Analysis

  • max time kernel
    104s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20250314-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    28/03/2025, 07:44

General

  • Target

    msf100k.ps1

  • Size

    251KB

  • MD5

    815bc9a2bda28cce0c598780c6a8b760

  • SHA1

    b69dfbc0bde78569fbb6f80375d37747d75735d9

  • SHA256

    b8d143e811b80961bc4245ce58cc04c81950246b11ff294917d269a239b7b160

  • SHA512

    5d7c308ab8bb6414c485edca1841ca0eb00fea78f569a7c621fefab9aa2b8ff5cbc2088fbd1a368804c550a7f427356486d29fda316b6c34b5980bff150dd485

  • SSDEEP

    48:q+MThimb7RBARAbLPorNfAse3+soGoNeVBXTSbS4:BGTXA0PohfXBGoCJ+z

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

10.254.66.59:8888

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\msf100k.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fbaj4g3g\fbaj4g3g.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:880
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5321.tmp" "c:\Users\Admin\AppData\Local\Temp\fbaj4g3g\CSC6C0E89703E14490F9215DA87C7DAC033.TMP"
        3⤵
        PID:5640

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES5321.tmp

      Filesize

      1KB

      MD5

      f653b4997f2ee2c96228d927bbd8aabd

      SHA1

      48556437df35714f6c60be8657facf7208d985ca

      SHA256

      2d3470651caf7bb02a5575347d2737441eec77e710c73fc5a5ac8a3fb98a19a5

      SHA512

      5fc0ce57b7d7db302211ce0f60934fca78f093f6f0026cd3741929eb73f26cd880f20b80263856059cdc76ccf6070a1889c9eb585e16741546ff87ab94adb0c4

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vkca34gf.2fj.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\fbaj4g3g\fbaj4g3g.dll

      Filesize

      3KB

      MD5

      c3fb33d0c87b0b7ff22bf75566804662

      SHA1

      c6dfad4168f9c92d52a7c7c3fe6dcae624d5b19b

      SHA256

      98dc4d8bed2f9fc526642a8d3d1ae55e956d4cd0e18fcbe380e0f5d73ab05835

      SHA512

      2756c9e7b32daf6fbf23aaa5068a8d74ba4972ed621d9a0a021e05047fb08c90bf2a637114097cedcfa5fa8e14391c7a7d8e81dbe30d438c723487cf8b049ce7

    • \??\c:\Users\Admin\AppData\Local\Temp\fbaj4g3g\CSC6C0E89703E14490F9215DA87C7DAC033.TMP

      Filesize

      652B

      MD5

      06a77f5727bfafb537d7b167c29bbeec

      SHA1

      1b99d7f72708b6e66142a0030c639418d80bf9b9

      SHA256

      a14f4b2f5dbd5e1e21d7e9b86b13724317ed45a2000bf8ed22f8678504bd36d9

      SHA512

      1538a4b6b02dbdeee5516e070ec86998a6d858fdc30de55e3a1f114cd573d7b0c45655bca4560adcec2a769c333d5e4573d2ba5303b090d292fedaac6effb54d

    • \??\c:\Users\Admin\AppData\Local\Temp\fbaj4g3g\fbaj4g3g.0.cs

      Filesize

      468B

      MD5

      52cc39367c8ed123b15e831e52cbd25f

      SHA1

      497593af41731aedd939d2234d8d117c57a6d726

      SHA256

      5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

      SHA512

      ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

    • \??\c:\Users\Admin\AppData\Local\Temp\fbaj4g3g\fbaj4g3g.cmdline

      Filesize

      369B

      MD5

      d3338c288b1538862afefcf10bbcc128

      SHA1

      43df60eb4e09851df3730179095e127813e1f372

      SHA256

      6b27eb71ab122a05886272b5507a06773d430f7077f7319d0ccef019b0d74f55

      SHA512

      cc9f9a83eadfaaa8b24e0dd48d89e87d0a3ccf36ff6063f2e9f1497c700c5e339ac3a208d8c1ed284689d2aabef102bb39868fa5ae4e4d7657c8e3a587abdfb2

    • memory/2524-11-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

      Filesize

      10.8MB

    • memory/2524-12-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

      Filesize

      10.8MB

    • memory/2524-0-0x00007FF982133000-0x00007FF982135000-memory.dmp

      Filesize

      8KB

    • memory/2524-25-0x00000184DC7F0000-0x00000184DC7F8000-memory.dmp

      Filesize

      32KB

    • memory/2524-10-0x00000184C4260000-0x00000184C4282000-memory.dmp

      Filesize

      136KB

    • memory/2524-27-0x00000184DC800000-0x00000184DC801000-memory.dmp

      Filesize

      4KB

    • memory/2524-31-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

      Filesize

      10.8MB