Overview

overview

10

Static

static

10

HradewMM.posh.ps1

windows11-21h2-x64

10

Resubmissions

13/07/2024, 05:39

240713-gchg1azfpf 10

13/07/2024, 05:35

240713-f98vsaxgjq 10

01/03/2024, 08:56

240301-kv1m3seg2v 10

Analysis

  • max time kernel
    169s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    13/07/2024, 05:35

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    HradewMM.posh.ps1

  • Size

    3KB

  • MD5

    475971ebaaa5e66900e78a2b14ccdb84

  • SHA1

    2fd5abc165b3cfac4da62573aeed0761fbaf45b9

  • SHA256

    97103a38ca96751430190a2c14bda371fa1753b6ac8c904c3783b151fbafadab

  • SHA512

    c7ccc56e43be8f3eb920fff5697b9d29c5a0c03f1a93a45b05724e4cf96f37a8faa273379fe635b4544250f8d99730996094ab9c073312294fd465ae8cbe0371

Score
10/10
metasploitbackdoorexecutiontrojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

18.176.183.3:19517

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\HradewMM.posh.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tu3izppy\tu3izppy.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7D4.tmp" "c:\Users\Admin\AppData\Local\Temp\tu3izppy\CSC38EC2F84353D491CBC2EF0DDC8B372C0.TMP"
        3⤵
          PID:1636
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2996
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\AppData\Local\Temp\HradewMM.posh.ps1"
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4912
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0rqpglvv\0rqpglvv.cmdline"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26C8.tmp" "c:\Users\Admin\AppData\Local\Temp\0rqpglvv\CSC54885764398A45D58FE08DD913CB2ABC.TMP"
            3⤵
              PID:4704
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /0
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4756

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\0rqpglvv\0rqpglvv.dll
                Filesize

                3KB

                MD5

                cf05ff58b027cc1238fb26ac8e14b564

                SHA1

                26390b3315a9ac929a8d8a7eb5145758dfb09463

                SHA256

                3ea40985df50412309a804221f3c67b2b0258f398693bda5c0619fb75f2ae0bb

                SHA512

                0d337574a161a428ae0c81d72d887a3433c354e8cc573c6d69a957ca679fec261aada74b00fc70e848851b239b54c63036000132d4c0298dc7955bd39e22ac7c

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\RES26C8.tmp
                Filesize

                1KB

                MD5

                734d664fc554e9f08115eeeca722bed9

                SHA1

                cdcb1b3b9b798975afa8ad536abb104cf8f6d7c0

                SHA256

                2b09b762af0401c4445d2eb0df77c98f4b2e5a5bedbf81bc0920df7ecd043986

                SHA512

                694e99cf6926072b14154b9219619acdbeccb8d2b22ee1950b898007c2b3f52bee36eae7b7b5c85a58cf7fe76eafc48096a42368c5101f09848c1598fb1e15e8

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\RESC7D4.tmp
                Filesize

                1KB

                MD5

                d311f71bdd84cc104beff7eeab278e7a

                SHA1

                61199d295408afe4d7a2e400a44243d87dd069c3

                SHA256

                cf6d56b8043a5f7493ced8ffd782de483c64d8a97177beffc1d33bda36841e98

                SHA512

                1bb6abead19bdf8e32375559ad952a1d60c54474f03746a01792bbf0aa9dfbe280a9b9e8f3be6cf8ecdb4d656197b711858738201677056c3273033d700533dd

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fw44n2lu.2hk.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\tu3izppy\tu3izppy.dll
                Filesize

                3KB

                MD5

                45ee23174f2f587eb2aa3e29b4956eff

                SHA1

                eaefe42f7f84365a14ab6a70064938e93100ae67

                SHA256

                869ee3af30167f9c472e8586651e6ad23cec2693eb5d09fca113cf7a01653929

                SHA512

                feab17eb32083c81f2cd0bcdd3b727cc76cad8c326027ac086cdea077ba5a1fec52dcf2272f63694f227a40a25d89b2f91a8ba5a469b1c2e9c26df3d662113bf

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\0rqpglvv\0rqpglvv.cmdline
                Filesize

                369B

                MD5

                990e82e632d7667cab606c3bfbfe9f14

                SHA1

                fb6ec198b4eb07495342c9e0c38466761b401ee1

                SHA256

                b843bd229f7c68876ad24427c800b21c182eb89a92b3f8ee062b708cc64d87de

                SHA512

                0e5c955fbe5a4e08063c02300d26accbe40033edae641168b90b0292511f0af9089424db68f1d6356bd488d22911585c1a510430a28d7143ec2b7d1b669903f6

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\0rqpglvv\CSC54885764398A45D58FE08DD913CB2ABC.TMP
                Filesize

                652B

                MD5

                f7b4540f51bc2c9e1dd78003d21d98c8

                SHA1

                f4886474250307b22d3c43562c1fb404a1f32a99

                SHA256

                ecfc4c984b7584e833e16fa2aa818ed8638c858f18e1cb1917e634604bca047e

                SHA512

                54159c8b8c8f812fce59799dd0fcd43690056bf7de8cd4454a30919dd1e01436285be9c038113ffed3a3cedf27771e333491a4fa65c1ced37ae8a62fa87aa0c8

