metasploit | bf8a4f7d764d1030903a8f1367162bd431810dfa1f1a189bfbe24b8b8bae289c

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 03:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4f6e8de8f57b96d6342121d01a67a803ba88015de8283122245c5e3a6f4efe0d.ps1
Size

3KB
MD5

ad4124b740a624b574e9f375e2bb872a
SHA1

b481d86d9d1b4d44e950b759ce9ef42fe9598614
SHA256

4f6e8de8f57b96d6342121d01a67a803ba88015de8283122245c5e3a6f4efe0d
SHA512

ad82914cfcfe3a77414a8057b1145bb1e6865d895072af2df342b42dbaca4fa859a48cab0f7805571406c7a0761575c7ade89b601148c517f24aae4592f9f295

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

18.177.60.68:15302

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	1028	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1028	powershell.exe
1028	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 2160	1028	powershell.exe	89
PID 1028 wrote to memory of 2160	1028	powershell.exe	89
PID 2160 wrote to memory of 2128	2160	csc.exe	90
PID 2160 wrote to memory of 2128	2160	csc.exe	90

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\4f6e8de8f57b96d6342121d01a67a803ba88015de8283122245c5e3a6f4efe0d.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i4qebzw2\i4qebzw2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7484.tmp" "c:\Users\Admin\AppData\Local\Temp\i4qebzw2\CSCE86012B2FB9044F5928367365D9DFD4.TMP"
    3⤵
    PID:2128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7484.tmp

Filesize
1KB

MD5
a83c54b3053bae9c7bcaee5c934e0510

SHA1
b268b6c1cc4c066ba90a7844f0d43b6c4c189166

SHA256
c5f0c6896850938cb2bc92e3f9ca74b96be6e18c5c804deb1cffc0c4ab423637

SHA512
a7942e9974c3e3846da811bace216ebbbbccf660dcd6e5f3be3d01bb5afe09a3c852919fe98958464e2c65ae79201022234d85dc6e7d59d5d1bc4be8cce9cab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mbrgsj4t.jhv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4qebzw2\i4qebzw2.dll

Filesize
3KB

MD5
fae8014086e2deb4f024f51d4ceaeaed

SHA1
aef3188f8c1c187fd320b7d1c04dec4855b5d0d2

SHA256
6cc02b923cb3b3a2bafa2533b311bb363217caede0b5950b3a97def6b4a3f3cd

SHA512
a572e74568b876322c42b6eed0acfd287b58f7a507a27ff9ba25ea656ea1c3506626a9289931c8ef21ab9a75655acbdc6eea0db10632e33aecc0593f81fc5825

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i4qebzw2\CSCE86012B2FB9044F5928367365D9DFD4.TMP

Filesize
652B

MD5
58b12fcb3993d6c999bac19fc4a676cb

SHA1
b3d3469d7cd00ec167483bf499e255e842ef8e25

SHA256
172ab9ffdaf0a7b91a58dbc1d5bfa641d8fdad71afb5e30b121aff13d6f625ca

SHA512
0854cdab7095b35cab0f79cf708e52625818003557aa351501f0ab2c0366b06ca79f9fbbf7bf7db95110999432135782d76d901b62d464a74f526a766cca99e4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i4qebzw2\i4qebzw2.0.cs

Filesize
465B

MD5
029a251db8736d1c039890283ddafd0d

SHA1
b2d1944ef240baa681565c6327011b30e0f980fd

SHA256
d1b97cac79d2b968a2d80df52ab40e480540f81040a825c5aba1192c72db2b0c

SHA512
71347e5eb5e4ed3dab872072d84f8eeb575c27632ffb53826f905fd19db9ec082e49d55d7901b98e2ac6ae3de61189d6352bae790e5f1bd9e6db28bc22f31b8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i4qebzw2\i4qebzw2.cmdline

Filesize
369B

MD5
88a8488fef8b90960a3628d6fc5f46dc

SHA1
a584daa07bd8c2fa63c9099b36424c7e9880aac8

SHA256
f3a0c405324417b55a78b04bdd130ebcf5a1b3845abccc9b14b4cbc066ec9cb1

SHA512
2b17ce33cb2063d061729631e0ad9ebf9c6c34d8b8db9ae56c1ec30ea6c2f80c81f10a025c19ee78e10c166761e4ef6f11cfd9cc3cb85df9f3d18174a003e132

Download Submit
memory/1028-11-0x0000012C1FE90000-0x0000012C1FEA0000-memory.dmp

Filesize
64KB

Download
memory/1028-12-0x0000012C1FE90000-0x0000012C1FEA0000-memory.dmp

Filesize
64KB

Download
memory/1028-10-0x00007FF883B90000-0x00007FF884651000-memory.dmp

Filesize
10.8MB

Download
memory/1028-25-0x0000012C20BD0000-0x0000012C20BD8000-memory.dmp

Filesize
32KB

Download
memory/1028-9-0x0000012C20B60000-0x0000012C20B82000-memory.dmp

Filesize
136KB

Download
memory/1028-27-0x0000012C20BE0000-0x0000012C20BE1000-memory.dmp

Filesize
4KB

Download
memory/1028-31-0x00007FF883B90000-0x00007FF884651000-memory.dmp

Filesize
10.8MB

Download