Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 00:34
Static task: static1
Behavioral task: behavioral1
- Sample: 8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe
- Resource: win10v2004-20220812-en
General
- Target: 8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe
- Size: 124KB
- MD5: 529fade9b912037e65c8765d35d4b066
- SHA1: 108edd33406cda07d8ee2a87df8d305159aa7a25
- SHA256: 8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933
- SHA512: 1d7d1e006786a31a10b77a2634a480e35815dc8d18d34a0d3230fefed671d7a0a5377668d71fb44cca2a69ab0a344125b865122052ba56d8a1e45431c0189c17
- SSDEEP: 1536:khqSYtGeGemOBKu9eL5/4weWWzmrn14z7/zstv9ScRIMU/wAGrw1e5aRLW2/:7eVwweWUmr1S7/zw1R/UYAx1GYWO
Malware Config
Extracted
- metasploit (encoder/call4_dword_xor)
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: 8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\aadrive32.exe" (process: 8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe)
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 2964 aadrive32.exe
  - PID 1752 aadrive32.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (process: 8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\aadrive32.exe" (process: 8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  - PID 1488 (8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe) set thread context of PID 3768 (8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe)
  - PID 2964 (aadrive32.exe) set thread context of PID 1752 (aadrive32.exe)
- Drops file in Windows directory (3 IoCs)
  Processes:
  - File created: C:\Windows\aadrive32.exe (process: 8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe)
  - File opened for modification: C:\Windows\aadrive32.exe (process: 8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe)
  - File created: C:\Windows\%windir%\lfffile32.log (process: aadrive32.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  - PID 3768 8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe (4 occurrences)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - PID 1488 8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe
  - PID 2964 aadrive32.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
  - PID 1488 (8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe) wrote to memory of PID 3768 (8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe): 8 occurrences
  - PID 3768 (8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe) wrote to memory of PID 2964 (aadrive32.exe): 3 occurrences
  - PID 2964 (aadrive32.exe) wrote to memory of PID 1752 (aadrive32.exe): 8 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933.exe
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\aadrive32.exe (depth 3)
      Command line: "C:\Windows\aadrive32.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\aadrive32.exe (depth 4)
        Command line: C:\Windows\aadrive32.exe
        - Executes dropped EXE
        - Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\aadrive32.exe (hashes identical to the submitted sample)
  - Filesize: 124KB
  - MD5: 529fade9b912037e65c8765d35d4b066
  - SHA1: 108edd33406cda07d8ee2a87df8d305159aa7a25
  - SHA256: 8e2740916af9e933ff2afe5ce158af4220798875e18c148fa2b96530af260933
  - SHA512: 1d7d1e006786a31a10b77a2634a480e35815dc8d18d34a0d3230fefed671d7a0a5377668d71fb44cca2a69ab0a344125b865122052ba56d8a1e45431c0189c17
- memory/1488-138-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/1488-132-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/1752-147-0x0000000000000000-mapping.dmp
- memory/1752-153-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
- memory/2964-140-0x0000000000000000-mapping.dmp
- memory/2964-146-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/2964-150-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/3768-139-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
- memory/3768-136-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
- memory/3768-145-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
- memory/3768-135-0x0000000000000000-mapping.dmp