metasploit | d62e44a99414b5864671d04a08f86a5eb811bed0ffb6977e5a4872782f6fb685

General

Target

msf1M.ps1
Size

1.0MB
MD5

76739f936182b41ff253260f4cc89bf1
SHA1

7b1c4e436b0f9c2baee13dc578ab3f2d5c23865a
SHA256

d62e44a99414b5864671d04a08f86a5eb811bed0ffb6977e5a4872782f6fb685
SHA512

4c1049125fadc400833b26319f8ba767ded9bcfb781f9264341953135ba3d1933bb9a636a2a9e0c35e408353dfc45aed9be320c72c0107d352c8bae4fdf7212b
SSDEEP

48:q+MThimb7RBARAbLPorNfAse3+soGoNeVBXTSbS4:BGTXA0PohfXBGoCJ+z

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

10.254.66.59:8888

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4120	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4120	powershell.exe
4120	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4120	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 4264	4120	powershell.exe	91
PID 4120 wrote to memory of 4264	4120	powershell.exe	91
PID 4264 wrote to memory of 4956	4264	csc.exe	92
PID 4264 wrote to memory of 4956	4264	csc.exe	92

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\msf1M.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4vtlyjas\4vtlyjas.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1BA.tmp" "c:\Users\Admin\AppData\Local\Temp\4vtlyjas\CSC6881A295E6A4835BB8A1AF546CFAF5D.TMP"
    3⤵
    PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4vtlyjas\4vtlyjas.dll

Filesize
3KB

MD5
2b2ff7df2c62e76be106b9ab7fc03110

SHA1
ece63c8cbb7c2a163e1f4dd19473fe2e7a3f9dba

SHA256
eb2fa8328d9ca7eb32536d0731a334e6277cc22978041f4a0e3b6fc9671d2ead

SHA512
543b6bb68979582c0765c46217b6b26f6597f4cf74cc2b3a887b6d53f611c1111b32a06f24b4bf1109513c3279132856d5194274b39aba423538b2ac63b816c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC1BA.tmp

Filesize
1KB

MD5
aca5bf46080dc68a5bd6f046b5e403b0

SHA1
338634880cccd68f1eed3998f1907753977093fe

SHA256
80637e34cb2f85f47c692dd7f06cde1ed7b0f63e593dcc3f50e01da0acdba429

SHA512
18159dc96bacdc0883c1ed6dfa90751314bb89eaa5f3087c1055ef649696552e20ed4598b9dd98584460a0a12664bb5ddffe4561a94b3e1bea599db21c176d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y2bkoj1k.vb4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4vtlyjas\4vtlyjas.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4vtlyjas\4vtlyjas.cmdline

Filesize
369B

MD5
549a9011e9603d72afc22fc3a8552d26

SHA1
504c58a5443f477b3bd42e5cf2bf9e1d4f2b1db3

SHA256
8ba30a0c091b50d4256415ba4caed8731b2c12c8b5f455b4610667e71918e607

SHA512
e656d6c08fd3163d1ba65a6005593cfc67719a98a5ccc45b5e5e4b87e570676e19d74ac1a8a042622f0de016b1b0b78c7b2cf84041e126d200784aec351828cd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4vtlyjas\CSC6881A295E6A4835BB8A1AF546CFAF5D.TMP

Filesize
652B

MD5
91076753e5adb5c32a4bfa348bda669d

SHA1
f151483ada8d9c3cc228aaedf7716a55ba78d397

SHA256
07c6eeb745effbdab4fb7f1cbfe6f13fa3dd03409b7c970f891733b74d8e259e

SHA512
09d77f21aeda7040e10ab047a71630efd79c39c5596a78f5943701a5104754946612256052d7de254f4dd4c3350f8596f3c54dbeb90eb41ddca540bcf142d0a6

Download Submit
memory/4120-11-0x00007FF846A10000-0x00007FF8474D1000-memory.dmp

Filesize
10.8MB

Download
memory/4120-12-0x00007FF846A10000-0x00007FF8474D1000-memory.dmp

Filesize
10.8MB

Download
memory/4120-0-0x00007FF846A13000-0x00007FF846A15000-memory.dmp

Filesize
8KB

Download
memory/4120-25-0x000001F1D85E0000-0x000001F1D85E8000-memory.dmp

Filesize
32KB

Download
memory/4120-10-0x000001F1D85F0000-0x000001F1D8612000-memory.dmp

Filesize
136KB

Download
memory/4120-27-0x000001F1D8820000-0x000001F1D8821000-memory.dmp

Filesize
4KB

Download
memory/4120-31-0x00007FF846A10000-0x00007FF8474D1000-memory.dmp

Filesize
10.8MB

Download
memory/4120-32-0x00007FF846A10000-0x00007FF8474D1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing