Analysis
- max time kernel: 153s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-07-2022 23:56
Static task: static1
Behavioral task: behavioral1
- Sample: 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
- Resource: win10v2004-20220414-en
General
- Target: 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
- Size: 37KB
- MD5: fec69b033c89a800966467bb52a7d6ab
- SHA1: 8823b35777fd7470fd7e789c4005151e9622610a
- SHA256: 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc
- SHA512: 707bb6a06f5e469db3893c164a9077eb1c0748ef7186c6bbdf35e5a664a465a7d5b87eea698fdc94fd3d4483e8d2cb96b1a637dfdbd3e5b0e923fb999e07319b
Malware Config
Extracted: metasploit
- encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- suricata: ET MALWARE DNS Reply Sinkhole - Microsoft - 199.2.137.0/24
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\csdrive32.exe" | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
- Executes dropped EXE (1 IoC)
  Processes: csdrive32.exe
  pid | process
  2320 | csdrive32.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\csdrive32.exe" | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
- Drops file in Windows directory (3 IoCs)
  Processes: 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe, csdrive32.exe
  description | ioc | process
  File created | C:\Windows\csdrive32.exe | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
  File opened for modification | C:\Windows\csdrive32.exe | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
  File created | C:\Windows\%windir%\lfffile32.log | csdrive32.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
  pid | process
  2480 | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe (16 identical entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
  description | pid | process | target process
  PID 2480 wrote to memory of 2320 | 2480 | 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe | csdrive32.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe"
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\csdrive32.exe (child process)
    Command line: "C:\Windows\csdrive32.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\csdrive32.exe
  Filesize: 37KB
  MD5: fec69b033c89a800966467bb52a7d6ab
  SHA1: 8823b35777fd7470fd7e789c4005151e9622610a
  SHA256: 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc
  SHA512: 707bb6a06f5e469db3893c164a9077eb1c0748ef7186c6bbdf35e5a664a465a7d5b87eea698fdc94fd3d4483e8d2cb96b1a637dfdbd3e5b0e923fb999e07319b
- C:\Windows\csdrive32.exe
  Filesize: 37KB
  MD5: fec69b033c89a800966467bb52a7d6ab
  SHA1: 8823b35777fd7470fd7e789c4005151e9622610a
  SHA256: 431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc
  SHA512: 707bb6a06f5e469db3893c164a9077eb1c0748ef7186c6bbdf35e5a664a465a7d5b87eea698fdc94fd3d4483e8d2cb96b1a637dfdbd3e5b0e923fb999e07319b
- memory/2320-132-0x0000000000000000-mapping.dmp
- memory/2320-135-0x00000000006A0000-0x00000000006A8000-memory.dmp
  Filesize: 32KB
- memory/2320-136-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/2320-138-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/2480-130-0x00000000006F0000-0x00000000006F8000-memory.dmp
  Filesize: 32KB
- memory/2480-131-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/2480-137-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB