metasploit | d1df44a5213dda2704c92779cbea83964d5aa8686e03884cd722201ea3ce33cb

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

j6MF8D5v.posh.ps1
Size

3KB
MD5

707a231033726bbdad945111af97510a
SHA1

722ce669abcb2281225f008d410b0b2793258edb
SHA256

d1df44a5213dda2704c92779cbea83964d5aa8686e03884cd722201ea3ce33cb
SHA512

a6b710d2fc0196aca3dccc1d9ffd30783f725e5bc5f376b5e42ac536965b050198ab218f482a311d821f6645a4db10d17b71168bb28d9eef3fbd7a55e8514e7d

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

18.176.183.3:13745

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
17	4596	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4596	powershell.exe
4596	powershell.exe
4596	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 1316	4596	powershell.exe	96
PID 4596 wrote to memory of 1316	4596	powershell.exe	96
PID 1316 wrote to memory of 1644	1316	csc.exe	97
PID 1316 wrote to memory of 1644	1316	csc.exe	97

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\j6MF8D5v.posh.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ezmpnd2y\ezmpnd2y.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES702F.tmp" "c:\Users\Admin\AppData\Local\Temp\ezmpnd2y\CSCE9D3C1CBF904C8DAEDAC8D667A95A74.TMP"
    3⤵
    PID:1644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:3264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES702F.tmp

Filesize
1KB

MD5
c782c2aa6ffaa544e1c25d8192253813

SHA1
b9fa29f920d155a688bda162d10892f1a16dbc8d

SHA256
ee0a8f7bb02fd76976709f62b78a2ff7106071a5b8d9ae6aa54e557576ba531a

SHA512
ceccfd9b6a75f69b8de8b231d0d20e18a137cc151fce136d1bffcdfbd6cc4b0606a5b26fc09f8c6a05d59fd0f5fcad7bc1a731db8463e21e8dcaf42875b0c237

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aoaur4sy.0xv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezmpnd2y\ezmpnd2y.dll

Filesize
3KB

MD5
1b4f7a1fe7802ce9a462a67b7d185fff

SHA1
65141fd89f237e01ee4e5525d43c95e2389ac04c

SHA256
7dc44e3e5bdc694ba113e72eac6410e8826c81b9479c1adf0de435b797af6105

SHA512
2b68a7be81b72110cfd56f84dad21001ddffe34bd9b2be0fa03fe4b5612818e12dc07804c8370174b4f077197fb5b64dc5c924bb3a597843afe65cf017f507fa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ezmpnd2y\CSCE9D3C1CBF904C8DAEDAC8D667A95A74.TMP

Filesize
652B

MD5
068697fcb78fb09284546bf5957ed3b3

SHA1
f2ed88797ac9c3ce686ae40a5abd57efdb291a26

SHA256
74d48d20b6c7a8586252e141161ab1fd2532d9858f9d40207aad35f02f76c1b6

SHA512
03e73aa8580ccb3d85bdbc0b66a49c036ffc5a8c2031f64b6aa290170ebfd75e5f39ef4feb5c49d81326145bdf0ba17b1fe3692d68685cb1d2ed6c095def2e7f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ezmpnd2y\ezmpnd2y.0.cs

Filesize
465B

MD5
029a251db8736d1c039890283ddafd0d

SHA1
b2d1944ef240baa681565c6327011b30e0f980fd

SHA256
d1b97cac79d2b968a2d80df52ab40e480540f81040a825c5aba1192c72db2b0c

SHA512
71347e5eb5e4ed3dab872072d84f8eeb575c27632ffb53826f905fd19db9ec082e49d55d7901b98e2ac6ae3de61189d6352bae790e5f1bd9e6db28bc22f31b8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ezmpnd2y\ezmpnd2y.cmdline

Filesize
369B

MD5
80bc2b9f758164f8d0d60eb0cfc04519

SHA1
fb7ea11f6820d4de42a9e26b8da1611741f459cd

SHA256
204f02343a328b0462dc94a220e5d214a9da095328a8bbfea2c8f34c0d67ee18

SHA512
792a383f3202be9df77b925778d402bc7d4af7ed3ba3bc78b2a91bbacfc664e187f171be6f7bc10b349657174d070039c05cdc98d265f4254da2f57d607ea164

Download Submit
memory/4596-11-0x0000022FF2D70000-0x0000022FF2D80000-memory.dmp

Filesize
64KB

Download
memory/4596-12-0x0000022FF2D70000-0x0000022FF2D80000-memory.dmp

Filesize
64KB

Download
memory/4596-0-0x0000022FDA7F0000-0x0000022FDA812000-memory.dmp

Filesize
136KB

Download
memory/4596-25-0x0000022FF2D50000-0x0000022FF2D58000-memory.dmp

Filesize
32KB

Download
memory/4596-10-0x00007FFB6F2F0000-0x00007FFB6FDB1000-memory.dmp

Filesize
10.8MB

Download
memory/4596-27-0x0000022FF2D60000-0x0000022FF2D61000-memory.dmp

Filesize
4KB

Download
memory/4596-31-0x00007FFB6F2F0000-0x00007FFB6FDB1000-memory.dmp

Filesize
10.8MB

Download