmew45gw\CSC2FB0D5FF1DF945F8B8B5AEB4ED8A86D.TMP"
    3⤵
    PID:5020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBB3.tmp

Filesize
1KB

MD5
e5c2a5ad9c2419b25d2762459e7052e3

SHA1
fcf35e08063732ae7190937b94c0781287ce9a9e

SHA256
930ba2776d916aceaf0c808e4f8d43a83616a92a40a9ea97a42f6a2ad49cad1d

SHA512
4254150b91e68e7010e1afa27fb6e8341ad1d20228a85c27d3573ff9294f30884b514ba208ec03ae9b11466cbbf93f994a266774f96805cac335adb0a5587657

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nsqcw2ze.fy2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmew45gw\tmew45gw.dll

Filesize
3KB

MD5
8771d69149174d2e26e57da0489d3042

SHA1
cbc57259f664f916a8171bd28c9dbbdfdfd9560b

SHA256
85803678c1833a28057a272abb9810d4711cf106c0ab93936b0e839435930551

SHA512
e313f2833c769343f52caacb5a002dd73981826f830e1da8eacee1894a88422adc46d78cde4c61dfc02da0f2f2034afcc4b103e5820dc47a70a06f323df44756

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmew45gw\CSC2FB0D5FF1DF945F8B8B5AEB4ED8A86D.TMP

Filesize
652B

MD5
83170b2a872692730a2d4726840eda2c

SHA1
9eee2982e9d8f2ca048a4d9d12f9b63ae433b7bc

SHA256
568df158dc6b1800d331683dad8205455561c3fd9d37f3d0cf1c379daf1980dc

SHA512
ed9f253b563e0e378d6ee026cab06c7e6220d57682e55e7674ea59f67a537bd093bd20b192fbe5107d2aa5215ddec6e27ecd5ca04a8dc3959936e2483738ad42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmew45gw\tmew45gw.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmew45gw\tmew45gw.cmdline

Filesize
369B

MD5
f7c34c59581c78391b400f9235768ef2

SHA1
df4fc8051a6a9960361bab4ad7be7fe344ea27d7

SHA256
382f39385240e888a6a1e36fdf316f63d67f377e3c91ea80a07a5b1f26895d4b

SHA512
0d9c70fa214ee39e41258746e508ba943617fb9ec619d1445d0a25f489887b0fbe58b4188c94e48eb5c00fce14353bd05c164980691931dc7f72cd85a09bd95e

Download Submit
memory/2652-15-0x000001AEB8F00000-0x000001AEB8F10000-memory.dmp

Filesize
64KB

Download
memory/2652-14-0x000001AEB8F00000-0x000001AEB8F10000-memory.dmp

Filesize
64KB

Download
memory/2652-13-0x000001AEB8F00000-0x000001AEB8F10000-memory.dmp

Filesize
64KB

Download
memory/2652-12-0x00007FFE1E1C0000-0x00007FFE1EC81000-memory.dmp

Filesize
10.8MB

Download
memory/2652-26-0x000001AEBA890000-0x000001AEBA898000-memory.dmp

Filesize
32KB

Download
memory/2652-9-0x000001AED4FD0000-0x000001AED4FF2000-memory.dmp

Filesize
136KB

Download
memory/2652-28-0x000001AEBA8E0000-0x000001AEBA8E1000-memory.dmp

Filesize
4KB

Download
memory/2652-32-0x00007FFE1E1C0000-0x00007FFE1EC81000-memory.dmp

Filesize
10.8MB

Download