metasploit | 85cb3767b22a0fe7280519d30663972557ccd681738baa855f70daf767dc6d42

General

Target

NEAS.tKw0c9h7.posh.ps1
Size

3KB
MD5

1586aeaa9eda2d45832b513f1402166c
SHA1

0d8fcd64d35d1b0809ca9da268c5bb7170d1e341
SHA256

85cb3767b22a0fe7280519d30663972557ccd681738baa855f70daf767dc6d42
SHA512

ce79ac619b9a0ff9a55a1ad23ef8a4d637a0a2bd70dd1cb083f48454c19bb3b74e2cad3714a2acca4ff11f51fc1908639e3753de89238f59c33f816815a0dcec

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

18.177.76.42:18064

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2004	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2004	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2652	2004	powershell.exe	29
PID 2004 wrote to memory of 2652	2004	powershell.exe	29
PID 2004 wrote to memory of 2652	2004	powershell.exe	29
PID 2652 wrote to memory of 2660	2652	csc.exe	30
PID 2652 wrote to memory of 2660	2652	csc.exe	30
PID 2652 wrote to memory of 2660	2652	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\NEAS.tKw0c9h7.posh.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zitskhdc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C1C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6C1B.tmp"
    3⤵
    PID:2660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6C1C.tmp

Filesize
1KB

MD5
b340cf1177bb6cd2ad0e8e09e9c50176

SHA1
e80cb15d5b2378902ccc0175ad70b1b916d2423f

SHA256
c6b8aec88225ff5232cd4dd3fb88e7bea4d5f063e109f8a4a6c4e1812617d162

SHA512
2e09a3d2044e68825b9b0c7497d5f07f04a31524d75c34fb5ce387ba3779f92b3786a676c277d7cb5b8e0ae96972c7c0ce677f0fe4d66b92cc90dca0da66e66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zitskhdc.dll

Filesize
3KB

MD5
a69c3e306f34ab3ef02601dbd5c5d13a

SHA1
b88a1c7b1eea56fc1dcaea201c726a9132afd385

SHA256
442d5aa3ba1d2cd721caa1ae87927333ae7a00fbb2e34d45cc87e778597e7880

SHA512
586daa6ff1422237c0a288759e83c31d9e9659b1184fe5902a04b88061443d12103f060e2a7053684f80d87e68ad1cfa71ff37c8164d62d2395806b8c2534425

Download Submit
C:\Users\Admin\AppData\Local\Temp\zitskhdc.pdb

Filesize
7KB

MD5
9ce89bef80507256de225bac6d436fdb

SHA1
80c171181f404fba5f712bc8dfc7421e669d2246

SHA256
3fc3d3d6669d0b228caba89de0ba456f03207a4dadf41a60fb3f79b8aafa051d

SHA512
623eeb1dcfee1924c1cb1c3cc7af97fb5978a53e30e0c679ebc7b250ca73143635d9f944c5c0c1626e0027cbf4164d3d97b5464461898bbad12af93f456c1853

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6C1B.tmp

Filesize
652B

MD5
f3aa79c0614a58d691fa499b17b04d20

SHA1
434ac85f29ee9acb117c8cff4f7075e5c45e30ee

SHA256
ae4f6690b90d530f5c10bb3beafa1039c157a0b4f4817a298228431ce87e665f

SHA512
6b044070bc2a815b4d528943557a32a7297b24886f9a3ac0052c959c9ad54510739bd8200a28fbeb0d580689dfe02a3bf308f2f1ce1acad91808fd1b6c321c52

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zitskhdc.0.cs

Filesize
465B

MD5
029a251db8736d1c039890283ddafd0d

SHA1
b2d1944ef240baa681565c6327011b30e0f980fd

SHA256
d1b97cac79d2b968a2d80df52ab40e480540f81040a825c5aba1192c72db2b0c

SHA512
71347e5eb5e4ed3dab872072d84f8eeb575c27632ffb53826f905fd19db9ec082e49d55d7901b98e2ac6ae3de61189d6352bae790e5f1bd9e6db28bc22f31b8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zitskhdc.cmdline

Filesize
309B

MD5
c8d3fae15db5ff1bd55966b9022a1307

SHA1
96c1f8b0983acdada6c8922e569271682ebe63ec

SHA256
a2ea335038bc9f47052edf7b62e020a15ee3ca7e798ac502fbd751c771eda708

SHA512
abc5bd6d45d957cbc9bc7dc6d456868e756d50e879a405eef6cb8f7bd38dd367e0e973869f71a9cac5e1a27421ef4426f95267b789286156762d26608e49264b

Download Submit
memory/2004-15-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2004-14-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2004-4-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download
memory/2004-13-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2004-12-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2004-10-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2004-24-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2004-5-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/2004-27-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2004-29-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing