metasploit | a332d9a03fc5f058bbe43920c63a82343f4968584fd3de95247b422658bd2518

General

Target

NEAS.a332d9a03fc5f058bbe43920c63a82343f4968584fd3de95247b422658bd2518.ps1
Size

3KB
MD5

c1a9097d7c7ee35e32edada3f14654c5
SHA1

51f9d6b23289ef25710ebe5954c7116437f2c779
SHA256

a332d9a03fc5f058bbe43920c63a82343f4968584fd3de95247b422658bd2518
SHA512

efb936d3b69454756799f1322959eaf8a6d6b74f3d73db12effc884566867c8022b87000a07a9e9d66ea1be7260ae5453ee49ba5c94173924e8f233a088dca90

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

18.177.60.68:11625

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2876	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2876	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2036	2876	powershell.exe	29
PID 2876 wrote to memory of 2036	2876	powershell.exe	29
PID 2876 wrote to memory of 2036	2876	powershell.exe	29
PID 2036 wrote to memory of 2768	2036	csc.exe	30
PID 2036 wrote to memory of 2768	2036	csc.exe	30
PID 2036 wrote to memory of 2768	2036	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\NEAS.a332d9a03fc5f058bbe43920c63a82343f4968584fd3de95247b422658bd2518.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nfczsd7y.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES696E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC696D.tmp"
    3⤵
    PID:2768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES696E.tmp

Filesize
1KB

MD5
5bf86dd8c6e92f668fcb646fa6d34fbe

SHA1
6da585a340da762947808af38c57a0ff772d101c

SHA256
5f99a42046fa510bf65ab004a4ca1b538d7425cd03c33a14bdffd6da69812e08

SHA512
91cd15f9dee56739610f74b774077b55b4852e01c81cc5aae161dbac81f50cc74f334b2ee53248f9fef0665b3c867ffec092e529318a5dea6566388342778a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfczsd7y.dll

Filesize
3KB

MD5
3d7589e8373417cf841a5970836964db

SHA1
088c340e54240b5ea80baaebbdba5a137bb5fcb3

SHA256
434d1bc2da4480a33153779c126b362859f3f94ebec839fc3400b1486d8c69c2

SHA512
3a6720e8219b503f105ce6f2a1babe56b1eb7db1468b7365920a08f8b1da0a3b103654130da00927ee448aa7ff0fe6b4b81a8ed9ca906b3a066091e0fc48320e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfczsd7y.pdb

Filesize
7KB

MD5
b1f616cd69763b16d2a0b4d41005b667

SHA1
35dcce9949aaac262b5cf3080c716476a2084dee

SHA256
54ae90864a97a05d77ad93882cf9ef121b8a4260dd9343b047f576b26750d8f7

SHA512
657a11996826640fff1ace5a19e54535fb23cc0b18a38bc8edc9d378c900ed5522cc96fa110b140616d3ff726f74a011b718a7c3e0b9b7e85d80e6f71688b0fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC696D.tmp

Filesize
652B

MD5
7ec855e4b3f8c1e470b03521dd4b5c29

SHA1
71998d6e6a738bc6481b14f7281219ca5bea943d

SHA256
72d1582868779fa7465916d201f26151a7a7196b373fd5d42ce08de507638f21

SHA512
68e6e4c34746002c5666187f4f04d2f946896ad0e4e37e9220025d43417ece992cd3bacafc40a42dfe81813731a42321d4039c8e585aa30a5ef6fbdffa64a8f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nfczsd7y.0.cs

Filesize
465B

MD5
029a251db8736d1c039890283ddafd0d

SHA1
b2d1944ef240baa681565c6327011b30e0f980fd

SHA256
d1b97cac79d2b968a2d80df52ab40e480540f81040a825c5aba1192c72db2b0c

SHA512
71347e5eb5e4ed3dab872072d84f8eeb575c27632ffb53826f905fd19db9ec082e49d55d7901b98e2ac6ae3de61189d6352bae790e5f1bd9e6db28bc22f31b8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nfczsd7y.cmdline

Filesize
309B

MD5
07cb4dbbec1cc3b2d243828700783279

SHA1
8dd6230ca74b95a56c121bd85b72ef35aa2af677

SHA256
4034b95dbc214d7ae296432bebc3a231a4738d5b313d71907fb4af8ee75a21fb

SHA512
fd7e4ca1421b0b032d1d0e679285403645b47035e4eba34bbeef91dd042ed98695c2fdbb8a2456f90f25d17111ee6685d6c8ca680ffd1751482c1fd1e03318d0

Download Submit
memory/2036-17-0x00000000023A0000-0x0000000002420000-memory.dmp

Filesize
512KB

Download
memory/2876-10-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/2876-11-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/2876-5-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-9-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/2876-8-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-6-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/2876-7-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2876-26-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2876-4-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/2876-29-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2876-31-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing