Malware Analysis Report

2024-09-23 03:45

Sample ID 240531-j67ebsda38
Target 7db40a37f34545a195973c341554cfb02ae0f105898e20eafb4dfb55f8a65a77.ps1
SHA256 7db40a37f34545a195973c341554cfb02ae0f105898e20eafb4dfb55f8a65a77
Tags
metasploit backdoor execution trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7db40a37f34545a195973c341554cfb02ae0f105898e20eafb4dfb55f8a65a77

Threat Level: Known bad

The file 7db40a37f34545a195973c341554cfb02ae0f105898e20eafb4dfb55f8a65a77.ps1 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor execution trojan

Metasploit family

MetaSploit

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-31 08:17

Signatures

Metasploit family

metasploit

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 08:17

Reported

2024-05-31 08:20

Platform

win7-20240508-en

Max time kernel

149s

Max time network

138s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\7db40a37f34545a195973c341554cfb02ae0f105898e20eafb4dfb55f8a65a77.ps1

Signatures

MetaSploit

trojan backdoor metasploit

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\7db40a37f34545a195973c341554cfb02ae0f105898e20eafb4dfb55f8a65a77.ps1

Network

Country Destination Domain Proto
CN 1.14.247.162:40001 tcp

Files

memory/2960-4-0x000007FEF614E000-0x000007FEF614F000-memory.dmp

memory/2960-5-0x000000001B780000-0x000000001BA62000-memory.dmp

memory/2960-7-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

memory/2960-8-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

memory/2960-6-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

memory/2960-9-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

memory/2960-10-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

memory/2960-11-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/2960-12-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 08:17

Reported

2024-05-31 08:20

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\7db40a37f34545a195973c341554cfb02ae0f105898e20eafb4dfb55f8a65a77.ps1

Signatures

MetaSploit

trojan backdoor metasploit

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\7db40a37f34545a195973c341554cfb02ae0f105898e20eafb4dfb55f8a65a77.ps1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3572 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
CN 1.14.247.162:40001 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

memory/4620-0-0x00007FFD84573000-0x00007FFD84575000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eb01sdvi.41i.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4620-10-0x000002BCFDC20000-0x000002BCFDC42000-memory.dmp

memory/4620-11-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

memory/4620-12-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

memory/4620-13-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

memory/4620-14-0x000002BCE34D0000-0x000002BCE34D1000-memory.dmp

memory/4620-15-0x00007FFD84573000-0x00007FFD84575000-memory.dmp

memory/4620-16-0x00007FFD84570000-0x00007FFD85031000-memory.dmp