metasploit | 9be818a44173a953b708d282de254df6f02f43a4acf1812fc012f7bff20a5503

General

Target

msf500k.ps1
Size

501KB
MD5

bbf15ca69b0688ec777475f84edda743
SHA1

ce5bd93e1ccb39def7b8e29cd2beb9d3964f171b
SHA256

9be818a44173a953b708d282de254df6f02f43a4acf1812fc012f7bff20a5503
SHA512

6d004da4f7a3897ade855fa734fc1ae52be66b2667c0af91bdf886cb42afc2b5037ceef943e262977d23ff43b7be4372268c4bfc037cb01b94cf69c4bca4d837
SSDEEP

48:q+MThimb7RBARAbLPorNfAse3+soGoNeVBXTSbS4:BGTXA0PohfXBGoCJ+z

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

10.254.66.59:8888

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3060	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3060	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2504	3060	powershell.exe	31
PID 3060 wrote to memory of 2504	3060	powershell.exe	31
PID 3060 wrote to memory of 2504	3060	powershell.exe	31
PID 2504 wrote to memory of 1928	2504	csc.exe	32
PID 2504 wrote to memory of 1928	2504	csc.exe	32
PID 2504 wrote to memory of 1928	2504	csc.exe	32
PID 3060 wrote to memory of 2572	3060	powershell.exe	33
PID 3060 wrote to memory of 2572	3060	powershell.exe	33
PID 3060 wrote to memory of 2572	3060	powershell.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\msf500k.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b1ijcmpi.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC015.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC014.tmp"
    3⤵
    PID:1928
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 936
  2⤵
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC015.tmp

Filesize
1KB

MD5
ac6746c9ee05c0ca6fd1550b12cad7f4

SHA1
16c82a9479700986c85d5002ef68e37f0afd9a9f

SHA256
27eabb3a95d69488fde98df20f4cb9ffa1663ebeaf3f0df4b97d1660400a497b

SHA512
7b769f16e58cef64ac5297a0adb5445b1ac8565774c9b28d5e8bf0ce3ce1235757430863d2da2e76aa1fac628446bf010e97ac4894a875d53a8e98745c1ee1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1ijcmpi.dll

Filesize
3KB

MD5
c3060fc961d653777e2b534149940103

SHA1
ee476931591d044aede505436d63ad5fe79e563f

SHA256
f3f73b74719d99c778aa886115e3fa475c919068be37b038ed6fc03f43d3ae8b

SHA512
3639c99765109d1dbfe0cf40db4269b4a5e8882fa19abb9236e0115b2bc0ed9479b8fdba134aa62db353f76a6a1b8a94d264146be061be3cc1a9f4efe844c4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1ijcmpi.pdb

Filesize
7KB

MD5
944ba909114204bca338c569172c5a37

SHA1
60a4e9933fcd5615898983081f738fd166007bba

SHA256
c9c098ce31f60b6b39abc1dbdd3c7ddfdc5ed677b1071074558b74c000e6e03f

SHA512
f613359cbd19485d81f95577899841eabb6fcfd0c41b5f673c789a9e5378fdb2dd9cfe4256c79175e8a9b891f93de7b473bc0ae5173cdc5e94c685f7b38150dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC014.tmp

Filesize
652B

MD5
c6535289cab5a8b58b708538bbb98e53

SHA1
e186d0bd4d833dc23e6ae8c1556d396b6a32478e

SHA256
1353152415f4a08149abac73472c589a6d38bef9f9135e324ef2e22bad4a400b

SHA512
b562ddc5efd413db8edfce4f6c5171025484477649835dd54a063786689693c79846889e39e2b69419adfb455cbfd8db00ffe43d2feb90d9c150ee0cba3e5814

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b1ijcmpi.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b1ijcmpi.cmdline

Filesize
309B

MD5
020812026b092b9d183de22131345ee7

SHA1
c0a05c2f155ec190074c78c6e0f2e6018d05d934

SHA256
6bfc85a6dbe5628857f130712d85cb575ab594b62125c6b6a4862fc3df4f000f

SHA512
df99930f9ee8b8ee70f224e76e2951d8ace26b1334957d80788784ee867cca560dbffbc22ba843b57a2272509f6425c4794125cf34f738a8252f150a9e8f8c84

Download Submit
memory/2504-24-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2504-16-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-10-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-9-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-8-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-7-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-4-0x000007FEF608E000-0x000007FEF608F000-memory.dmp

Filesize
4KB

Download
memory/3060-6-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/3060-26-0x0000000002160000-0x0000000002168000-memory.dmp

Filesize
32KB

Download
memory/3060-5-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/3060-29-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/3060-31-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing