metasploit | d1df44a5213dda2704c92779cbea83964d5aa8686e03884cd722201ea3ce33cb

General

Target

j6MF8D5v.posh.ps1
Size

3KB
MD5

707a231033726bbdad945111af97510a
SHA1

722ce669abcb2281225f008d410b0b2793258edb
SHA256

d1df44a5213dda2704c92779cbea83964d5aa8686e03884cd722201ea3ce33cb
SHA512

a6b710d2fc0196aca3dccc1d9ffd30783f725e5bc5f376b5e42ac536965b050198ab218f482a311d821f6645a4db10d17b71168bb28d9eef3fbd7a55e8514e7d

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

18.176.183.3:13745

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2156	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2156	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2648	2156	powershell.exe	29
PID 2156 wrote to memory of 2648	2156	powershell.exe	29
PID 2156 wrote to memory of 2648	2156	powershell.exe	29
PID 2648 wrote to memory of 2372	2648	csc.exe	30
PID 2648 wrote to memory of 2372	2648	csc.exe	30
PID 2648 wrote to memory of 2372	2648	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\j6MF8D5v.posh.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nal0icra.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BFA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1BF9.tmp"
    3⤵
    PID:2372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1BFA.tmp

Filesize
1KB

MD5
c3e9926f378a78abde639de785a63728

SHA1
a1ee1c6d109beeb24d60da1326e204ad9cd654f1

SHA256
7571ce6c37bf17a545283858c3d4954b12b9a2c2ac6d9f508d8c43414650a953

SHA512
aafb53d871f4ed049df666c2aca502784b5fcfd3f8e7aef176debee8a94d9a0614fde4e11eeb20de7e220f32da3a9fdf5e60e8fde6444bbfade296c34019117c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nal0icra.dll

Filesize
3KB

MD5
6873196728361f84d22db65b6da67ff0

SHA1
ba9bf54edc85a5ad352344a1dbfdaa3b5d818703

SHA256
ef7c33f0497cebc0462082097c7d7facfd5448b07e504d588803d7480d173609

SHA512
7a1c41aaf77ba1e76f6d3d53be582b676600017cb8317c4a30599beb3ca71a9e13f49c51c1d5fa3940e7cecd6b1981457b18a46580d895e26c5a3bf3605a100d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nal0icra.pdb

Filesize
7KB

MD5
e733b9c3bfc9fb1ea3df24dbad389424

SHA1
5ffaa6d4f270bd27caecb3a3488b97c522a6edc3

SHA256
3b3c0863d145c5da7246461cf9a9577acfa0d97b8a93b642c5910116926c3b7b

SHA512
8aa1f725d3c697016840f10f1d2164b1452443bea53c87dc668ecd272bfeb54ca565ca1f7b83a143d4477cfb86f2de7d158687e694e77c487f591321bfa213b5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1BF9.tmp

Filesize
652B

MD5
9f76b3b4e8dbf65b928e3c6b169a7f46

SHA1
d5c4ccfb63247ee2b2ebe72aa0570d5ec81d2083

SHA256
0ef9fcee47bedd3bc9cccf99e2d75e559a0ef175ca2fe22d5b58644bc5f5f17b

SHA512
0c3e6fd2961cc46cb45b0927df6c158f3edd19b638ef026a7fc8d73dd699d2f9781cffeb43c255925a41d1d91b5a4eff3973d51094a61e78727edcc83309166a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nal0icra.0.cs

Filesize
465B

MD5
029a251db8736d1c039890283ddafd0d

SHA1
b2d1944ef240baa681565c6327011b30e0f980fd

SHA256
d1b97cac79d2b968a2d80df52ab40e480540f81040a825c5aba1192c72db2b0c

SHA512
71347e5eb5e4ed3dab872072d84f8eeb575c27632ffb53826f905fd19db9ec082e49d55d7901b98e2ac6ae3de61189d6352bae790e5f1bd9e6db28bc22f31b8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nal0icra.cmdline

Filesize
309B

MD5
4589e404a10fb13f65e092fa8bc9932d

SHA1
76ac8023ce8b4a00768a0a310ee9a4e8b3632449

SHA256
1509473bc9374b755f6a702603af4a721b3a5083e1a48e7d5ff7fcc47b8a71ee

SHA512
1ed42606328737482ca2a04dbc7ba60c3138d305dc35296846b8c58b48df33ece993693fc4f6838a0548fc03ca8b00d0b2e17feedf6a8db0006f1534deab29c9

Download Submit
memory/2156-8-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/2156-12-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2156-15-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2156-14-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2156-4-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2156-7-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2156-6-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/2156-25-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/2156-5-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2156-28-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2156-30-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing