metasploit | 9be818a44173a953b708d282de254df6f02f43a4acf1812fc012f7bff20a5503

General

Target

msf500k.ps1
Size

501KB
MD5

bbf15ca69b0688ec777475f84edda743
SHA1

ce5bd93e1ccb39def7b8e29cd2beb9d3964f171b
SHA256

9be818a44173a953b708d282de254df6f02f43a4acf1812fc012f7bff20a5503
SHA512

6d004da4f7a3897ade855fa734fc1ae52be66b2667c0af91bdf886cb42afc2b5037ceef943e262977d23ff43b7be4372268c4bfc037cb01b94cf69c4bca4d837
SSDEEP

48:q+MThimb7RBARAbLPorNfAse3+soGoNeVBXTSbS4:BGTXA0PohfXBGoCJ+z

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

10.254.66.59:8888

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3636	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3636	powershell.exe
3636	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 4424	3636	powershell.exe	88
PID 3636 wrote to memory of 4424	3636	powershell.exe	88
PID 4424 wrote to memory of 1900	4424	csc.exe	91
PID 4424 wrote to memory of 1900	4424	csc.exe	91

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\msf500k.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrlmdna5\xrlmdna5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7530.tmp" "c:\Users\Admin\AppData\Local\Temp\xrlmdna5\CSC42AA19138E854DF99E7A2F8CF7755B71.TMP"
    3⤵
    PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7530.tmp

Filesize
1KB

MD5
323893cbd39fc9073fb3778342fb67be

SHA1
feab294dc5aa9ef22cbf33380d16e530e9688b81

SHA256
e7eeeb343b68c28746cfa6da60f7118c2741c8532a352920a347cc4998661f58

SHA512
5d7444c0aa35291a60b48cc9d75c05488bbea7e6128eef079aa823f442b36be269aed905f842a45dab11589c728768c224362e5d302e71eded9b2e1409694930

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sqkt2koi.qnc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrlmdna5\xrlmdna5.dll

Filesize
3KB

MD5
fb36d17e5aa9e9ca0d6ee05750f038f6

SHA1
289e4178aae7f2ebb1c6e00f0d060948f0c0ebac

SHA256
2979b3eccb21f2b9ec0512b4500523a58e0a966c09cf76af9cc6c05a5f1e9e39

SHA512
1656417da2a619ccec3f0568a352148bbde0f18908a56fb4a16113fb459ea51a64c4f1dbcee2e999567a88b1ee3f6752ba71707fa9dab0b40e5834f4bfabf874

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrlmdna5\CSC42AA19138E854DF99E7A2F8CF7755B71.TMP

Filesize
652B

MD5
0a8fd357c1500ffe1e8754cb44c06077

SHA1
260d423f1634a665cf59b27f2b51d44e17489e3e

SHA256
5afc76ae5a3410c69875ec0490996deb0e734ae7f8e6e78e3d201e63d74362d1

SHA512
75113f77326d4e5844cc7113fce0a7734467ca323ecbfb3519719c8297ebc411505d993d3914c496565d8ea5b2d1c85f1e48b9c4996ee86d6af4b6628dcf6d2a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrlmdna5\xrlmdna5.0.cs

Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrlmdna5\xrlmdna5.cmdline

Filesize
369B

MD5
ac6ff541f6f86d8442b26ddbfaf64a04

SHA1
0164edbe6d2ada268f44178d53ac8a7658d97421

SHA256
e146bddb56611e0939b484d4aa91e44f7fa45b143b29e29e1a2e8351467062a5

SHA512
1eb8327fe04b2cf7c3558512f153f807c74f5c4aac5cedf49a2d08f6b40a2c75b2c6e90800a49fe2ec5199daf8db7ef6e1b4dbdb486f69842f20e6fde88830a3

Download Submit
memory/3636-0-0x00007FFE3CD53000-0x00007FFE3CD55000-memory.dmp

Filesize
8KB

Download
memory/3636-12-0x00007FFE3CD50000-0x00007FFE3D811000-memory.dmp

Filesize
10.8MB

Download
memory/3636-11-0x00007FFE3CD50000-0x00007FFE3D811000-memory.dmp

Filesize
10.8MB

Download
memory/3636-10-0x00000278C5D10000-0x00000278C5D32000-memory.dmp

Filesize
136KB

Download
memory/3636-25-0x00000278C5CF0000-0x00000278C5CF8000-memory.dmp

Filesize
32KB

Download
memory/3636-27-0x00000278C5D00000-0x00000278C5D01000-memory.dmp

Filesize
4KB

Download
memory/3636-31-0x00007FFE3CD50000-0x00007FFE3D811000-memory.dmp

Filesize
10.8MB

Download
memory/3636-32-0x00007FFE3CD50000-0x00007FFE3D811000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing