Analysis
- max time kernel: 151s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-06-2022 04:55
Static task: static1
Behavioral task: behavioral1
- Sample: 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe
- Resource: win10v2004-20220414-en
General
- Target: 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe
- Size: 84KB
- MD5: d29a4f42b14963a79065bd7055799eb4
- SHA1: 8d95394fba3164440e1627f02a0963167e154521
- SHA256: 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071
- SHA512: 6cfc6a7db13c2224804c5ca32abdf541726859e36b873adfb22adff9506920bd42916ed52340dc9dd26d0cae4d9d2cf721eb9b7121d97e1ec38b226b4923d003
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Config Setup = "C:\\Windows\\jodrive32.exe" (process: 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe)
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe)
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 3924: jodrive32.exe
    PID 4508: jodrive32.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (process: 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Config Setup = "C:\\Windows\\jodrive32.exe" (process: 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    PID 1084 set thread context of 1508: 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe -> 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe
    PID 3924 set thread context of 4508: jodrive32.exe -> jodrive32.exe
- Drops file in Windows directory (3 IoCs)
  Processes:
    File created: C:\Windows\jodrive32.exe (process: 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe)
    File opened for modification: C:\Windows\jodrive32.exe (process: 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe)
    File created: C:\Windows\%windir%\eilfiie32.log (process: jodrive32.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    PID 1508: 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe (4 identical rows)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    PID 1084 wrote to memory of 1508: 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe -> 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe (7 rows)
    PID 1508 wrote to memory of 3924: 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe -> jodrive32.exe (3 rows)
    PID 3924 wrote to memory of 4508: jodrive32.exe -> jodrive32.exe (7 rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071.exe
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\jodrive32.exe (depth 3)
      Command line: "C:\Windows\jodrive32.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Windows\jodrive32.exe (depth 4)
        Command line: C:\Windows\jodrive32.exe
        - Executes dropped EXE
        - Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\jodrive32.exe
  Filesize: 84KB
  MD5: d29a4f42b14963a79065bd7055799eb4
  SHA1: 8d95394fba3164440e1627f02a0963167e154521
  SHA256: 13cdb8e810332bcaa0067d3c234e34e11979208ccebb1f8cffb9d9faefd33071
  SHA512: 6cfc6a7db13c2224804c5ca32abdf541726859e36b873adfb22adff9506920bd42916ed52340dc9dd26d0cae4d9d2cf721eb9b7121d97e1ec38b226b4923d003
- memory/1508-146-0x0000000000000000-mapping.dmp
- memory/1508-147-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
- memory/1508-149-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
- memory/1508-150-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
- memory/1508-176-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
- memory/3924-151-0x0000000000000000-mapping.dmp
- memory/4508-170-0x0000000000000000-mapping.dmp
- memory/4508-175-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
- memory/4508-177-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)