Analysis
  max time kernel:  150s
  max time network: 41s
  platform:         windows7_x64
  resource:         win7-20220812-en
  resource tags:    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:        19-09-2022 01:50
Static task: static1
Behavioral task: behavioral1
  Sample:   79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample:   79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
  Resource: win10v2004-20220812-en
General
  Target: 79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
  Size:   84KB
  MD5:    d5aa2dbec14a5ca3e5c19cea1a94d0ff
  SHA1:   f513480226b993cbcd01f04107361b2576d95282
  SHA256: 79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc
  SHA512: 6e6f476d155ab9c3a8d3ea9c15d6fb319338ea46949600906620d87951f1f04d2ec7934ac5b8efc80461c1b0d611fac6368482cf4b07b6b96ff58935da0a236d
  SSDEEP: 1536:rW0uLeM8v/q291NR7HVAQCUwljFf+NW49:rWhLA1NRjVAjtls
Malware Config
  Extracted family: metasploit
  Detail:           encoder/call4_dword_xor
Signatures
MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Process: 79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
    Key created     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\cfdrive32.exe"
  The Policies\Explorer\Run key is the Group Policy variant of the Run key: Explorer runs its values at logon just like HKLM\...\CurrentVersion\Run, but it is checked far less often in quick autorun reviews. The value points at the copy the sample drops into C:\Windows (see "Drops file in Windows directory" below).
Executes dropped EXE (2 IoCs)
  PID 1944  cfdrive32.exe
  PID 736   cfdrive32.exe
YARA rule match: upx (7 IoCs)
  All seven hits are the 0x00400000-0x00456000 image region of the two child processes that receive SetThreadContext below (PIDs 1556 and 736):
  resource                                                                       yara_rule
  behavioral1/memory/1556-56-0x0000000000400000-0x0000000000456000-memory.dmp    upx
  behavioral1/memory/1556-59-0x0000000000400000-0x0000000000456000-memory.dmp    upx
  behavioral1/memory/1556-60-0x0000000000400000-0x0000000000456000-memory.dmp    upx
  behavioral1/memory/1556-61-0x0000000000400000-0x0000000000456000-memory.dmp    upx
  behavioral1/memory/1556-75-0x0000000000400000-0x0000000000456000-memory.dmp    upx
  behavioral1/memory/736-76-0x0000000000400000-0x0000000000456000-memory.dmp     upx
  behavioral1/memory/736-77-0x0000000000400000-0x0000000000456000-memory.dmp     upx
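Why a rule named upx still fires on dumps of a running process: the PE header, including the section table, is mapped at the image base (0x00400000 here), and UPX leaves its section names (UPX0, UPX1) in that table even after the stub has unpacked the code in memory. The script below is an added example written for this page, not the sandbox's own rule (the exact rule it uses is not shown on the page); it parses the section table out of a PE header and flags UPX-named sections. The two images it runs on are constructed, header-only fixtures, not the sample from this report.

```python
import struct

def build_pe32(section_names):
    """Constructed fixture: DOS header, PE signature, COFF header, a zeroed PE32
    optional header (0xE0 bytes) and one 40-byte section header per name. It is
    only enough PE for the parser below, not a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # e_lfanew at 0x3C
    opt_size = 0xE0
    # Machine=i386, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    image = dos + b"PE\0\0" + coff + b"\0" * opt_size
    for i, name in enumerate(section_names):
        image += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             0x1000, 0x1000 * (i + 1),      # VirtualSize, VirtualAddress
                             0x200, 0x400 * (i + 1),        # SizeOfRawData, PointerToRawData
                             0, 0, 0, 0, 0x60000020)        # relocs/linenums, Characteristics
    return image


def section_names(image):
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> section table and return the
    section names. Works on a file or on a dump of the mapped image, because the
    header is identical in both; only raw-data pointers differ."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (n_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)    # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)     # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                  # first IMAGE_SECTION_HEADER
    if table + 40 * n_sections > len(image):
        raise ValueError("section table truncated")
    names = []
    for i in range(n_sections):
        raw = image[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(image):
    """Heuristic only: UPX can be told to rename its sections, so a negative proves nothing."""
    return any(name.startswith("UPX") for name in section_names(image))


PACKED = build_pe32(["UPX0", "UPX1", ".rsrc"])      # constructed: typical UPX layout
PLAIN = build_pe32([".text", ".rdata", ".data"])    # constructed: ordinary MSVC layout

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("plain", PLAIN)):
        print(label, section_names(img), "upx" if looks_upx_packed(img) else "-")
```

Run it against a real dump by reading the .dmp file as bytes and passing it to section_names(); the 0x4549C0 "mapping" dumps on this page are not full images and will not parse.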
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
    Key created     \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\cfdrive32.exe"
Suspicious use of SetThreadContext (2 IoCs)
  Processes: 79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe, cfdrive32.exe
    PID 1348 set thread context of 1556  (79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe -> 79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe)
    PID 1944 set thread context of 736   (cfdrive32.exe -> cfdrive32.exe)
  In both cases the target is a second instance of the caller's own image, and the same parent/child pair also appears under "Suspicious use of WriteProcessMemory" below: write into a child of your own image, then replace its thread context, is the sequence of a process-hollowing style launch.
Drops file in Windows directory (3 IoCs)
  Processes: 79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe, cfdrive32.exe
    File created                C:\Windows\cfdrive32.exe              79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
    File opened for modification C:\Windows\cfdrive32.exe             79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
    File created                C:\Windows\%windir%\logfile32.log    cfdrive32.exe
  The last path is recorded exactly as the sandbox saw it, with "%windir%" left unexpanded inside an already absolute path; treat it as a literal directory name when hunting for it.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: 79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
    PID 1556  79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
    PID 1556  79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe, cfdrive32.exe
    PID 1348  79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
    PID 1944  cfdrive32.exe
Suspicious use of WriteProcessMemory (22 IoCs)
  Processes: 79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe, 79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe, cfdrive32.exe
    PID 1348 wrote to memory of 1556  (79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe -> 79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe)  9 times
    PID 1556 wrote to memory of 1944  (79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe -> cfdrive32.exe)  4 times
    PID 1944 wrote to memory of 736   (cfdrive32.exe -> cfdrive32.exe)  9 times
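The Run-key signatures and the SetThreadContext/WriteProcessMemory signatures above are the two findings an analyst would want to pull out of this report mechanically: where persistence was written, and which parent/child pairs show the write-then-redirect sequence. The script below is an added example for this page, not part of the sandbox report or its tooling. It parses IoC lines in the wording visible on this page (the line format is assumed from what the page shows, and the input is constructed inline from the page's own entries), reports each Run-key value, labels each process pair, and reconstructs the process lineage.

```python
import re
from collections import defaultdict

# Constructed fixture: the IoC lines from this page, in the report's own wording.
SAMPLE = "79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe"
DROPPED = "cfdrive32.exe"

REGISTRY_EVENTS = [
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\cfdrive32.exe"',
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ ",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\cfdrive32.exe"',
]

PROCESS_EVENTS = (
    [f"PID 1348 set thread context of 1556 1348 {SAMPLE} {SAMPLE}"]
    + [f"PID 1348 wrote to memory of 1556 1348 {SAMPLE} {SAMPLE}"] * 9
    + [f"PID 1556 wrote to memory of 1944 1556 {SAMPLE} {DROPPED}"] * 4
    + [f"PID 1944 set thread context of 736 1944 {DROPPED} {DROPPED}"]
    + [f"PID 1944 wrote to memory of 736 1944 {DROPPED} {DROPPED}"] * 9
)

# 'Set value (str) <key>\<value name> = "<data>"' for the ordinary and the Policies\Explorer Run keys.
RUN_KEY_RE = re.compile(
    r'Set value \(str\) (?P<key>\\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?'
    r'Microsoft\\Windows\\CurrentVersion\\(?:Policies\\Explorer\\)?Run)'
    r'\\(?P<name>[^=]+?) = "(?P<data>[^"]*)"'
)
# "PID <src> <action> <dst> <src> <source image> <target image>"
PROC_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def run_key_persistence(lines):
    """One finding per Run-key value written (Registry Run Keys, T1547.001 in current
    ATT&CK; the page's matrix is v6). Notes whether the less-inspected
    Policies\\Explorer\\Run location and/or the Wow6432Node view was used."""
    findings = []
    for line in lines:
        m = RUN_KEY_RE.search(line)
        if not m:
            continue  # "Key created" lines carry no value data
        findings.append({
            "key": m.group("key"),
            "name": m.group("name"),
            "path": m.group("data").replace("\\\\", "\\"),  # undo the report's escaping
            "policy_key": "Policies\\Explorer\\Run" in m.group("key"),
            "wow64": "Wow6432Node" in m.group("key"),
        })
    return findings


def injection_pairs(lines):
    """Aggregate memory-write and thread-context events per (source, target) pair.
    A pair that is both written to and has its thread context replaced, where the
    child runs the caller's own image, is labelled as a hollowing candidate."""
    counts = defaultdict(lambda: {"writes": 0, "thread_context": 0})
    for line in lines:
        m = PROC_RE.match(line)
        if not m:
            continue
        key = (int(m.group("src")), int(m.group("dst")), m.group("src_img"), m.group("dst_img"))
        field = "writes" if m.group("action").startswith("wrote") else "thread_context"
        counts[key][field] += 1
    rows = []
    for (src, dst, src_img, dst_img), c in counts.items():
        if c["writes"] and c["thread_context"]:
            verdict = "hollowing-candidate" if src_img == dst_img else "injection-candidate"
        else:
            verdict = "memory-write-only"  # e.g. a parent launching the dropped copy
        rows.append({"src": src, "dst": dst, "src_img": src_img, "dst_img": dst_img,
                     "verdict": verdict, **c})
    return sorted(rows, key=lambda r: (r["src"], r["dst"]))


def lineage(rows):
    """Follow source->target edges from the root. Assumes the single linear chain this
    report shows; a branching tree would need a proper traversal."""
    children = {r["src"]: r["dst"] for r in rows}
    targets = {r["dst"] for r in rows}
    chain = [next(r["src"] for r in rows if r["src"] not in targets)]
    while chain[-1] in children:
        chain.append(children[chain[-1]])
    return chain


if __name__ == "__main__":
    for f in run_key_persistence(REGISTRY_EVENTS):
        print("persistence:", f["name"], "->", f["path"], "(policy key)" if f["policy_key"] else "")
    rows = injection_pairs(PROCESS_EVENTS)
    for r in rows:
        print(f"{r['src']} -> {r['dst']}: {r['verdict']} (writes={r['writes']}, ctx={r['thread_context']})")
    print("lineage:", " -> ".join(map(str, lineage(rows))))
```

The verdict names are this example's own labels, not the sandbox's. The same-image check is what separates the two hollowing pairs (1348 -> 1556, 1944 -> 736) from the 1556 -> 1944 pair, where the original writes into the dropped copy but never touches its thread context.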
Processes (PIDs taken from the signature tables above)
  C:\Users\Admin\AppData\Local\Temp\79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe  (PID 1348)
    command line: "C:\Users\Admin\AppData\Local\Temp\79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe  (PID 1556, child of 1348)
      command line: "C:\Users\Admin\AppData\Local\Temp\79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe"
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\cfdrive32.exe  (PID 1944, child of 1556)
        command line: "C:\Windows\cfdrive32.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Windows\cfdrive32.exe  (PID 736, child of 1944)
          command line: "C:\Windows\cfdrive32.exe"
          - Executes dropped EXE
          - Drops file in Windows directory
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  C:\Windows\cfdrive32.exe  (listed three times on the original page with identical values)
    Filesize: 84KB
    MD5:      d5aa2dbec14a5ca3e5c19cea1a94d0ff
    SHA1:     f513480226b993cbcd01f04107361b2576d95282
    SHA256:   79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc
    SHA512:   6e6f476d155ab9c3a8d3ea9c15d6fb319338ea46949600906620d87951f1f04d2ec7934ac5b8efc80461c1b0d611fac6368482cf4b07b6b96ff58935da0a236d
  Size and all four hashes match the submitted sample exactly, so the dropped cfdrive32.exe is a byte-for-byte copy of the original: one set of hashes covers both the initial file and the persisted one.
Memory dumps
  memory/736-77-0x0000000000400000-0x0000000000456000-memory.dmp    Filesize 344KB
  memory/736-76-0x0000000000400000-0x0000000000456000-memory.dmp    Filesize 344KB
  memory/736-69-0x00000000004549C0-mapping.dmp
  memory/1556-60-0x0000000000400000-0x0000000000456000-memory.dmp   Filesize 344KB
  memory/1556-62-0x0000000074F41000-0x0000000074F43000-memory.dmp   Filesize 8KB
  memory/1556-61-0x0000000000400000-0x0000000000456000-memory.dmp   Filesize 344KB
  memory/1556-56-0x0000000000400000-0x0000000000456000-memory.dmp   Filesize 344KB
  memory/1556-75-0x0000000000400000-0x0000000000456000-memory.dmp   Filesize 344KB
  memory/1556-59-0x0000000000400000-0x0000000000456000-memory.dmp   Filesize 344KB
  memory/1556-57-0x00000000004549C0-mapping.dmp
  memory/1944-63-0x0000000000000000-mapping.dmp