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\tu3izppy\CSC38EC2F84353D491CBC2EF0DDC8B372C0.TMP
                Filesize

                652B

                MD5

                2bd3225af00accc0212c2d7335251ed9

                SHA1

                65187e825e25432ff52c623f0d09f6f8c588b365

                SHA256

                5b67b70bd5fca3863d656e16d105d79db99dfef0fd357e674479afe261c81548

                SHA512

                41d693e76c8f6c39c8d1378e52edfdb74cbb041d0f1a54c59ebafea91694e60734e5638fa8651db9dbd63dfb06501d4058e8c55f072e956a76a158d6e5d8455a

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\tu3izppy\tu3izppy.0.cs
                Filesize

                465B

                MD5

                029a251db8736d1c039890283ddafd0d

                SHA1

                b2d1944ef240baa681565c6327011b30e0f980fd

                SHA256

                d1b97cac79d2b968a2d80df52ab40e480540f81040a825c5aba1192c72db2b0c

                SHA512

                71347e5eb5e4ed3dab872072d84f8eeb575c27632ffb53826f905fd19db9ec082e49d55d7901b98e2ac6ae3de61189d6352bae790e5f1bd9e6db28bc22f31b8f

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\tu3izppy\tu3izppy.cmdline
                Filesize

                369B

                MD5

                7c279c05c6069ca83ad9ef73263b6d29

                SHA1

                66e7671dbff9a07bb56964e9b83ac81a4c2d4fa3

                SHA256

                531e48d35553a32d3011343c3d7fe823b9f3b1611ef72f2bd2fce5a4377dd6c6

                SHA512

                9cdfe73a4d2e2f4464f0cf269fede7e85e15a8b28105a8e6b0ef5e77a7e6bca317d9c284a212c5dbb4958bdc250f9b945e99aa3596134b7977282783d0e2c079

                Download Submit

              • memory/1876-12-0x00007FF953B40000-0x00007FF954602000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1876-0-0x00007FF953B43000-0x00007FF953B45000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1876-25-0x000001DED0A10000-0x000001DED0A18000-memory.dmp

                Filesize

                32KB

                Download

              • memory/1876-27-0x000001DED0A20000-0x000001DED0A21000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1876-31-0x00007FF953B40000-0x00007FF954602000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1876-1-0x000001DED09C0000-0x000001DED09E2000-memory.dmp

                Filesize

                136KB

                Download

              • memory/1876-10-0x00007FF953B40000-0x00007FF954602000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1876-11-0x00007FF953B40000-0x00007FF954602000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4756-83-0x0000020D84A60000-0x0000020D84A61000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4756-85-0x0000020D84A60000-0x0000020D84A61000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4756-86-0x0000020D84A60000-0x0000020D84A61000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4756-80-0x0000020D84A60000-0x0000020D84A61000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4756-74-0x0000020D84A60000-0x0000020D84A61000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4756-75-0x0000020D84A60000-0x0000020D84A61000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4756-76-0x0000020D84A60000-0x0000020D84A61000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4756-84-0x0000020D84A60000-0x0000020D84A61000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4756-82-0x0000020D84A60000-0x0000020D84A61000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4756-81-0x0000020D84A60000-0x0000020D84A61000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4912-33-0x0000016B5D130000-0x0000016B5D17A000-memory.dmp

                Filesize

                296KB

                Download

              • memory/4912-67-0x0000016B5DD70000-0x0000016B5DD78000-memory.dmp

                Filesize

                32KB

                Download

              • memory/4912-53-0x0000016B5DEF0000-0x0000016B5DF66000-memory.dmp

                Filesize

                472KB

                Download

              • memory/4912-51-0x0000016B5DC00000-0x0000016B5DC08000-memory.dmp

                Filesize

                32KB

                Download

              • memory/4912-52-0x0000016B5DC60000-0x0000016B5DC86000-memory.dmp

                Filesize

                152KB

                Download

              • memory/4912-50-0x0000016B5D3F0000-0x0000016B5D3F8000-memory.dmp

                Filesize

                32KB

                Download

              • memory/4912-49-0x0000016B5D3E0000-0x0000016B5D3E8000-memory.dmp

                Filesize

                32KB

                Download

              • memory/4912-40-0x0000016B5BC50000-0x0000016B5BC58000-memory.dmp

                Filesize

                32KB

                Download

              • memory/4912-35-0x0000016B5D180000-0x0000016B5D1B8000-memory.dmp

                Filesize

                224KB

                Download

              • memory/4912-34-0x0000016B432F0000-0x0000016B432FE000-memory.dmp

                Filesize

                56KB

                Download

              • memory/4912-32-0x0000016B415C0000-0x0000016B415F8000-memory.dmp

                Filesize

                224KB

                Download