Overview

overview

10

Static

static

10

0a79157ced...09.ps1

windows7-x64

10

0a79157ced...09.ps1

windows10-2004-x64

3

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    21-05-2024 20:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a79157ced6caf940a852fa5163f2e09.ps1

  • Size

    2KB

  • MD5

    0a79157ced6caf940a852fa5163f2e09

  • SHA1

    e4e2145e4dabe073e3437425c5eafc098c9cf3fd

  • SHA256

    9fcf01850aba30ee520be8691bd97d9ae58b36ba689fcaace2cc218bb15f54ed

  • SHA512

    0494f068a268671b2c71ea7d3321e1c7715b2781fcea79d9dbbdac0b2c0817c049806c270642e99a7ba666392a22e391d48281957e5f1551fe68dc175392e65e

Score
10/10
metasploitbackdoorexecutiontrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0a79157ced6caf940a852fa5163f2e09.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i0gkdfyb.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90DB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC90DA.tmp"
        3⤵
          PID:2852

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES90DB.tmp
      Filesize

      1KB

      MD5

      1bc8ffda51adcc598c43492647dc1507

      SHA1

      eb0f145d29ffab8969b576783409c57d5667aaeb

      SHA256

      fd62b0bfb515d8002b3e3bb1ec8a0dbba53b9d2f3e56ee172b9915d47067e742

      SHA512

      3741307ebf5d82280e1b70acb4a8dc3ce6f18329f1dde034ab087539e34664ef399299e018ed4124fff343e5a37d63738c69cbcfdc927a0975d6449b40b873f2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\i0gkdfyb.dll
      Filesize

      3KB

      MD5

      9f72a882cf5fe7097a482fbf2c761a75

      SHA1

      bbdcdbe2f9e86dbceb186797e9ba685fe9607016

      SHA256

      1e27d6f6b028dd0b1a71960b769ded4395f8fed0dda2cae3bcfc681edd150152

      SHA512

      be996b198e0145adc58fffafd88beeec6f30198e582e99c7d2798fb7a60115c2896b92f2ff9c7706eebc99dfe3c4f8dfd410978679d83c3ced72f671eb311702

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\i0gkdfyb.pdb
      Filesize

      7KB

      MD5

      769b9ea154d7f7d42a4c16d801e179f1

      SHA1

      5483cb42ff77a428f825ed7e774ad21c11f3f47c

      SHA256

      355184f96709eab6ef11132a1194f85c986eeb5735120b29247fa38ca7cbe9a9

      SHA512

      6efa10747ab14ade19e7c1d989c0f4a031fc69a3a15648daede8765b822880b2fe5ef5cfcc96a5f9ee45e2ca476bee2e197eb3e3bed65e64365371128cd1ca0d

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\CSC90DA.tmp
      Filesize

      652B

      MD5

      9bcbed3f2807dbd9cc293114bdbfbc80

      SHA1

      9390f160c7456b800a3c6c64140b7f56b479babd

      SHA256

      8401f1ebfd39f26fa43c861a31108c7b19988547c5106dfe7e808c8870effc4b

      SHA512

      ae0d59c164afd0e69bd7dee47228527d72b1457aac70f0a4a2c97722313a171b6c5afa524ca11363692d32c85becec4ff918cabca09978e59742ac5083bb0fa8

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\i0gkdfyb.0.cs
      Filesize

      557B

      MD5

      7319070c34daa5f6f2ece2dfc07119ee

      SHA1

      f26a4a48518a5608e93c8b77368f588b0433973c

      SHA256

      b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

      SHA512

      34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\i0gkdfyb.cmdline
      Filesize

      309B

      MD5

      2822815d688dbea05ea0b861e69db1dc

      SHA1

      0fff870964fdfcb97906d8d19bc0e90b41443a86

      SHA256

      538bc1adc54b56b5e2a24441fe82f3964cafeb6b2bb894a8adb61e5091716efe

      SHA512

      20e55c208a8da8d8f443fcc7086af2a29bd7ce112427fb1da4bd7d825d7e60d5b3290a71d5dcbe23cd74a31864420993a75c69fc6def4a4dde6b83f840b3dc7d

      Download Submit
    • memory/1704-9-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/1704-31-0x0000000002980000-0x0000000002981000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1704-10-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/1704-4-0x000007FEF5A8E000-0x000007FEF5A8F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1704-11-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/1704-5-0x000000001B350000-0x000000001B632000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/1704-8-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/1704-7-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/1704-27-0x00000000027E0000-0x00000000027E8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1704-6-0x0000000001E60000-0x0000000001E68000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1704-33-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/1704-30-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/1704-32-0x0000000002980000-0x0000000002981000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2692-17-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2692-25-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp
      Filesize

      9.6MB

      Download