metasploit | 858415220041b72086f6c8282779b65ac05c7936e4d252400c684fa70d020e41

General

Target

1.ps1
Size

2KB
MD5

0872c54372986ab2d2c6afbbd8a59a9c
SHA1

ed968d3c88b76479c0f3b5b4da9f83d9649cb256
SHA256

858415220041b72086f6c8282779b65ac05c7936e4d252400c684fa70d020e41
SHA512

9632d3879ccac093e215bcaa6c204ea83d2086c816b1c8fe859770441451f350401479e1a31cf6603a4c71a64f7bedcba1213c0a1d8745387a73b46dd2209d77

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

10.254.66.59:8888

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2412	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2412	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1528	2412	powershell.exe	31
PID 2412 wrote to memory of 1528	2412	powershell.exe	31
PID 2412 wrote to memory of 1528	2412	powershell.exe	31
PID 1528 wrote to memory of 2336	1528	csc.exe	32
PID 1528 wrote to memory of 2336	1528	csc.exe	32
PID 1528 wrote to memory of 2336	1528	csc.exe	32
PID 2412 wrote to memory of 2752	2412	powershell.exe	33
PID 2412 wrote to memory of 2752	2412	powershell.exe	33
PID 2412 wrote to memory of 2752	2412	powershell.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fpcrzn7j.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA803.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA802.tmp"
    3⤵
    PID:2336
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 1172
  2⤵
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA803.tmp

Filesize
1KB

MD5
c2dd9a0a1294f7234053db9f85d4d619

SHA1
6b924d306dd63a65eef388ac0e79faa1022d51cc

SHA256
eaf0180d5fed7665f178331d7ab65501515efafe53623d747c38b3a12e0c9ef4

SHA512
6b1a4b0e79d7bf07693a1900fe94d9fb112de77ed61f488bd939f7c2953657f15a0299e3b97a0fa7912d906c1dcf11d18b4ab9584c7c523b3cc3371383581a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpcrzn7j.dll

Filesize
3KB

MD5
a613b7c558d34a812881b1b68ba3772b

SHA1
a08000cdfa18a40e7fd83e48e381e098c3821d9b

SHA256
e700d6ee1e49dec9e4aa092923cd4fee8ffb8bc944bdb99d514676ebf75e2026

SHA512
ab927a22cc5b76951805290c5502d3b33b29c40dafee68bef1ef44eb03f71e5d0b76c65acc04a6e7fccb875dfca75e6ddef9d947797ef8f912ad9309183e774b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpcrzn7j.pdb

Filesize
7KB

MD5
eb454a70fee04186b350c5f827a7c22c

SHA1
b3a17db8f48f97e919d00055d000c2a235bf3724

SHA256
cbd1c61461e877a66bbc20f57293184241358042845e94fc7819b874129f8ce3

SHA512
8b3383c36438042bac2efa988179dc597abc70576159e8d0a808a61bcb5f771213f30e891a00ed7edc16a2f7ce4d7e6da6a4d2d5acd4728e138a207a43ac9f7a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA802.tmp

Filesize
652B

MD5
3a8bd9a832fcb1e0e1360e28006e4c80

SHA1
48271b447a1c49fbbe524d02159bbf05d25acef5

SHA256
182efe4b947f16d57f9748211e6299b79c07a0aa8699ebbfd030eacbce01d1c0

SHA512
b87fa60ef5fc97b4e553bf378ba5a0279d2447eb8e211a828f52be75f6f1f737cf572b5a5dd17e42efbfc0149160123fe2837d582b42f635fb7c3848e2f38f2d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fpcrzn7j.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fpcrzn7j.cmdline

Filesize
309B

MD5
8c76f46f837c13b8b7ad42316c31c9c0

SHA1
031fc8f38d51eebf873d008df7be947a98647d68

SHA256
816855736675038aa01ce4e85d016a189a1b7467163a233e7cd8dc7c10eda4df

SHA512
07dcf7e9ac38fa07320dda750fc4b646e6dedda7f33377ebc2c149c408be6a2ac7db82ee24a08f1e0fd482f8dfce9d85da6860fd845c3bd9a2b165f2856d9f7f

Download Submit
memory/2412-10-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2412-25-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/2412-4-0x000007FEF558E000-0x000007FEF558F000-memory.dmp

Filesize
4KB

Download
memory/2412-22-0x0000000002AF0000-0x0000000002AF8000-memory.dmp

Filesize
32KB

Download
memory/2412-13-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2412-6-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2412-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2412-28-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2412-26-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing