metasploit | bf8a4f7d764d1030903a8f1367162bd431810dfa1f1a189bfbe24b8b8bae289c

General

Target

4f6e8de8f57b96d6342121d01a67a803ba88015de8283122245c5e3a6f4efe0d.ps1
Size

3KB
MD5

ad4124b740a624b574e9f375e2bb872a
SHA1

b481d86d9d1b4d44e950b759ce9ef42fe9598614
SHA256

4f6e8de8f57b96d6342121d01a67a803ba88015de8283122245c5e3a6f4efe0d
SHA512

ad82914cfcfe3a77414a8057b1145bb1e6865d895072af2df342b42dbaca4fa859a48cab0f7805571406c7a0761575c7ade89b601148c517f24aae4592f9f295

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

18.177.60.68:15302

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2092	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2092	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2632	2092	powershell.exe	29
PID 2092 wrote to memory of 2632	2092	powershell.exe	29
PID 2092 wrote to memory of 2632	2092	powershell.exe	29
PID 2632 wrote to memory of 2612	2632	csc.exe	30
PID 2632 wrote to memory of 2612	2632	csc.exe	30
PID 2632 wrote to memory of 2612	2632	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\4f6e8de8f57b96d6342121d01a67a803ba88015de8283122245c5e3a6f4efe0d.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rcnqqtjn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65F5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC65F4.tmp"
    3⤵
    PID:2612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES65F5.tmp

Filesize
1KB

MD5
b7ca7184f85a33bd401d3b7f402e9594

SHA1
a1057739360e7e980c89c73bdca151779e704483

SHA256
e85b32fd33f1270e45f0a6e4924fe88af20006addfa7358635e5c3c9b1e904c5

SHA512
ecb61a772d3dd11b4f41eeda3b438ac4d0ae1604668ffc4503ac4cb575415bd45b0aaa05a904774f6605223a66d281af5f08d508874da44eb42f39c0f98cd97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcnqqtjn.dll

Filesize
3KB

MD5
2cc3f9d01e57db09e45b0b024dc00812

SHA1
f8a9a80c4fce582b0a1a3973b5b60aed949971b8

SHA256
9628bd3ec1ae575ea2a32bc7487c33e920327d8475d2ff5216da8a917b04e520

SHA512
490bfd1d59c32861ae3f260d377b53aaf799ff618f79f71538e8153ef45f6fe8d86a99304008f0dc8f9f1f0f63482b1f95fd79c56740e8d2b4dc4f0d264ad135

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcnqqtjn.pdb

Filesize
7KB

MD5
3a10f58429066884bb8cf1de66104a4b

SHA1
6292a70cde9a3df0baea05c2f6e4c1048f12f63e

SHA256
83615545686eac93b2797ed7e3fb61ecf81e06b6e248579b18843f7e46a644e6

SHA512
1cfa4e7e7713596a55ff7d69d871041f21c42de7dfd46bc40252c5465d028c9adbcaa7b988de5db7422fba504c675608a3aa63a5cce30415c737cb41091ac321

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC65F4.tmp

Filesize
652B

MD5
00f085b0c6b76bf42de6e5fb050179ec

SHA1
17682920f208448f321f70c42cc68a0f6c5d0c80

SHA256
14098fb9959b1e69e2783df6b41321d1091327859f312353f0aed51bff1a4960

SHA512
16c31394f689068f48dee2b8cf7de1d85b1841ef802aca6d8e6313b4364b836d280e66493c848abf3fecf04fe9926023a4ef652da7baf3e6b8cb3995f29b9df0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rcnqqtjn.0.cs

Filesize
465B

MD5
029a251db8736d1c039890283ddafd0d

SHA1
b2d1944ef240baa681565c6327011b30e0f980fd

SHA256
d1b97cac79d2b968a2d80df52ab40e480540f81040a825c5aba1192c72db2b0c

SHA512
71347e5eb5e4ed3dab872072d84f8eeb575c27632ffb53826f905fd19db9ec082e49d55d7901b98e2ac6ae3de61189d6352bae790e5f1bd9e6db28bc22f31b8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rcnqqtjn.cmdline

Filesize
309B

MD5
83205062c44bc6b80022a886fc6ed69b

SHA1
89e1e50343cc54c9686906d5b0a5480732d1b5fb

SHA256
d8314016070b3a9edaf9c116d8b6b03ad998d84f37a8df1790ac53358fe1d6f2

SHA512
a35540c143029b70ac4be6069b175fc20f08dee9cf3864be1905e9443995ea160602d1ca6f7fd21e6aaacc945c2f2591990fb75c989b6268ec4a4852e8e59211

Download Submit
memory/2092-10-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/2092-11-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/2092-4-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/2092-9-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/2092-8-0x000007FEF5750000-0x000007FEF60ED000-memory.dmp

Filesize
9.6MB

Download
memory/2092-7-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/2092-5-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2092-25-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2092-6-0x000007FEF5750000-0x000007FEF60ED000-memory.dmp

Filesize
9.6MB

Download
memory/2092-28-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/2092-30-0x000007FEF5750000-0x000007FEF60ED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing