metasploit | 9be818a44173a953b708d282de254df6f02f43a4acf1812fc012f7bff20a5503

General

Target

msf500k.ps1
Size

501KB
MD5

bbf15ca69b0688ec777475f84edda743
SHA1

ce5bd93e1ccb39def7b8e29cd2beb9d3964f171b
SHA256

9be818a44173a953b708d282de254df6f02f43a4acf1812fc012f7bff20a5503
SHA512

6d004da4f7a3897ade855fa734fc1ae52be66b2667c0af91bdf886cb42afc2b5037ceef943e262977d23ff43b7be4372268c4bfc037cb01b94cf69c4bca4d837
SSDEEP

48:q+MThimb7RBARAbLPorNfAse3+soGoNeVBXTSbS4:BGTXA0PohfXBGoCJ+z

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

10.254.66.59:8888

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2664	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2664	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2864	2664	powershell.exe	31
PID 2664 wrote to memory of 2864	2664	powershell.exe	31
PID 2664 wrote to memory of 2864	2664	powershell.exe	31
PID 2864 wrote to memory of 2552	2864	csc.exe	32
PID 2864 wrote to memory of 2552	2864	csc.exe	32
PID 2864 wrote to memory of 2552	2864	csc.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\msf500k.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qmkt8jwk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E5F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4E5E.tmp"
    3⤵
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4E5F.tmp

Filesize
1KB

MD5
71268bd7ce3c4c5836fa0f57478b5c99

SHA1
cc27d95326b5fce7a76a83cd1c7bfb0ab38e10a2

SHA256
c09a6d280f457f75086bed230ad566d98a86dfc3687d1dc9c70395368ee5b7c7

SHA512
65e14d8cb4a530e6a4e570baed913af2ff975c98ff07d5ebcb11b67e2ceff4b61f0cbe2c540212ef7e24cea823cb5c8db84903a7e9f4e563999a88e2f87a8990

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmkt8jwk.dll

Filesize
3KB

MD5
5df0a7000c6995291644103ca11a1cc0

SHA1
32883874767fed2188efa8927ee10c6176cb6452

SHA256
34ac39a9bfe42311afafb8f40a2131f601fa8bddba1122714fcc590cc91635f9

SHA512
0cfa9601c977d8e5844a12b6ed48d92519c616330b3305b96b882e0c4ebb64a9d226425dbd506b109d40a09af83abd69eacd2e059be16850a73c61aae1e0008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmkt8jwk.pdb

Filesize
7KB

MD5
072d84604db8637e29485f7cc2fd3709

SHA1
2d31d2eb17e623ed1aa5d6c2860114673f429ab2

SHA256
4d0253c4515fb9010cb45f4ef6ff3f6fd275efaf6d6e656759df807474a72026

SHA512
b31f216af67ef1b415c6845427ac18cbe0f36d1e016e5b1217b34f0efba1064c6a8d4660c96465bb9abc39332cf9800985854a7adabb72f6b4ecc3445281590c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4E5E.tmp

Filesize
652B

MD5
0df36aa348ef997d81431a3212a2deb3

SHA1
61388e8d5db6dc2bacce76cf01c4335448e6fd2b

SHA256
e035b24677ecb28ec1c606ed650df7b2e567a688b7d4b389bb89877b6ecf5920

SHA512
f3b4787dd6854c7f21e8f8580faff997bcc46c0af4ca45f2be88bf044de5f6780d0f557906469dfe5b8c6a656a53e34e63ffe97c02ec999d847f28cb13acafd1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qmkt8jwk.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qmkt8jwk.cmdline

Filesize
309B

MD5
8c2728746a5ea1e845638e403d98730a

SHA1
b3156e8e4ae872e65e91fb3c6a74b1ee3a79ba26

SHA256
44d3d6b192372e2b8ad0c704c8e89ab58c81c7235775bd21e106cc2a25674fa5

SHA512
0065043fc37df2d530d20ae9afb08e7c64896daeeb344b8288aa0e48703ecd98de6ad401153f1b7e8104ce2b70c73f065dbf6f981da0038e03e574a923ceafe3

Download Submit
memory/2664-14-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-7-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-9-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-10-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-4-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp

Filesize
4KB

Download
memory/2664-28-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/2664-8-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-25-0x0000000002D70000-0x0000000002D78000-memory.dmp

Filesize
32KB

Download
memory/2664-6-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/2664-5-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2664-31-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-29-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-32-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing