metasploit | ba42734309c09becd02d7316b10d300b569295af525143c7226e41d134b804f2

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba42734309c09becd02d7316b10d300b569295af525143c7226e41d134b804f2.ps1
Size

1KB
MD5

6cedc4e1091b48b0b968acce2fe33fdc
SHA1

e0262eb44e82188ec7ff61670603445f1e79b59c
SHA256

ba42734309c09becd02d7316b10d300b569295af525143c7226e41d134b804f2
SHA512

118c1406e3941340862474d2fe2f2d4c3c08baf6e2b691f343b45cfaaa3bd1b242f20be0db20f125c0188f16e4b59e90456e1a01be843d780aa285bc5e128c9e

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

89.168.48.110:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Blocklisted process makes network request 10 IoCs

flow	pid	Process
2	1572	powershell.exe
2	1572	powershell.exe
2	1572	powershell.exe
2	1572	powershell.exe
2	1572	powershell.exe
2	1572	powershell.exe
2	1572	powershell.exe
2	1572	powershell.exe
2	1572	powershell.exe
2	1572	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1572	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1572	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 1664	1572	powershell.exe	29
PID 1572 wrote to memory of 1664	1572	powershell.exe	29
PID 1572 wrote to memory of 1664	1572	powershell.exe	29
PID 1664 wrote to memory of 2164	1664	csc.exe	31
PID 1664 wrote to memory of 2164	1664	csc.exe	31
PID 1664 wrote to memory of 2164	1664	csc.exe	31
PID 1572 wrote to memory of 2868	1572	powershell.exe	32
PID 1572 wrote to memory of 2868	1572	powershell.exe	32
PID 1572 wrote to memory of 2868	1572	powershell.exe	32
PID 2868 wrote to memory of 2168	2868	csc.exe	34
PID 2868 wrote to memory of 2168	2868	csc.exe	34
PID 2868 wrote to memory of 2168	2868	csc.exe	34

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ba42734309c09becd02d7316b10d300b569295af525143c7226e41d134b804f2.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jyhzs5ij.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBF7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCBF6.tmp"
    3⤵
    PID:2164
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2dzrjpa-.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEC5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCEC4.tmp"
    3⤵
    PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2dzrjpa-.dll

Filesize
3KB

MD5
93d6d1bfbac6a999cfe33c6cb21bfb01

SHA1
d6082ccc8b9289e1ef69da139a084041b016dde4

SHA256
a7cc369a375610b84a18f15a51fdacb8e15449a46de0f6cccd89b2d52a062332

SHA512
8b516bd0d92aa7bc1b4fd4a30eecbfb8be178d1ff7c5f99439c750cddd8e83293f36d35d0a354685b21f82d43a4f4e3f52a2cdc495ba4d0594d2abc393f3505e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dzrjpa-.pdb

Filesize
7KB

MD5
fab66db7183fdcdc73f2102b9f81235f

SHA1
9ec64e4cf3b62c87f9c59d18950b3d972e47b67b

SHA256
6f27403e68f8ebcd72154bfe6c52deaca2bb2b21c59c755ba304a0c200de3549

SHA512
4a415a9412646ab2dbdf75d81332a972b08aad2cc29f7392fa639c053c239a384421f43aad02914a746eadd34515ffeadb305fdd914b5c6db6f0ff3fdb345314

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBF7.tmp

Filesize
1KB

MD5
3d555f5927856ba6c878a2e86681c356

SHA1
0ccb27ab1042f312390fb5056e3789e234db0346

SHA256
2f8f225497757d49c7dff105a0bd53319edebd1e74264aaa48830cfdc42181a3

SHA512
177ee1ec82417b15242837a3309b6ffeb88ad4c95acad10df95cca546dda6901ef316e6a7124ae1f261f1d4acd31baa09c2ce27502f01efa8c308359c6752dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCEC5.tmp

Filesize
1KB

MD5
e38da6fc18bcb232380321301f316352

SHA1
b0a1d928612a4fb2a2a2c17a70cb02cc5fff44b1

SHA256
fef5446b7d70f081757eb15ed8a388983e57342a1c01fe7b493eea66bc2838af

SHA512
f6197ca883d139abed57e13ad7782e2cbf297b78befa110f37a228426a6843936493e4ffe24f4ea6edefa08113161d242363f5481150cc9aa327fcf4d17ae99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyhzs5ij.dll

Filesize
3KB

MD5
a36754e8dbd0481c0e12c438a1d70e89

SHA1
2462e5379cfbe0c8e76423113ec35996580ec9bb

SHA256
a8bf271f62cf2e4504170316b50d5f4fd8f38aeec2389e326ce06a34459dcc8e

SHA512
58830ac38a6fdfb4ab69fc79e3551d83b357f5aec9aae2ec798617a10dc2f346283fa1b7a7d7a2cc84d27e667fc8610b990ee477a8ef1ceca341eb86e838d9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyhzs5ij.pdb

Filesize
7KB

MD5
b8ca4526e56a5957014b04884b14dca4

SHA1
c4a141270c5a4135017893a4776d5e01631edf01

SHA256
38527780913c3a1f5a3680136256952411e1d678f89c48bfc4939dd1769ca950

SHA512
f76a74750c73f4d0cd8fb7f5abc6a59171842a21fde04ad61ce6d46bf9018330ec3221dc7b6b9a1c1bbd90505a668b88812c3e2033baa92fad6636a346eac60f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2dzrjpa-.0.cs

Filesize
150B

MD5
21b26009ffb5a7eea15d8317681c193c

SHA1
16ecf382e8cf2ad5e2279ea34fd44ea134edca6f

SHA256
ae177de80f359cd5d4cb1ce59170c2eff01d6bb8912c49523c93976225285c1f

SHA512
74e95b0049020333a0cfba4b703fef8af11064d84c6247c21aaccfe2a84e47c5af10300d09b9847ffd9ae50c66925bebffd90aedb1034b402cc138e5185aacac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2dzrjpa-.cmdline

Filesize
309B

MD5
c6ff02622ad955c689c3cd5d2beaf4a9

SHA1
7d3547a10de6c413ebbd598bb44d162c7d98988c

SHA256
705b614abf78d8526e4436962aaa67de0c314449d839138bdbca17108ed3a57b

SHA512
31429ede3b930d94861b747fe176413a70c8577cc3fb3307c9b1db18320ef74c60d25bf0838f9877767e2da6550245fe0c89053aa2714c360333e301a0627b5a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCBF6.tmp

Filesize
652B

MD5
baadbc20bee1924d21d9e16bc65921df

SHA1
3aabf17e89df7685346e7e91da664bb5c50872c0

SHA256
48ca8ec98cff421f3d7be9bc280ac7eece86134a22a7824c6c96aa4db29f342f

SHA512
963624ba54531316a6ba3cbfbafc29d732ee6f347e4947198e9d25c63d616a8bb52183240ac34279fb270f005b9fc16f3e4e867a99ffef6500b85501b55c871b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCEC4.tmp

Filesize
652B

MD5
4cf6e805400b955bd7377f57deffdee7

SHA1
564dfe62eca735e5991303bd433a114673c7f320

SHA256
6fa56b90213718c359edeb628439907f1efdfd727f0d73755da3c242efa65007

SHA512
fc302f9bcae3b7709d53693cf29cd703ca2062c3f90246c48043947c75d97b3a59085f1ed4352d8e0945442f20d8457fcad5ea1560c6051b65aedb5812f5c74f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jyhzs5ij.0.cs

Filesize
232B

MD5
2a25f8c0fce2643d0bf6dd99b1c7125d

SHA1
879eaf1edf6107d0fcc646fcdaa45124b1c828d0

SHA256
418ba293d4540a019145ad4632a7def4c35a1945a0367d0766e3c751bf53b47e

SHA512
ccfbe628331130c3dad922c3fcd16010651752e31b94e47a253101a1e1f7d24be3572fad64e7e77997d84efd6b9122663d2b8219fdd621ecf104a479ec57bdf8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jyhzs5ij.cmdline

Filesize
309B

MD5
06437f1a5f1f56e017419d826a311941

SHA1
a78b6a4d33d37eafad3c5585e1bb88978f46efb8

SHA256
78766b98302da9051a3b049811782f3885a100d6c9ce60236bfbc1470fef8064

SHA512
0414ad39973302c7d2e8a94b9aca31e5d721d05fe313399d0c0a88fa93ba42bfb1c62fc75a30185cae7175580c7908ed444eb1009225775c0fee7c144ed679f7

Download Submit
memory/1572-9-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/1572-25-0x0000000002CF0000-0x0000000002CF8000-memory.dmp

Filesize
32KB

Download
memory/1572-4-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

Filesize
4KB

Download
memory/1572-28-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1572-7-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/1572-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1572-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1572-8-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/1572-42-0x0000000002D80000-0x0000000002D88000-memory.dmp

Filesize
32KB

Download
memory/1572-45-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/1572-46-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

Filesize
4KB

Download
memory/1664-23-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/1664-18-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download