metasploit | d62e44a99414b5864671d04a08f86a5eb811bed0ffb6977e5a4872782f6fb685

General

Target

msf1M.ps1
Size

1.0MB
MD5

76739f936182b41ff253260f4cc89bf1
SHA1

7b1c4e436b0f9c2baee13dc578ab3f2d5c23865a
SHA256

d62e44a99414b5864671d04a08f86a5eb811bed0ffb6977e5a4872782f6fb685
SHA512

4c1049125fadc400833b26319f8ba767ded9bcfb781f9264341953135ba3d1933bb9a636a2a9e0c35e408353dfc45aed9be320c72c0107d352c8bae4fdf7212b
SSDEEP

48:q+MThimb7RBARAbLPorNfAse3+soGoNeVBXTSbS4:BGTXA0PohfXBGoCJ+z

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

10.254.66.59:8888

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2396	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2396	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2900	2396	powershell.exe	32
PID 2396 wrote to memory of 2900	2396	powershell.exe	32
PID 2396 wrote to memory of 2900	2396	powershell.exe	32
PID 2900 wrote to memory of 2604	2900	csc.exe	33
PID 2900 wrote to memory of 2604	2900	csc.exe	33
PID 2900 wrote to memory of 2604	2900	csc.exe	33
PID 2396 wrote to memory of 2624	2396	powershell.exe	34
PID 2396 wrote to memory of 2624	2396	powershell.exe	34
PID 2396 wrote to memory of 2624	2396	powershell.exe	34

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\msf1M.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6ai50dg4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE83E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE83D.tmp"
    3⤵
    PID:2604
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 872
  2⤵
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6ai50dg4.dll

Filesize
3KB

MD5
09c0b189c4d77d3535e2556b38998284

SHA1
8499a0d6e7f6d7c4c41247708096ad198bbc98a9

SHA256
bcac9aa7d9a8d5d2de1037a3bea5733aa6f4d2280c7b0325c1cbb6a9a31b0207

SHA512
5fafb9b8be0ea90688352515ff542bd3c48da37e46ba7f1f8900fc9b331dfa28c6076bf0e9e94944fe93ac6957f34397285bf3181386b72fbb425e27da287840

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ai50dg4.pdb

Filesize
7KB

MD5
c3547da90c5e7ff9de8ec5af46366fb2

SHA1
3eddfd3e237eae3a56c0aa69428694f62a5fac42

SHA256
958d50ec108ce577e884d1ad35b77c55d1e08234583fca9bbc28a73fdab32603

SHA512
0514cc1678178cf81119cdcfd91ca7c4db7a3f965e5e1bf8fda865110f96bad8c11417a9e9ec1f414569bda57b89e311f75f8bc52e94c5abccf02390814b7b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE83E.tmp

Filesize
1KB

MD5
6f08ed99a34f58a3599f04ddcf1f87b3

SHA1
174712a7a05fb1579739c35ad1704e00d146a30c

SHA256
c42a19c224141dd3542bbd1bc4d91ef154e0d7a06f087f0fd1a636026d3880b2

SHA512
33b7569479c1d18cd8d297a9baf0ec88553f2f82bb677d086ba2622ae6e55eaeb9adc2c135b0fae1da4b6db3a0276409120cec59fcbf97704e030fdbccafc80e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6ai50dg4.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6ai50dg4.cmdline

Filesize
309B

MD5
0c86a84f61452196fe6f15cc38f6dd10

SHA1
61dfd0bc68b8629829b195e54c6dfac62a4bdf22

SHA256
57eddece254f34356de5678b7ed83c6d92acc95e7bd853eba4b2e5e2d4275c40

SHA512
7015d17cf1b79cea32adaca22da4172ff5da35f0f0da65fad45b9681f74f605b1ecb33350f394856dd0c25fec5bd52388965c8b47df06efc1cb751a2f2d07485

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE83D.tmp

Filesize
652B

MD5
e35fd8e0357b2f671024e7080eb952ce

SHA1
4ef4adbae091ae9410b0d5d34ccb5c0169acd2cb

SHA256
786fd3bbcc187f7c98c80703576ded0d57b93b1abda57516f3ee77f169a138ed

SHA512
02946620d79872a57ca021ace93f0f5a3d5a3762fe4d2c03d21a2a3aef868f908285a6ffee112d27ad04ae738a786fdfa88f91ca2618a9b9a729086b7bad4fa3

Download Submit
memory/2396-12-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2396-4-0x000007FEF54CE000-0x000007FEF54CF000-memory.dmp

Filesize
4KB

Download
memory/2396-26-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2396-25-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/2396-9-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2396-22-0x0000000002CE0000-0x0000000002CE8000-memory.dmp

Filesize
32KB

Download
memory/2396-6-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2396-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2396-28-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing