Analysis
max time kernel: 148s
max time network: 155s
platform: windows7_x64
resource: win7-20220414-en
submitted: 07-07-2022 23:56

Static task: static1
Behavioral task: behavioral1
  Sample: 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
  Resource: win10v2004-20220414-en
General
Target: 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
Size: 37KB
MD5: fec69b033c89a800966467bb52a7d6ab
SHA1: 8823b35777fd7470fd7e789c4005151e9622610a
SHA256: 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc
SHA512: 707bb6a06f5e469db3893c164a9077eb1c0748ef7186c6bbdf35e5a664a465a7d5b87eea698fdc94fd3d4483e8d2cb96b1a637dfdbd3e5b0e923fb999e07319b
Malware Config
Extracted: metasploit
  encoder/call4_dword_xor
Signatures
MetaSploit
  Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or similar.
suricata: ET MALWARE DNS Reply Sinkhole - Microsoft - 199.2.137.0/24
  (A DNS reply observed during the run carried an address in a Microsoft-operated sinkhole range. The rule does not identify which hostname was queried, and the report lists no further network detail.)
Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc | process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\csdrive32.exe" | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
Executes dropped EXE (1 IoC)
  pid  | process
  1716 | csdrive32.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc | process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\csdrive32.exe" | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
Drops file in Windows directory (3 IoCs)
  description                  | ioc | process
  File opened for modification | C:\Windows\csdrive32.exe | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
  File created                 | C:\Windows\%windir%\lfffile32.log | csdrive32.exe
  File created                 | C:\Windows\csdrive32.exe | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | process
  1732 | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
  1732 | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                      | pid  | process | target process
  PID 1732 wrote to memory of 1716 | 1732 | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe | csdrive32.exe
  (the same entry is recorded four times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe  (PID 1732)
   Command line: "C:\Users\Admin\AppData\Local\Temp\431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe"
   - Adds policy Run key to start application
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\csdrive32.exe  (PID 1716, child of 1732)
      Command line: "C:\Windows\csdrive32.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
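The persistence and file artefacts listed above translate directly into a host hunt. The PowerShell below is an added example, not part of the sandbox report and not code from the sample: the registry keys, the value name "Microsoft Driver Setup", the paths C:\Windows\csdrive32.exe and C:\Windows\%windir%\lfffile32.log and the SHA-256 are taken from the report, while the function names and the choice to check both the native and the Wow6432Node registry views are this script's own assumptions.

```powershell
# Added hunt script: not part of the sandbox report and not code from the sample.
# Registry keys, the value name, the dropped-file paths and the SHA-256 come from
# the report; function names and the native/Wow6432Node pairing are this script's own.

$IocSha256    = '431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc'
$IocValueName = 'Microsoft Driver Setup'
$IocExe       = 'C:\Windows\csdrive32.exe'
# The report shows the log inside a literal "%windir%" folder under C:\Windows, i.e. the
# variable was never expanded. -LiteralPath below keeps PowerShell from touching it either.
$IocLog       = 'C:\Windows\%windir%\lfffile32.log'

# The sandbox saw the Policies\Explorer\Run key in the native view and the ordinary Run key
# under Wow6432Node (the 32-bit sample ran redirected on 64-bit Windows). On a live host the
# value can sit in either view, so all four locations are checked.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyHits {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... for the provider; they are not registry values.
            if ($prop.Name -like 'PS*') { continue }
            $value = [string]$prop.Value
            # Match on the value name or on the target: a renamed value still points at the drop path.
            if ($prop.Name -eq $IocValueName -or $value -like '*\csdrive32.exe*') {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Value = $value }
            }
        }
    }
}

function Get-FileHits {
    foreach ($path in @($IocExe, $IocLog)) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $hit = [pscustomobject]@{ Path = $path; Sha256 = ''; KnownSample = $false }
        if ($path -eq $IocExe) {
            $hit.Sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
            # Same hash means the exact sample from the report. A different file at this path is
            # still reported, since the path is not one Windows uses itself.
            $hit.KnownSample = ($hit.Sha256 -eq $IocSha256)
        }
        $hit
    }
}

function Get-RunningCopies {
    # Path is $null for processes the caller cannot open, so run elevated for full coverage.
    Get-Process | Where-Object { $_.Name -eq 'csdrive32' -or $_.Path -eq $IocExe } |
        Select-Object Id, Name, Path
}

$runHits  = @(Get-RunKeyHits)
$fileHits = @(Get-FileHits)
$procHits = @(Get-RunningCopies)

if (($runHits.Count + $fileHits.Count + $procHits.Count) -eq 0) {
    Write-Output 'No csdrive32 artefacts found on this host.'
} else {
    $runHits  | Format-Table -AutoSize
    $fileHits | Format-Table -AutoSize
    $procHits | Format-Table -AutoSize
}
```

Run it from an elevated 64-bit PowerShell: a 32-bit PowerShell would itself be redirected to Wow6432Node and would miss the native view, and process image paths of other users' processes are only readable when elevated. A hit on the value name with a different target path, or on the drop path under a different value name, is still reported so that renamed variants are not missed.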
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Windows\csdrive32.exe
  Filesize: 37KB
  MD5: fec69b033c89a800966467bb52a7d6ab
  SHA1: 8823b35777fd7470fd7e789c4005151e9622610a
  SHA256: 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc
  SHA512: 707bb6a06f5e469db3893c164a9077eb1c0748ef7186c6bbdf35e5a664a465a7d5b87eea698fdc94fd3d4483e8d2cb96b1a637dfdbd3e5b0e923fb999e07319b
  (Identical to the submitted sample's hashes: the dropped file is a byte-for-byte copy of the original executable.)
memory/1716-57-0x0000000000000000-mapping.dmp
memory/1716-61-0x00000000002B0000-0x00000000002B8000-memory.dmp  Filesize: 32KB
memory/1716-62-0x0000000000400000-0x000000000045D000-memory.dmp  Filesize: 372KB
memory/1716-63-0x0000000000400000-0x000000000045D000-memory.dmp  Filesize: 372KB
memory/1732-54-0x00000000754A1000-0x00000000754A3000-memory.dmp  Filesize: 8KB
memory/1732-55-0x00000000002B0000-0x00000000002B8000-memory.dmp  Filesize: 32KB
memory/1732-56-0x0000000000400000-0x000000000045D000-memory.dmp  Filesize: 372KB
memory/1732-60-0x0000000000400000-0x000000000045D000-memory.dmp  Filesize: 372KB