metasploit | 85cb3767b22a0fe7280519d30663972557ccd681738baa855f70daf767dc6d42

General

Target

tKw0c9h7.posh.ps1
Size

3KB
MD5

1586aeaa9eda2d45832b513f1402166c
SHA1

0d8fcd64d35d1b0809ca9da268c5bb7170d1e341
SHA256

85cb3767b22a0fe7280519d30663972557ccd681738baa855f70daf767dc6d42
SHA512

ce79ac619b9a0ff9a55a1ad23ef8a4d637a0a2bd70dd1cb083f48454c19bb3b74e2cad3714a2acca4ff11f51fc1908639e3753de89238f59c33f816815a0dcec

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

18.177.76.42:18064

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1964	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1964	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2396	1964	powershell.exe	29
PID 1964 wrote to memory of 2396	1964	powershell.exe	29
PID 1964 wrote to memory of 2396	1964	powershell.exe	29
PID 2396 wrote to memory of 2796	2396	csc.exe	30
PID 2396 wrote to memory of 2796	2396	csc.exe	30
PID 2396 wrote to memory of 2796	2396	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\tKw0c9h7.posh.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yunazpuv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67AA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC67A9.tmp"
    3⤵
    PID:2796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES67AA.tmp

Filesize
1KB

MD5
490164a9575bc079fdda58243f851c36

SHA1
c7e9c50f6898d969eca85d0e725e153c594d64f0

SHA256
8519791c2c0dfd3cb1fc6c02c8aab4e0dbae60b65d685a206eaa0f8db60b37c5

SHA512
97ce90ce6cbe2a1c5684eb8950bbea181bab812622f503d28beacabe7485f39139892fba4096ef92c875ef9082c3f2468a2b928c728741413be6039aa140ac09

Download Submit
C:\Users\Admin\AppData\Local\Temp\yunazpuv.dll

Filesize
3KB

MD5
5033a2e19f1709404c830c3dd8b8b39d

SHA1
3437ff56cb2f3c9ff8512a859ac2a965777ad7c9

SHA256
bd7a4d741cfe710c25fcae7ffe62f69a4ea151bacaa2a858ca31ff111a49fa39

SHA512
abe82d3b9f2040104cf42c211aa3fc2ed6d4be367f40829198764a92cd7aa4d47594465ae9103173bd2135e13330d5341e8181a3ae9b442f02c26d0936aa74cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yunazpuv.pdb

Filesize
7KB

MD5
d80cc7dffa69ea58b5d225087ca77c9a

SHA1
e5941772cc7db4530e8122d33a8e2cefda33116c

SHA256
3ae5178d33e79121c2b37d40976d669abfc4b0f4bc27e6eadd21a501ff7a25b5

SHA512
7751746cb78f2eca121c4a1d5e1af0ed60bcf4b6329853bdc2e4f38d47dcfe2f344ea216322d66a9be5335c97e3c973ea774b70dfd9dda1a3ada54e44719caa0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC67A9.tmp

Filesize
652B

MD5
e935d6714d27968c61e4aa6071064aed

SHA1
a25982240c12a7b5f39320731cb87f6f4684b0ed

SHA256
9f82e9e6357d96b94f90c6b4393a6f04ddb145d5c8a634387180e6bfd954d0c1

SHA512
4fd5789ec3018636ee4674e5d400e7230331eb4d2f7b3ea8bad9dca2a4d6d55250d60b3cbcbddf874e6860cdbf92214b0bd10861d490306a35220ce2c20ce9de

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yunazpuv.0.cs

Filesize
465B

MD5
029a251db8736d1c039890283ddafd0d

SHA1
b2d1944ef240baa681565c6327011b30e0f980fd

SHA256
d1b97cac79d2b968a2d80df52ab40e480540f81040a825c5aba1192c72db2b0c

SHA512
71347e5eb5e4ed3dab872072d84f8eeb575c27632ffb53826f905fd19db9ec082e49d55d7901b98e2ac6ae3de61189d6352bae790e5f1bd9e6db28bc22f31b8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yunazpuv.cmdline

Filesize
309B

MD5
58cb53ba6bfc084c080cd8fe6bd905da

SHA1
5ca20c56a5e87faf0b98c31d69deccdd50fb36e5

SHA256
27573c4063a5b5cd9d93693d9bda512bc0f68857f3c91e3a3b76e795db860831

SHA512
0a6746e0a494a89c3d432ca3b83404f0f7dbe90ec27cc82ca91c1eca7f6755c55b8fcd7f076f238c516b15670867ad2883329ade09223d7b664cb803d7f3c5a6

Download Submit
memory/1964-10-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/1964-11-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/1964-5-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/1964-9-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/1964-8-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/1964-7-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/1964-6-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/1964-26-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/1964-4-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/1964-29-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1964-31-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2396-17-0x00000000021A0000-0x0000000002220000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing