Malware Analysis Report

2024-09-23 03:59

Sample ID 240531-l8es7sed3w
Target 3459b6d7c3a2185f77e9e5b6d295c01ec7ac7cc401cf52c1c99259f22d00f30f.ps1
SHA256 3459b6d7c3a2185f77e9e5b6d295c01ec7ac7cc401cf52c1c99259f22d00f30f
Tags
metasploit backdoor execution trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3459b6d7c3a2185f77e9e5b6d295c01ec7ac7cc401cf52c1c99259f22d00f30f

Threat Level: Known bad

The file 3459b6d7c3a2185f77e9e5b6d295c01ec7ac7cc401cf52c1c99259f22d00f30f.ps1 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor execution trojan

Metasploit family

MetaSploit

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-31 10:11

Signatures

Metasploit family

metasploit

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 10:11

Reported

2024-05-31 10:14

Platform

win7-20240508-en

Max time kernel

129s

Max time network

140s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3459b6d7c3a2185f77e9e5b6d295c01ec7ac7cc401cf52c1c99259f22d00f30f.ps1

Signatures

MetaSploit

trojan backdoor metasploit

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3459b6d7c3a2185f77e9e5b6d295c01ec7ac7cc401cf52c1c99259f22d00f30f.ps1

Network

Country Destination Domain Proto
CN 1.14.247.162:40001 tcp

Files

memory/1676-4-0x000007FEF61AE000-0x000007FEF61AF000-memory.dmp

memory/1676-5-0x000000001B580000-0x000000001B862000-memory.dmp

memory/1676-6-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

memory/1676-7-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

memory/1676-9-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

memory/1676-10-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

memory/1676-8-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

memory/1676-11-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

memory/1676-12-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1676-13-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

memory/1676-14-0x000007FEF61AE000-0x000007FEF61AF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 10:11

Reported

2024-05-31 10:14

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3459b6d7c3a2185f77e9e5b6d295c01ec7ac7cc401cf52c1c99259f22d00f30f.ps1

Signatures

MetaSploit

trojan backdoor metasploit

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3459b6d7c3a2185f77e9e5b6d295c01ec7ac7cc401cf52c1c99259f22d00f30f.ps1

Network

Country Destination Domain Proto
CN 1.14.247.162:40001 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/2888-0-0x00007FFF5E983000-0x00007FFF5E985000-memory.dmp

memory/2888-1-0x000001C874270000-0x000001C874292000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_blxih3zm.0wo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2888-11-0x00007FFF5E980000-0x00007FFF5F441000-memory.dmp

memory/2888-12-0x00007FFF5E980000-0x00007FFF5F441000-memory.dmp

memory/2888-13-0x00007FFF5E980000-0x00007FFF5F441000-memory.dmp

memory/2888-14-0x00007FFF5E980000-0x00007FFF5F441000-memory.dmp

memory/2888-15-0x000001C874260000-0x000001C874261000-memory.dmp

memory/2888-16-0x00007FFF5E980000-0x00007FFF5F441000-memory.dmp