Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-05-2024 06:36

General

  • Target

    0a79157ced6caf940a852fa5163f2e09.ps1

  • Size

    2KB

  • MD5

    0a79157ced6caf940a852fa5163f2e09

  • SHA1

    e4e2145e4dabe073e3437425c5eafc098c9cf3fd

  • SHA256

    9fcf01850aba30ee520be8691bd97d9ae58b36ba689fcaace2cc218bb15f54ed

  • SHA512

    0494f068a268671b2c71ea7d3321e1c7715b2781fcea79d9dbbdac0b2c0817c049806c270642e99a7ba666392a22e391d48281957e5f1551fe68dc175392e65e

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai
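
The "Version" field above is where this report records the msfvenom encoder rather than a version number. shikata_ga_nai is Metasploit's polymorphic x86 encoder built on an XOR additive-feedback scheme: a 32-bit key is XORed into each dword, and the decoded dword is then added to the key, so the key changes for every block. The following Python model of that scheme is an added illustration and not Metasploit's own code; the 4-byte NOP padding, the sample bytes and the key are this example's own assumptions.

```python
"""Model of the XOR additive-feedback scheme behind shikata_ga_nai (illustration only,
not Metasploit's implementation). Real msfvenom output also carries a polymorphic
decoder stub that finds its own address through the FPU (fnstenv) and holds the
initial key as an immediate operand, which this model leaves out."""
import struct
from typing import List

MASK32 = 0xFFFFFFFF


def _pad(buf: bytes) -> bytes:
    """Align to 4-byte blocks. Padding with NOPs (0x90) is this example's choice."""
    rem = len(buf) % 4
    if rem:
        return buf + b"\x90" * (4 - rem)
    return buf


def sgn_encode(plain: bytes, key: int) -> bytes:
    """Encode: out[i] = plain[i] ^ key; then key = (key + plain[i]) mod 2^32."""
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", _pad(plain)):
        out += struct.pack("<I", word ^ key)
        key = (key + word) & MASK32          # feedback: the decoded dword rolls the key
    return bytes(out)


def sgn_decode(enc: bytes, key: int) -> bytes:
    """Mirror of the decoder loop: xor [ptr], key ; add key, [ptr] ; ptr += 4 ; loop."""
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", enc):
        dec = word ^ key
        out += struct.pack("<I", dec)
        key = (key + dec) & MASK32
    return bytes(out)


def recover_key(enc: bytes, known_first_dword: bytes) -> int:
    """The scheme hides bytes from signatures, not from analysts: one known plaintext
    dword (or the immediate in the stub's mov) yields the key, and feedback does the rest."""
    (e0,) = struct.unpack("<I", enc[:4])
    (p0,) = struct.unpack("<I", known_first_dword)
    return e0 ^ p0


def encoded_dwords(buf: bytes) -> List[int]:
    """Split an aligned buffer into little-endian dwords (helper for inspecting output)."""
    return [w for (w,) in struct.iter_unpack("<I", buf)]


# Constructed sample input; these are not shellcode bytes.
SAMPLE = b"constructed sample payload bytes"   # 32 bytes, already 4-byte aligned
SAMPLE_KEY = 0x2A1B3C4D

if __name__ == "__main__":
    enc = sgn_encode(SAMPLE, SAMPLE_KEY)
    print(enc.hex())
    print(sgn_decode(enc, SAMPLE_KEY))
    # The same dword four times encodes to four different dwords, which is why a
    # fixed-XOR signature over the payload body does not work.
    print([hex(w) for w in encoded_dwords(sgn_encode(b"AAAA" * 4, SAMPLE_KEY))])
```

What the model shows: identical plaintext blocks never produce identical ciphertext blocks, so byte signatures on the encoded payload fail, but the scheme offers no secrecy, since the initial key sits in the decoder stub and a single known dword recovers it. Detection therefore targets the stub (the FPU getpc, fnstenv and loop pattern) or emulates it to recover the payload; multiple msfvenom iterations simply nest stubs.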

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0a79157ced6caf940a852fa5163f2e09.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\trxma8u1.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D58.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2D57.tmp"
        3⤵
          PID:2608
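
The chain above is the footprint of PowerShell's Add-Type: it writes a C# source file and a .cmdline response file to %TEMP%, runs the framework's csc.exe with /noconfig /fullpaths, and csc.exe runs cvtres.exe for the resource section, leaving the trxma8u1.* files listed under dropped files. The following is an added example of that chain expressed as detection logic over process-creation events; it is not part of the report and not the sandbox's own rule. PIDs, image paths and command lines of 2192, 2568 and 2608 are taken from the page; the parent PID of powershell.exe (1000) and the two MSBuild events are constructed to provide a benign negative case.

```python
"""Flag PowerShell -> csc.exe -> cvtres.exe chains (Add-Type compiling inline C#),
together with -ExecutionPolicy bypass on the parent, over process-creation events."""
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon Event ID 1 or EDR log carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample built from the process tree in this report. PIDs, images and
# command lines of 2192/2568/2608 are the page's; the parent PID of powershell.exe
# (1000) and the two MSBuild events are invented as a benign negative case.
SAMPLE_EVENTS = [
    ProcEvent(2192, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0a79157ced6caf940a852fa5163f2e09.ps1"),
    ProcEvent(2568, 2192, r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\trxma8u1.cmdline"'),
    ProcEvent(2608, 2568, r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D58.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2D57.tmp"'),
    ProcEvent(3100, 3000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\Admin\source\MyApp\MyApp.csproj"),
    ProcEvent(3101, 3100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig @"C:\Users\Admin\source\MyApp\obj\Debug\MyApp.csproj.rsp"'),
]

# -ExecutionPolicy accepts unambiguous prefixes, so cover the short forms too.
EP_BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass\b", re.I)
SCRIPT_ARG = re.compile(r'-file\s+"?([^"]+?\.ps1)"?(?:\s|$)', re.I)
# Add-Type's response file: @"<...>\Temp\<random stem>.cmdline". The same stem names the
# .0.cs, .dll and .pdb in %TEMP%. Assumes the default %TEMP% directory layout.
ADDTYPE_RSP = re.compile(r'@"?(?P<path>[^"\s]*\\Temp\\(?P<stem>[^\\"\s]+)\.cmdline)"?', re.I)


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect_addtype_chains(events: Iterable[ProcEvent]) -> List[dict]:
    """One finding per csc.exe spawned by powershell.exe with an Add-Type response file."""
    events = list(events)
    by_pid = {e.pid: e for e in events}
    findings = []
    for csc in events:
        if _base(csc.image) != "csc.exe":
            continue
        parent = by_pid.get(csc.ppid)
        if parent is None or _base(parent.image) != "powershell.exe":
            continue
        rsp = ADDTYPE_RSP.search(csc.cmdline)
        if rsp is None or "/noconfig" not in csc.cmdline.lower():
            continue
        script = SCRIPT_ARG.search(parent.cmdline)
        findings.append({
            "powershell_pid": parent.pid,
            "csc_pid": csc.pid,
            "cvtres_pids": sorted(c.pid for c in events
                                  if c.ppid == csc.pid and _base(c.image) == "cvtres.exe"),
            "execution_policy_bypass": EP_BYPASS.search(parent.cmdline) is not None,
            "script": script.group(1) if script else None,
            "temp_stem": rsp.group("stem"),   # pivot to the dropped trxma8u1.* files
        })
    return findings


if __name__ == "__main__":
    for finding in detect_addtype_chains(SAMPLE_EVENTS):
        print(finding)
```

Treat a hit as a lead rather than a verdict: Add-Type also appears in legitimate administration scripts, so corroborate with the execution-policy bypass, the script location in %TEMP%, and the AdjustPrivilegeToken and WriteProcessMemory behaviour flagged above. The v2.0.50727 path in this report reflects PowerShell 2.0 on the Windows 7 image; on current hosts the same chain runs csc.exe from v4.0.30319, so match on the image name rather than the framework directory.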

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES2D58.tmp

      Filesize

      1KB

      MD5

      c6a4d56655e6ee2a8bb84d517c9d08c4

      SHA1

      52356ffc9b06adad92f9c4d64ae3c81acfb5dfb3

      SHA256

      376fa54886c8c85a39c7f41260333ae5887eeaa9852703d1664291b79bee8b0a

      SHA512

      936be776caf8c256160a70fb463196001287c38cea1d138c424ac89d82e59e39862a17fbb4694bd14b8f5bc4c17206a8148b27dc428309d73ea4cae2b9e98275

    • C:\Users\Admin\AppData\Local\Temp\trxma8u1.dll

      Filesize

      3KB

      MD5

      059c7f71710970fe973286761e0f5177

      SHA1

      f5733e74f4a7245f1bf7de66e5f1f5fc4d7ba028

      SHA256

      da52c8f79f3314d5c067393c1acbcf6103882ec8e52630751d8abfeb87b3c5e8

      SHA512

      521218f77f63ee4f4ef1c5e60c528be71b1ef3703df5658ce6b6cc38334e9683fcd50b701555582e79b4aa29a2555fa99a3cc6ee391f4033cb05e2cbe9535cc0

    • C:\Users\Admin\AppData\Local\Temp\trxma8u1.pdb

      Filesize

      7KB

      MD5

      e8060745cfe4255919e1ec78a9d64310

      SHA1

      c05749a44a70b27cfab485b7e16dcb00172e644e

      SHA256

      03496ca7dbabe350fd76b93ca1dc2f63879bee92e70e8d02f62c9b9da0a13ebf

      SHA512

      fa66d60cc57d65fd55d840709b581e35af2e8ded8c55f484c08c7e6e3e17bc5ddeec3288722c82f1e6b18e8bdf10fd1fd73aa7efc05235c0203d52aaf708d2eb

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC2D57.tmp

      Filesize

      652B

      MD5

      81e49f8086bbf7c29eb0939dc7826ed5

      SHA1

      b6b443d5f24a9c81d74365482fade42cd0ea2295

      SHA256

      d5f388b74135e0304f87280fde7f934be4ac2040377ad875a77c2e602a8f7ace

      SHA512

      178a0e54085a9dc03a5efe5edcb753fc43b832d59658283e2c0dbe5c709fe7631f4523b0d27cb601cef5cf63433722f38d33af641c1366f3cf9f3d407ca273ea

    • \??\c:\Users\Admin\AppData\Local\Temp\trxma8u1.0.cs

      Filesize

      557B

      MD5

      7319070c34daa5f6f2ece2dfc07119ee

      SHA1

      f26a4a48518a5608e93c8b77368f588b0433973c

      SHA256

      b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

      SHA512

      34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

    • \??\c:\Users\Admin\AppData\Local\Temp\trxma8u1.cmdline

      Filesize

      309B

      MD5

      8d29e9f2e8442dcecb7a65da3bf5c405

      SHA1

      5c979038a76dbdb0db968ea8c5591a8f04daa93b

      SHA256

      9bc6239349374e6c346b752cffbffdb3c8815cceed4bf692051aeba4e6f6ded9

      SHA512

      e0ee8545c33058ab2ec9fed7a4b351bb36bb3a750b499ec65dff658250c414f76dddbdfe6470c2717e2e756ae7e206329d75f14dd5bfdb1e215453b548267b79

    • memory/2192-6-0x00000000026A0000-0x00000000026A8000-memory.dmp

      Filesize

      32KB

    • memory/2192-10-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2192-5-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

      Filesize

      2.9MB

    • memory/2192-4-0x000007FEF64FE000-0x000007FEF64FF000-memory.dmp

      Filesize

      4KB

    • memory/2192-9-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2192-8-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2192-7-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2192-26-0x0000000002C00000-0x0000000002C08000-memory.dmp

      Filesize

      32KB

    • memory/2192-29-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2192-30-0x000000001B600000-0x000000001B601000-memory.dmp

      Filesize

      4KB

    • memory/2192-32-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2568-19-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2568-24-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

      Filesize

      9.6MB