metasploit | 530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476

General

Target

530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
Size

84KB
MD5

8fd13283ab7be9feda213f1046c894a1
SHA1

cde8940b8592584606259377a416cba1fe14dbbe
SHA256

530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476
SHA512

8a0bcc97ee61dc737ca667848618203b95be9a2666980275948c813db365c1c379f50b95218b4175be835f256bc6b032eac4b06ca9ec235ddefe31ccb2af8c87

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\aadrive32.exe"	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe

Executes dropped EXE 2 IoCs

Processes:

aadrive32.exeaadrive32.exe

pid process

3776 aadrive32.exe
2504 aadrive32.exe

pid	process
3776	aadrive32.exe
2504	aadrive32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\aadrive32.exe"	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exeaadrive32.exe

description	pid	process	target process
PID 2656 set thread context of 2788	2656	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 3776 set thread context of 2504	3776	aadrive32.exe	aadrive32.exe

Drops file in Windows directory 3 IoCs

Processes:

530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exeaadrive32.exe

description	ioc	process
File created	C:\Windows\aadrive32.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
File opened for modification	C:\Windows\aadrive32.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
File created	C:\Windows\%windir%\lfffile32.log	aadrive32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe

pid	process
2788	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
2788	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
2788	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
2788	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exeaadrive32.exe

description	pid	process	target process
PID 2656 wrote to memory of 2788	2656	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 2656 wrote to memory of 2788	2656	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 2656 wrote to memory of 2788	2656	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 2656 wrote to memory of 2788	2656	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 2656 wrote to memory of 2788	2656	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 2656 wrote to memory of 2788	2656	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 2656 wrote to memory of 2788	2656	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
PID 2788 wrote to memory of 3776	2788	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	aadrive32.exe
PID 2788 wrote to memory of 3776	2788	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	aadrive32.exe
PID 2788 wrote to memory of 3776	2788	530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe	aadrive32.exe
PID 3776 wrote to memory of 2504	3776	aadrive32.exe	aadrive32.exe
PID 3776 wrote to memory of 2504	3776	aadrive32.exe	aadrive32.exe
PID 3776 wrote to memory of 2504	3776	aadrive32.exe	aadrive32.exe
PID 3776 wrote to memory of 2504	3776	aadrive32.exe	aadrive32.exe
PID 3776 wrote to memory of 2504	3776	aadrive32.exe	aadrive32.exe
PID 3776 wrote to memory of 2504	3776	aadrive32.exe	aadrive32.exe
PID 3776 wrote to memory of 2504	3776	aadrive32.exe	aadrive32.exe

C:\Users\Admin\AppData\Local\Temp\530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
"C:\Users\Admin\AppData\Local\Temp\530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Local\Temp\530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
C:\Users\Admin\AppData\Local\Temp\530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476.exe
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\aadrive32.exe
"C:\Windows\aadrive32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\aadrive32.exe
C:\Windows\aadrive32.exe
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\aadrive32.exe

Filesize
84KB

MD5
8fd13283ab7be9feda213f1046c894a1

SHA1
cde8940b8592584606259377a416cba1fe14dbbe

SHA256
530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476

SHA512
8a0bcc97ee61dc737ca667848618203b95be9a2666980275948c813db365c1c379f50b95218b4175be835f256bc6b032eac4b06ca9ec235ddefe31ccb2af8c87

Download Submit
C:\Windows\aadrive32.exe

Filesize
84KB

MD5
8fd13283ab7be9feda213f1046c894a1

SHA1
cde8940b8592584606259377a416cba1fe14dbbe

SHA256
530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476

SHA512
8a0bcc97ee61dc737ca667848618203b95be9a2666980275948c813db365c1c379f50b95218b4175be835f256bc6b032eac4b06ca9ec235ddefe31ccb2af8c87

Download Submit
C:\Windows\aadrive32.exe

Filesize
84KB

MD5
8fd13283ab7be9feda213f1046c894a1

SHA1
cde8940b8592584606259377a416cba1fe14dbbe

SHA256
530fac43f1252ed34b399fed1b2a74ceb92b66ad78e932bd9bad1337c412d476

SHA512
8a0bcc97ee61dc737ca667848618203b95be9a2666980275948c813db365c1c379f50b95218b4175be835f256bc6b032eac4b06ca9ec235ddefe31ccb2af8c87

Download Submit
memory/2504-170-0x0000000000000000-mapping.dmp

Download
memory/2504-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2504-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2788-146-0x0000000000000000-mapping.dmp

Download
memory/2788-147-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2788-149-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2788-150-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2788-175-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3776-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads