metasploit | 85cb3767b22a0fe7280519d30663972557ccd681738baa855f70daf767dc6d42

Analysis

max time kernel
128s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tKw0c9h7.posh.ps1
Size

3KB
MD5

1586aeaa9eda2d45832b513f1402166c
SHA1

0d8fcd64d35d1b0809ca9da268c5bb7170d1e341
SHA256

85cb3767b22a0fe7280519d30663972557ccd681738baa855f70daf767dc6d42
SHA512

ce79ac619b9a0ff9a55a1ad23ef8a4d637a0a2bd70dd1cb083f48454c19bb3b74e2cad3714a2acca4ff11f51fc1908639e3753de89238f59c33f816815a0dcec

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

18.177.76.42:18064

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	580	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
580	powershell.exe
580	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	580	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 1360	580	powershell.exe	87
PID 580 wrote to memory of 1360	580	powershell.exe	87
PID 1360 wrote to memory of 3404	1360	csc.exe	88
PID 1360 wrote to memory of 3404	1360	csc.exe	88

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\tKw0c9h7.posh.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ajvuced0\ajvuced0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA086.tmp" "c:\Users\Admin\AppData\Local\Temp\ajvuced0\CSC6315EFE94DAB4D4C957A6DEB9F2E4A0.TMP"
    3⤵
    PID:3404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA086.tmp

Filesize
1KB

MD5
c9fa5993341737d71d44550462cfcd48

SHA1
4c2cdf2738ebc2139a8e226a743a6679b7a7db81

SHA256
e775a88823bcd162cd4fa952621a09eb807d00dbddde0a99fa8c9408d3bf218d

SHA512
aefa1f414e89f9b1b685ad29ac43cc64d337051a378bcfdf9f638052a00310f6a9af5c17b473a7e7a0e7d5784b7149ae7b6f5c9f098d985057612237f29e05d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wpl4zeb1.tcv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajvuced0\ajvuced0.dll

Filesize
3KB

MD5
bc2476ded7a5d067e99cff5d0e874705

SHA1
ef9b907ca048398341ca472060d6f102de230e9b

SHA256
9857525226cc90008bc2820d690edded285f4e4f2b096c2f8f127bd2bb73a606

SHA512
78a1a30b299a0f50959271badbc798ced074a7eb4a99a3aa75531375529b8d69bbbfdeb2075f0ac152b96cb98ee363e47d4da33198b704bed219958f357fc7c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ajvuced0\CSC6315EFE94DAB4D4C957A6DEB9F2E4A0.TMP

Filesize
652B

MD5
d83312c0323b6ea302e06d78bf08f25d

SHA1
894752fcd3f85d4c1496e26088c5df731876fca4

SHA256
10f21a83278a0fce942d96b9d1bacc9c9908ed6ef7b158e430d3e6ee4ce897ee

SHA512
5b3d9f18a1b7318773f5247d25cbe0a9b8535cc0e2ab0bd06172ddeb30038592c29fa292a2199d2a6b83cd78d5064d379fda1d977093bfab074554ff87c7189d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ajvuced0\ajvuced0.0.cs

Filesize
465B

MD5
029a251db8736d1c039890283ddafd0d

SHA1
b2d1944ef240baa681565c6327011b30e0f980fd

SHA256
d1b97cac79d2b968a2d80df52ab40e480540f81040a825c5aba1192c72db2b0c

SHA512
71347e5eb5e4ed3dab872072d84f8eeb575c27632ffb53826f905fd19db9ec082e49d55d7901b98e2ac6ae3de61189d6352bae790e5f1bd9e6db28bc22f31b8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ajvuced0\ajvuced0.cmdline

Filesize
369B

MD5
62cbd05e2603f3b7c007530533e8ff0f

SHA1
cab85d1331010c735d607343e74202f66be39920

SHA256
cfc37e401127bb8ac91056a492860914d4a8f0d42f1f5b740a1e8184f33460fb

SHA512
8059bacfb1bea238d0047cb4734b9864f8e10ec9ac1aa1c2cc603e9c9b3acfe56bef245c56f201677e3f6d73d891c9fe80ae8dc4b1047896e8a5b8eb90617193

Download Submit
memory/580-0-0x000001A434910000-0x000001A434932000-memory.dmp

Filesize
136KB

Download
memory/580-11-0x000001A434900000-0x000001A434910000-memory.dmp

Filesize
64KB

Download
memory/580-13-0x000001A434900000-0x000001A434910000-memory.dmp

Filesize
64KB

Download
memory/580-12-0x000001A434900000-0x000001A434910000-memory.dmp

Filesize
64KB

Download
memory/580-10-0x00007FFF794F0000-0x00007FFF79FB1000-memory.dmp

Filesize
10.8MB

Download
memory/580-26-0x000001A44D1D0000-0x000001A44D1D8000-memory.dmp

Filesize
32KB

Download
memory/580-28-0x000001A44D1E0000-0x000001A44D1E1000-memory.dmp

Filesize
4KB

Download
memory/580-32-0x00007FFF794F0000-0x00007FFF79FB1000-memory.dmp

Filesize
10.8MB

Download