metasploit | a332d9a03fc5f058bbe43920c63a82343f4968584fd3de95247b422658bd2518

Analysis

max time kernel
133s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2023 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a332d9a03fc5f058bbe43920c63a82343f4968584fd3de95247b422658bd2518.ps1
Size

3KB
MD5

c1a9097d7c7ee35e32edada3f14654c5
SHA1

51f9d6b23289ef25710ebe5954c7116437f2c779
SHA256

a332d9a03fc5f058bbe43920c63a82343f4968584fd3de95247b422658bd2518
SHA512

efb936d3b69454756799f1322959eaf8a6d6b74f3d73db12effc884566867c8022b87000a07a9e9d66ea1be7260ae5453ee49ba5c94173924e8f233a088dca90

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

18.177.60.68:11625

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
25	4340	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4340	powershell.exe
4340	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4340	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 752	4340	powershell.exe	90
PID 4340 wrote to memory of 752	4340	powershell.exe	90
PID 752 wrote to memory of 4840	752	csc.exe	91
PID 752 wrote to memory of 4840	752	csc.exe	91

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\NEAS.a332d9a03fc5f058bbe43920c63a82343f4968584fd3de95247b422658bd2518.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f5w5mw3q\f5w5mw3q.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C94.tmp" "c:\Users\Admin\AppData\Local\Temp\f5w5mw3q\CSC450F2E7C8A414E69A442768B6C93BBE4.TMP"
    3⤵
    PID:4840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4C94.tmp

Filesize
1KB

MD5
e9c9551696f89032d769978d956eed9c

SHA1
968d6943782d989024120ba0aa9a81313b81c118

SHA256
873c9f08559ce6c7c70a6323be390c4f2008a5e51acd8813c987462d380d05bb

SHA512
11d44376b1e929f3aa45741039136f36eab167e4a8229b3497f2ddbab71ad68d46b0e9d7ae5776bcaf93aa717dcc65f4d5ed418dfdadf4118dbc4ac531411156

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fshmebsy.od4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5w5mw3q\f5w5mw3q.dll

Filesize
3KB

MD5
59c2be4c2f08ef990904d7ce8992d05c

SHA1
ea7da7295887c1d976202be579309b9de065f65a

SHA256
5efba359982117ef61b4fd3164837c13bf9c8d738177b45443952feba8558370

SHA512
700fbd8a704181d06dba66ee2f18e36f835aac733d1fffe47f74791f29749c8ba49aa045def906b45a703f96821f457f4a78ff428a6bde1aa8460466a1343c2f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f5w5mw3q\CSC450F2E7C8A414E69A442768B6C93BBE4.TMP

Filesize
652B

MD5
0bc85b37724cefd8e42b7899c3a4c667

SHA1
26b16f436be1ec49983834e0667f6baeff3deca7

SHA256
2be8341a4ad0143ae7b3f4a82756e39b0329e57a4b922bd3c40619429591e18a

SHA512
b72684b68332744d117b2788579555484fdbc6dd1f793823bb44336f7592535fa17e2b52c1e41a1b5c4744e28b2a27053bfec44a11c6143f92cf1d47c953846b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f5w5mw3q\f5w5mw3q.0.cs

Filesize
465B

MD5
029a251db8736d1c039890283ddafd0d

SHA1
b2d1944ef240baa681565c6327011b30e0f980fd

SHA256
d1b97cac79d2b968a2d80df52ab40e480540f81040a825c5aba1192c72db2b0c

SHA512
71347e5eb5e4ed3dab872072d84f8eeb575c27632ffb53826f905fd19db9ec082e49d55d7901b98e2ac6ae3de61189d6352bae790e5f1bd9e6db28bc22f31b8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f5w5mw3q\f5w5mw3q.cmdline

Filesize
369B

MD5
8d15e4ef8f52068d5c8818be72cce09b

SHA1
1242aaca851c431f9c8754390a59d712e79c2d05

SHA256
9c6711bce44d5346e4b9449c22cb7659a0f329b55af2cdfc096f3e7c82c3de98

SHA512
e1a3b356470d65e5894621dd4a0a6a78f2e984414959d19a9bde88bd0e04ccaad7b0dde8eee4290016f52c5bf7ffd1351b7ee500678bccd91e4ed90ba07926a3

Download Submit
memory/4340-13-0x00000230305E0000-0x00000230305F0000-memory.dmp

Filesize
64KB

Download
memory/4340-14-0x00000230305E0000-0x00000230305F0000-memory.dmp

Filesize
64KB

Download
memory/4340-15-0x00000230305E0000-0x00000230305F0000-memory.dmp

Filesize
64KB

Download
memory/4340-26-0x0000023032830000-0x0000023032838000-memory.dmp

Filesize
32KB

Download
memory/4340-12-0x00007FFEB01D0000-0x00007FFEB0C91000-memory.dmp

Filesize
10.8MB

Download
memory/4340-9-0x00000230326D0000-0x00000230326F2000-memory.dmp

Filesize
136KB

Download
memory/4340-28-0x0000023032840000-0x0000023032841000-memory.dmp

Filesize
4KB

Download
memory/4340-32-0x00007FFEB01D0000-0x00007FFEB0C91000-memory.dmp

Filesize
10.8MB

Download