metasploit | 79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc

General

Target

79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
Size

84KB
MD5

d5aa2dbec14a5ca3e5c19cea1a94d0ff
SHA1

f513480226b993cbcd01f04107361b2576d95282
SHA256

79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc
SHA512

6e6f476d155ab9c3a8d3ea9c15d6fb319338ea46949600906620d87951f1f04d2ec7934ac5b8efc80461c1b0d611fac6368482cf4b07b6b96ff58935da0a236d
SSDEEP

1536:rW0uLeM8v/q291NR7HVAQCUwljFf+NW49:rWhLA1NRjVAjtls

Score

10^/10

metasploit backdoor persistence trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\cfdrive32.exe"	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe

Executes dropped EXE 2 IoCs

Processes:

cfdrive32.execfdrive32.exe

pid process

4056 cfdrive32.exe
4684 cfdrive32.exe

pid	process
4056	cfdrive32.exe
4684	cfdrive32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3708-135-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3708-138-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3708-137-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3708-139-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3708-150-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4684-152-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4684-153-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\cfdrive32.exe"	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.execfdrive32.exe

description	pid	process	target process
PID 2564 set thread context of 3708	2564	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
PID 4056 set thread context of 4684	4056	cfdrive32.exe	cfdrive32.exe

Drops file in Windows directory 3 IoCs

Processes:

79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.execfdrive32.exe

description	ioc	process
File created	C:\Windows\cfdrive32.exe	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
File opened for modification	C:\Windows\cfdrive32.exe	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
File created	C:\Windows\%windir%\logfile32.log	cfdrive32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe

pid	process
3708	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
3708	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
3708	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
3708	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.execfdrive32.exe

pid process

2564 79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
4056 cfdrive32.exe

pid	process
2564	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
4056	cfdrive32.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.execfdrive32.exe

description	pid	process	target process
PID 2564 wrote to memory of 3708	2564	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
PID 2564 wrote to memory of 3708	2564	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
PID 2564 wrote to memory of 3708	2564	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
PID 2564 wrote to memory of 3708	2564	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
PID 2564 wrote to memory of 3708	2564	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
PID 2564 wrote to memory of 3708	2564	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
PID 2564 wrote to memory of 3708	2564	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
PID 2564 wrote to memory of 3708	2564	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
PID 3708 wrote to memory of 4056	3708	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe	cfdrive32.exe
PID 3708 wrote to memory of 4056	3708	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe	cfdrive32.exe
PID 3708 wrote to memory of 4056	3708	79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe	cfdrive32.exe
PID 4056 wrote to memory of 4684	4056	cfdrive32.exe	cfdrive32.exe
PID 4056 wrote to memory of 4684	4056	cfdrive32.exe	cfdrive32.exe
PID 4056 wrote to memory of 4684	4056	cfdrive32.exe	cfdrive32.exe
PID 4056 wrote to memory of 4684	4056	cfdrive32.exe	cfdrive32.exe
PID 4056 wrote to memory of 4684	4056	cfdrive32.exe	cfdrive32.exe
PID 4056 wrote to memory of 4684	4056	cfdrive32.exe	cfdrive32.exe
PID 4056 wrote to memory of 4684	4056	cfdrive32.exe	cfdrive32.exe
PID 4056 wrote to memory of 4684	4056	cfdrive32.exe	cfdrive32.exe

C:\Users\Admin\AppData\Local\Temp\79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
"C:\Users\Admin\AppData\Local\Temp\79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Local\Temp\79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe
"C:\Users\Admin\AppData\Local\Temp\79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc.exe"
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\cfdrive32.exe
"C:\Windows\cfdrive32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\cfdrive32.exe
"C:\Windows\cfdrive32.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\cfdrive32.exe

Filesize
84KB

MD5
d5aa2dbec14a5ca3e5c19cea1a94d0ff

SHA1
f513480226b993cbcd01f04107361b2576d95282

SHA256
79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc

SHA512
6e6f476d155ab9c3a8d3ea9c15d6fb319338ea46949600906620d87951f1f04d2ec7934ac5b8efc80461c1b0d611fac6368482cf4b07b6b96ff58935da0a236d

Download Submit
C:\Windows\cfdrive32.exe

Filesize
84KB

MD5
d5aa2dbec14a5ca3e5c19cea1a94d0ff

SHA1
f513480226b993cbcd01f04107361b2576d95282

SHA256
79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc

SHA512
6e6f476d155ab9c3a8d3ea9c15d6fb319338ea46949600906620d87951f1f04d2ec7934ac5b8efc80461c1b0d611fac6368482cf4b07b6b96ff58935da0a236d

Download Submit
C:\Windows\cfdrive32.exe

Filesize
84KB

MD5
d5aa2dbec14a5ca3e5c19cea1a94d0ff

SHA1
f513480226b993cbcd01f04107361b2576d95282

SHA256
79e32ed5b8a2d0bd3511f10172b12c204ef5feecaf1b753d1c438c462b58a8fc

SHA512
6e6f476d155ab9c3a8d3ea9c15d6fb319338ea46949600906620d87951f1f04d2ec7934ac5b8efc80461c1b0d611fac6368482cf4b07b6b96ff58935da0a236d

Download Submit
memory/3708-137-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3708-139-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3708-138-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3708-135-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3708-134-0x0000000000000000-mapping.dmp

Download
memory/3708-150-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4056-140-0x0000000000000000-mapping.dmp

Download
memory/4684-145-0x0000000000000000-mapping.dmp

Download
memory/4684-152-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4684-153-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads