metasploit | 9be818a44173a953b708d282de254df6f02f43a4acf1812fc012f7bff20a5503

General

Target

msf500k.ps1
Size

501KB
MD5

bbf15ca69b0688ec777475f84edda743
SHA1

ce5bd93e1ccb39def7b8e29cd2beb9d3964f171b
SHA256

9be818a44173a953b708d282de254df6f02f43a4acf1812fc012f7bff20a5503
SHA512

6d004da4f7a3897ade855fa734fc1ae52be66b2667c0af91bdf886cb42afc2b5037ceef943e262977d23ff43b7be4372268c4bfc037cb01b94cf69c4bca4d837
SSDEEP

48:q+MThimb7RBARAbLPorNfAse3+soGoNeVBXTSbS4:BGTXA0PohfXBGoCJ+z

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

10.254.66.59:8888

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1620	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1620	powershell.exe
1620	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2428	1620	powershell.exe	89
PID 1620 wrote to memory of 2428	1620	powershell.exe	89
PID 2428 wrote to memory of 4932	2428	csc.exe	91
PID 2428 wrote to memory of 4932	2428	csc.exe	91

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\msf500k.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rhmrsuhy\rhmrsuhy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82BD.tmp" "c:\Users\Admin\AppData\Local\Temp\rhmrsuhy\CSC95355714943D4AB0B2DAD9D8AB2FE19D.TMP"
    3⤵
    PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES82BD.tmp

Filesize
1KB

MD5
f05e2321ae42ec70b74b1da9d1519660

SHA1
6438270ee2e3c85e9d1f887d95a84791fd03e8a1

SHA256
0e079c809ac5da4ecd7eaf573f4f018e7a468eb5e8f1a0063390fd2e2fb00891

SHA512
735aa56d18426c3450043bfe82d7fa0cb6ed2ba085ff51b0e3ed05df46c20c1daf77e85dde713a82d123193b5826319217633a52ecfccc154f1a8a635be816be

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z1rpewwu.p0o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhmrsuhy\rhmrsuhy.dll

Filesize
3KB

MD5
bdbcda6bcbc88ac38c9c86d465848040

SHA1
9ffe574acc07d740b6a7aa60d05f48422a39317b

SHA256
a935031c611a0bce112d110c2af440a1f40acee655eddb4185fb76a08f9b0202

SHA512
044f94bcaa61e0196150717838ecc9127d57a2f1893c33121eebee096036230f06f01080ac1ca90e366b4d2240862d3ad77f28d9caf840010e8621670c4c3126

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rhmrsuhy\CSC95355714943D4AB0B2DAD9D8AB2FE19D.TMP

Filesize
652B

MD5
b5c4d9a0bfdf3f178d7e2361a4e81fcd

SHA1
6573035fff76106c0785d0d481337c8ae4865774

SHA256
a4fc188f046ec90ad269c4470fd0eff1ca038ff24f6916a195dd94602e4c1b3d

SHA512
8165fa0e4cc84fc39b0d13e3d3e4ecb7908d36980ac6163c4631bdf0a9ebab6319b7c665594e00c49562e1a0bc1be0f45519ef4c05b212ff1685aa87f821e4dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rhmrsuhy\rhmrsuhy.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rhmrsuhy\rhmrsuhy.cmdline

Filesize
369B

MD5
994d41968eaeb89c422504601c2d41d5

SHA1
5102d15fdee1698bc00c4747417432d9e9f3936b

SHA256
a0f8ab9b4b33a27e44febbbd33427021dc322a17250ada1b104c8f68295f7dcf

SHA512
83df0302ef2cb3090d4f174412c224811324e1fb5d410f13ff47200f37cebfcbe4d11122028c038db8567e17aedbbe630ccddad1e532ef92f5c0c00f048106cd

Download Submit
memory/1620-11-0x000001B47A260000-0x000001B47A282000-memory.dmp

Filesize
136KB

Download
memory/1620-12-0x00007FFB7EB40000-0x00007FFB7F601000-memory.dmp

Filesize
10.8MB

Download
memory/1620-0-0x00007FFB7EB43000-0x00007FFB7EB45000-memory.dmp

Filesize
8KB

Download
memory/1620-25-0x000001B479260000-0x000001B479268000-memory.dmp

Filesize
32KB

Download
memory/1620-10-0x00007FFB7EB40000-0x00007FFB7F601000-memory.dmp

Filesize
10.8MB

Download
memory/1620-27-0x000001B4797E0000-0x000001B4797E1000-memory.dmp

Filesize
4KB

Download
memory/1620-31-0x00007FFB7EB40000-0x00007FFB7F601000-memory.dmp

Filesize
10.8MB

Download
memory/1620-32-0x00007FFB7EB40000-0x00007FFB7F601000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing