metasploit | 530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476

General

Target

530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
Size

84KB
MD5

8fd13283ab7be9feda213f1046c894a1
SHA1

cde8940b8592584606259377a416cba1fe14dbbe
SHA256

530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476
SHA512

8a0bcc97ee61dc737ca667848618203b95be9a2666980275948c813db365c1c379f50b95218b4175be835f256bc6b032eac4b06ca9ec235ddefe31ccb2af8c87

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\aadrive32.exe"	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe

Executes dropped EXE 2 IoCs

Processes:

aadrive32.exeaadrive32.exe

pid process

900 aadrive32.exe
920 aadrive32.exe

pid	process
900	aadrive32.exe
920	aadrive32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\aadrive32.exe"	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exeaadrive32.exe

description	pid	process	target process
PID 1812 set thread context of 868	1812	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 900 set thread context of 920	900	aadrive32.exe	aadrive32.exe

Drops file in Windows directory 3 IoCs

Processes:

530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exeaadrive32.exe

description	ioc	process
File opened for modification	C:\Windows\aadrive32.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
File created	C:\Windows\%windir%\lfffile32.log	aadrive32.exe
File created	C:\Windows\aadrive32.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe

pid	process
868	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
868	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exeaadrive32.exe

description	pid	process	target process
PID 1812 wrote to memory of 868	1812	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 1812 wrote to memory of 868	1812	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 1812 wrote to memory of 868	1812	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 1812 wrote to memory of 868	1812	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 1812 wrote to memory of 868	1812	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 1812 wrote to memory of 868	1812	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 1812 wrote to memory of 868	1812	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 1812 wrote to memory of 868	1812	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 868 wrote to memory of 900	868	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	aadrive32.exe
PID 868 wrote to memory of 900	868	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	aadrive32.exe
PID 868 wrote to memory of 900	868	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	aadrive32.exe
PID 868 wrote to memory of 900	868	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	aadrive32.exe
PID 900 wrote to memory of 920	900	aadrive32.exe	aadrive32.exe
PID 900 wrote to memory of 920	900	aadrive32.exe	aadrive32.exe
PID 900 wrote to memory of 920	900	aadrive32.exe	aadrive32.exe
PID 900 wrote to memory of 920	900	aadrive32.exe	aadrive32.exe
PID 900 wrote to memory of 920	900	aadrive32.exe	aadrive32.exe
PID 900 wrote to memory of 920	900	aadrive32.exe	aadrive32.exe
PID 900 wrote to memory of 920	900	aadrive32.exe	aadrive32.exe
PID 900 wrote to memory of 920	900	aadrive32.exe	aadrive32.exe

C:\Users\Admin\AppData\Local\Temp\530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
"C:\Users\Admin\AppData\Local\Temp\530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
C:\Users\Admin\AppData\Local\Temp\530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\aadrive32.exe
"C:\Windows\aadrive32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\aadrive32.exe
C:\Windows\aadrive32.exe
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\aadrive32.exe

Filesize
84KB

MD5
8fd13283ab7be9feda213f1046c894a1

SHA1
cde8940b8592584606259377a416cba1fe14dbbe

SHA256
530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476

SHA512
8a0bcc97ee61dc737ca667848618203b95be9a2666980275948c813db365c1c379f50b95218b4175be835f256bc6b032eac4b06ca9ec235ddefe31ccb2af8c87

Download Submit
C:\Windows\aadrive32.exe

Filesize
84KB

MD5
8fd13283ab7be9feda213f1046c894a1

SHA1
cde8940b8592584606259377a416cba1fe14dbbe

SHA256
530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476

SHA512
8a0bcc97ee61dc737ca667848618203b95be9a2666980275948c813db365c1c379f50b95218b4175be835f256bc6b032eac4b06ca9ec235ddefe31ccb2af8c87

Download Submit
C:\Windows\aadrive32.exe

Filesize
84KB

MD5
8fd13283ab7be9feda213f1046c894a1

SHA1
cde8940b8592584606259377a416cba1fe14dbbe

SHA256
530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476

SHA512
8a0bcc97ee61dc737ca667848618203b95be9a2666980275948c813db365c1c379f50b95218b4175be835f256bc6b032eac4b06ca9ec235ddefe31ccb2af8c87

Download Submit
memory/868-71-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/868-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/868-74-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/868-76-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/868-77-0x0000000000407650-mapping.dmp

Download
memory/868-79-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/868-80-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download
memory/868-70-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/868-83-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/900-81-0x0000000000000000-mapping.dmp

Download
memory/920-108-0x0000000000407650-mapping.dmp

Download
memory/920-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/920-114-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads