metasploit | 85cb3767b22a0fe7280519d30663972557ccd681738baa855f70daf767dc6d42

Analysis

max time kernel
132s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2023 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.tKw0c9h7.posh.ps1
Size

3KB
MD5

1586aeaa9eda2d45832b513f1402166c
SHA1

0d8fcd64d35d1b0809ca9da268c5bb7170d1e341
SHA256

85cb3767b22a0fe7280519d30663972557ccd681738baa855f70daf767dc6d42
SHA512

ce79ac619b9a0ff9a55a1ad23ef8a4d637a0a2bd70dd1cb083f48454c19bb3b74e2cad3714a2acca4ff11f51fc1908639e3753de89238f59c33f816815a0dcec

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

18.177.76.42:18064

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
32	3756	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3756	powershell.exe
3756	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3756	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 4296	3756	powershell.exe	91
PID 3756 wrote to memory of 4296	3756	powershell.exe	91
PID 4296 wrote to memory of 4860	4296	csc.exe	92
PID 4296 wrote to memory of 4860	4296	csc.exe	92

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\NEAS.tKw0c9h7.posh.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3io4mmfk\3io4mmfk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES293E.tmp" "c:\Users\Admin\AppData\Local\Temp\3io4mmfk\CSCF5F517878C54A1687666FA6F3C27F58.TMP"
    3⤵
    PID:4860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3io4mmfk\3io4mmfk.dll

Filesize
3KB

MD5
4ac799cedd9d2bc83469416613fe4133

SHA1
1ed2107c2e722856fde008c255cf58e309aac9e9

SHA256
53b842d97e22e22d34aa570e8efe04bca98f9619236a105ffb58974da15ae4ab

SHA512
f74f1bd26246a18d9843251de3e8ce2d21ff4a87fd2910d3131c12d12bb79adca4fd0d665c81a537588ff2f8beee44595069d128e5c4da9d62f02884df30a4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES293E.tmp

Filesize
1KB

MD5
7f98c8449affe378040edf55d937f0a8

SHA1
054c6c292b677119ee79b9c6dfb5f41dc40dd08b

SHA256
f59cdddfd1bc310d16897966dbeb777f1afa6206dc4e07da1344157d165ed014

SHA512
15858926f3d4e69b21f78e63af8298a728664f79121654d247de69c674cbe4d52ea018582ce31c31fc3bd167c1915344a46f031ed204e2f8526918f233690ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hhkatt1u.nxp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3io4mmfk\3io4mmfk.0.cs

Filesize
465B

MD5
029a251db8736d1c039890283ddafd0d

SHA1
b2d1944ef240baa681565c6327011b30e0f980fd

SHA256
d1b97cac79d2b968a2d80df52ab40e480540f81040a825c5aba1192c72db2b0c

SHA512
71347e5eb5e4ed3dab872072d84f8eeb575c27632ffb53826f905fd19db9ec082e49d55d7901b98e2ac6ae3de61189d6352bae790e5f1bd9e6db28bc22f31b8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3io4mmfk\3io4mmfk.cmdline

Filesize
369B

MD5
95aaad3b64cbc168bb0bd3b6b947911a

SHA1
389a89673e89df328a3749fecfa5bac82cfb5425

SHA256
7bb2f4df964c0004e3e155b37f578e29bca10e59242f8e51992ca765cd581799

SHA512
403cbf816a33297713dbe3616ad7f3eae348d7014d15c021e2a2c51bcd547953c235e941840412941f6397e00444c322cdfc45bbd589a066cdbe8d3dde3b54a0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3io4mmfk\CSCF5F517878C54A1687666FA6F3C27F58.TMP

Filesize
652B

MD5
750066d54d67be41b4fa71463b21f7d6

SHA1
a9b6ff4f757a2b0180528550d8c2277330c0de4d

SHA256
157397da376a514c71d046b97d5694fe1fb909da964b6d3295cc453a31ebad6f

SHA512
0959184cc0607d6bbd7ad9551350f3702d27d9cbefc5c8d1151b7ee5c2514efd497b5511017e323fe228380d8d3f6cd627e08ce57e13a20483f64b336f754fc0

Download Submit
memory/3756-12-0x00000211F78A0000-0x00000211F78B0000-memory.dmp

Filesize
64KB

Download
memory/3756-11-0x00000211F78A0000-0x00000211F78B0000-memory.dmp

Filesize
64KB

Download
memory/3756-10-0x00007FFFA30D0000-0x00007FFFA3B91000-memory.dmp

Filesize
10.8MB

Download
memory/3756-9-0x00000211F7870000-0x00000211F7892000-memory.dmp

Filesize
136KB

Download
memory/3756-25-0x00000211DF390000-0x00000211DF398000-memory.dmp

Filesize
32KB

Download
memory/3756-27-0x00000211F7860000-0x00000211F7861000-memory.dmp

Filesize
4KB

Download
memory/3756-31-0x00007FFFA30D0000-0x00007FFFA3B91000-memory.dmp

Filesize
10.8MB

Download