metasploit | 22c1329be33647af3519c6ecac6f934b1bedfad2266f23ba34e5c81817ea4d59

General

Target

7HcZdFtt.posh.ps1
Size

3KB
MD5

1b4500e9970342d95ed9bcd9f6e2c312
SHA1

b344d8ed5a0e4292539312ef3b4de85bd43d0931
SHA256

22c1329be33647af3519c6ecac6f934b1bedfad2266f23ba34e5c81817ea4d59
SHA512

1be8a7a7c3d8ccdadeebf090cbc6a183b18331060acad910010baa5dbcbab3b1931a01c95b05eb9ef9d122d585be67ddf01b8a7ab1549a5a1e1d14183243dcc6

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

18.177.60.68:12641

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2500	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2500	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2764	2500	powershell.exe	29
PID 2500 wrote to memory of 2764	2500	powershell.exe	29
PID 2500 wrote to memory of 2764	2500	powershell.exe	29
PID 2764 wrote to memory of 2660	2764	csc.exe	30
PID 2764 wrote to memory of 2660	2764	csc.exe	30
PID 2764 wrote to memory of 2660	2764	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\7HcZdFtt.posh.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3x3xrk90.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES647E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC646E.tmp"
    3⤵
    PID:2660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3x3xrk90.dll

Filesize
3KB

MD5
b52d81f76f042a51c3bcdf0297bfd8be

SHA1
8d89a2f896f799700737bc423b3876c75f701764

SHA256
8d580b8bef326e787ffebabfab0098ec5a83aa42d699960e593c472273e9e768

SHA512
4d5a8e332b05b30ada4cccfcd243116cf6312993f1c25e3c6d72d5b9f635d4ccf2f9256118145b780668a3f0ab3f253143697665f875425ba2305a9429de65e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3x3xrk90.pdb

Filesize
7KB

MD5
584b2fda094e57a31e8484572ca9e7ba

SHA1
901d09aacdea25f1912c59fdf61067fc733ce743

SHA256
50e76a89fe6d9c5f9444facbf7947bfcfe3a9d60ec057b8c087dca94c259ca53

SHA512
a11719a44c87657ee6e7e9e8aef64793f693a6c4776580119fab6db5cd480030ad9d2a392cfaed73103596c6d57698c2e3338e8a6208943134c8713acc272e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES647E.tmp

Filesize
1KB

MD5
b02e01d92579dff1d78f54e241e42e6f

SHA1
9a1b9e9ca52fd4d39f41000b1982a41fe05ba8a5

SHA256
a75b55fe176566322accff21aef1cac98792059e8b6e708ca9d77342f51d1748

SHA512
296aae60e5a88831c3de4fa7be0c2e3d20da18edcc2ee95332da8c6a0eb64c3ab4b37ff257efc370fb602cab0050ae5b4ba5717ae0e11fe22dff40f64377986b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3x3xrk90.0.cs

Filesize
465B

MD5
029a251db8736d1c039890283ddafd0d

SHA1
b2d1944ef240baa681565c6327011b30e0f980fd

SHA256
d1b97cac79d2b968a2d80df52ab40e480540f81040a825c5aba1192c72db2b0c

SHA512
71347e5eb5e4ed3dab872072d84f8eeb575c27632ffb53826f905fd19db9ec082e49d55d7901b98e2ac6ae3de61189d6352bae790e5f1bd9e6db28bc22f31b8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3x3xrk90.cmdline

Filesize
309B

MD5
504365c8fed6ca66e17a70efb4d8709a

SHA1
814e1f065a876e37791a64f7bbdee9ea12ff778b

SHA256
b64f4157c848b07e09ceeb49397fe3ab6db63715577b473beb83092bb9c04bc3

SHA512
94cfea9594f3c29c64bc76f4d671b709f0913949a870c6c84504052ef82d02d60e42948459fdcdba1a3d95d57beaead4c4644e0a62f8ef5398cdbf820bb2de12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC646E.tmp

Filesize
652B

MD5
7d155abd479953506999306d5152f222

SHA1
2ce795eb40f68f58fa228c496a7e60b98213633e

SHA256
631063966a95420c0fa1ed9f91c8b64e6c40a2ebdc0adefab726927373f71dae

SHA512
7785d61032b9a0d650e92d50b56b6cdd4fe333c4e12bdab99a40f1ff3ab59a2766024fce565b7014694fbe680cf242c1ad713c7bb5e96a98a2f383c08defcaeb

Download Submit
memory/2500-8-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2500-13-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/2500-11-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/2500-4-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/2500-7-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/2500-6-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2500-24-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2500-5-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2500-27-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2500-29-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing