metasploit | b8d143e811b80961bc4245ce58cc04c81950246b11ff294917d269a239b7b160

General

Target

msf100k.ps1
Size

251KB
MD5

815bc9a2bda28cce0c598780c6a8b760
SHA1

b69dfbc0bde78569fbb6f80375d37747d75735d9
SHA256

b8d143e811b80961bc4245ce58cc04c81950246b11ff294917d269a239b7b160
SHA512

5d7c308ab8bb6414c485edca1841ca0eb00fea78f569a7c621fefab9aa2b8ff5cbc2088fbd1a368804c550a7f427356486d29fda316b6c34b5980bff150dd485
SSDEEP

48:q+MThimb7RBARAbLPorNfAse3+soGoNeVBXTSbS4:BGTXA0PohfXBGoCJ+z

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

10.254.66.59:8888

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1780	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1780	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1716	1780	powershell.exe	31
PID 1780 wrote to memory of 1716	1780	powershell.exe	31
PID 1780 wrote to memory of 1716	1780	powershell.exe	31
PID 1716 wrote to memory of 2388	1716	csc.exe	32
PID 1716 wrote to memory of 2388	1716	csc.exe	32
PID 1716 wrote to memory of 2388	1716	csc.exe	32
PID 1780 wrote to memory of 2760	1780	powershell.exe	33
PID 1780 wrote to memory of 2760	1780	powershell.exe	33
PID 1780 wrote to memory of 2760	1780	powershell.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\msf100k.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oexhajis.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E43.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9E42.tmp"
    3⤵
    PID:2388
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 1036
  2⤵
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9E43.tmp

Filesize
1KB

MD5
846dd7c801be3e3fcf3112795377a1cb

SHA1
7d2c0a2cb661981786d11b5aa43bcf31810f60f0

SHA256
7a7e9cd2928167e64fbf409646637a30a9d839e933713353c1095202bc0f6be5

SHA512
e27e2755e19f7604346a7741d0a96c87a3b87aec6a247c436ae2aeb5307dd10e6378166000a5742c9c382db014cbe123ac177b4c7f34da5b537a509982aa5b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\oexhajis.dll

Filesize
3KB

MD5
2134be7f9e1c4c137b371f47ae952921

SHA1
0850491784b81abb1c286b8d709aa942917cd46c

SHA256
f4e3995df285bcd9a5b759ce5ef05e032615c7494e2dfc8d25943c17bd06a86c

SHA512
2d9e497986429b3b9de01049fa94ed8c8c5dc41d3d718c7d7b164340c32c1f888ab7945229a4486aaa014985482d6499e096da8d6ac016bde54db6953a1b3a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\oexhajis.pdb

Filesize
7KB

MD5
1e8f4c6c5f5ffad757e4e9ab85a5ab3d

SHA1
ea2eed24e1ac94f4c73000d86051664076b4c8a5

SHA256
d4ff23199a927591200b41b37385e16c69ac1d38556a3740488966925d8f473d

SHA512
cd39b5afcbc0916815bf9571dd1ff6a50abf4f1d894426af85d33de72d89bfeb0faf9d1d75cf218e4e4ea2b08b007f17eccdfcebeff77fec5251050dc30281fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9E42.tmp

Filesize
652B

MD5
f066518f5a40057bad38927de0640dc5

SHA1
b0daf557dc47e291b5b2a6fbcab377f78110dd55

SHA256
fd0afced9df477eca33a116f08ad082519c4f8d346b8b7b85fee9919232f3969

SHA512
5d99a427d0cc6e512ecda0e6d4caeb470e31dc681eb4296f6597dc0b83a52d81f29bf4264c6caaa72e7e52ccc4db3a3a263c4a2b41ee22603cb3627a0dd33b27

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oexhajis.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oexhajis.cmdline

Filesize
309B

MD5
7a9b8d258a376a6b5c0db94886fdce1a

SHA1
7ef098a251b68923853987ffd2b4a62e6cc4e13a

SHA256
f09a24e96b83f890b11da321574a2ee1a03db43f21542de3e78999f1ed0381c4

SHA512
f57f64fc2122013b158bcd3c04a77c7383e993c27fbc61fd58001d910f5d5422d1eaf9ab8d24ba65c0ec73f4ce817f3a8493e68488f866b15cfb9174590aa382

Download Submit
memory/1716-24-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1716-32-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1780-7-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1780-9-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1780-8-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1780-4-0x000007FEF5C7E000-0x000007FEF5C7F000-memory.dmp

Filesize
4KB

Download
memory/1780-10-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1780-26-0x0000000002B80000-0x0000000002B88000-memory.dmp

Filesize
32KB

Download
memory/1780-29-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/1780-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1780-31-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1780-5-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1780-11-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing