metasploit | b479843e834146fbfca5b1233c5cf3c1fddaec5f1241f75a9809c767a934069d

General

Target

3e1484958d36378ab52a298fefd50d8e.exe
Size

80KB
MD5

3e1484958d36378ab52a298fefd50d8e
SHA1

d054086c5879bc90b2ae6a3c9978c8e2aeb29c0b
SHA256

b479843e834146fbfca5b1233c5cf3c1fddaec5f1241f75a9809c767a934069d
SHA512

9b49cddf30d8b269e9f6efb69a6aa4dfb8e961ce14d862c4ec2472c205816c8e5f8c2b12f20ca248d181da61d2e00db8db7578004c911d89a03536f7c37fbbb5
SSDEEP

1536:2qzC6Ici4KbmRjWTtXWVhtB66TUkmGYQT3XyluPy6egwLcHJ1p:2z39XUitXehtB6lkm8TZPyEv5

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3e1484958d36378ab52a298fefd50d8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\aadrive32.exe"	3e1484958d36378ab52a298fefd50d8e.exe

Executes dropped EXE 2 IoCs

pid	Process
2776	aadrive32.exe
2980	aadrive32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\aadrive32.exe"	3e1484958d36378ab52a298fefd50d8e.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2760 set thread context of 2096	2760	3e1484958d36378ab52a298fefd50d8e.exe	23
PID 2776 set thread context of 2980	2776	aadrive32.exe	26

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\aadrive32.exe	3e1484958d36378ab52a298fefd50d8e.exe
File created	C:\Windows\%windir%\lfffile32.log	aadrive32.exe
File created	C:\Windows\aadrive32.exe	3e1484958d36378ab52a298fefd50d8e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2096	3e1484958d36378ab52a298fefd50d8e.exe
2096	3e1484958d36378ab52a298fefd50d8e.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2096	2760	3e1484958d36378ab52a298fefd50d8e.exe	23
PID 2760 wrote to memory of 2096	2760	3e1484958d36378ab52a298fefd50d8e.exe	23
PID 2760 wrote to memory of 2096	2760	3e1484958d36378ab52a298fefd50d8e.exe	23
PID 2760 wrote to memory of 2096	2760	3e1484958d36378ab52a298fefd50d8e.exe	23
PID 2760 wrote to memory of 2096	2760	3e1484958d36378ab52a298fefd50d8e.exe	23
PID 2760 wrote to memory of 2096	2760	3e1484958d36378ab52a298fefd50d8e.exe	23
PID 2760 wrote to memory of 2096	2760	3e1484958d36378ab52a298fefd50d8e.exe	23
PID 2760 wrote to memory of 2096	2760	3e1484958d36378ab52a298fefd50d8e.exe	23
PID 2096 wrote to memory of 2776	2096	3e1484958d36378ab52a298fefd50d8e.exe	25
PID 2096 wrote to memory of 2776	2096	3e1484958d36378ab52a298fefd50d8e.exe	25
PID 2096 wrote to memory of 2776	2096	3e1484958d36378ab52a298fefd50d8e.exe	25
PID 2096 wrote to memory of 2776	2096	3e1484958d36378ab52a298fefd50d8e.exe	25
PID 2776 wrote to memory of 2980	2776	aadrive32.exe	26
PID 2776 wrote to memory of 2980	2776	aadrive32.exe	26
PID 2776 wrote to memory of 2980	2776	aadrive32.exe	26
PID 2776 wrote to memory of 2980	2776	aadrive32.exe	26
PID 2776 wrote to memory of 2980	2776	aadrive32.exe	26
PID 2776 wrote to memory of 2980	2776	aadrive32.exe	26
PID 2776 wrote to memory of 2980	2776	aadrive32.exe	26
PID 2776 wrote to memory of 2980	2776	aadrive32.exe	26

C:\Users\Admin\AppData\Local\Temp\3e1484958d36378ab52a298fefd50d8e.exe
"C:\Users\Admin\AppData\Local\Temp\3e1484958d36378ab52a298fefd50d8e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\3e1484958d36378ab52a298fefd50d8e.exe
  C:\Users\Admin\AppData\Local\Temp\3e1484958d36378ab52a298fefd50d8e.exe
  2⤵
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\aadrive32.exe
    "C:\Windows\aadrive32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\aadrive32.exe
      C:\Windows\aadrive32.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\aadrive32.exe

Filesize
17KB

MD5
021591bb3aaf75516726cf3897b3ce51

SHA1
1ab1b117d27e5a9583a3e9a918c4a16278ebf60d

SHA256
9ef7e1d0f2ce6f8064138de8badbe0629c12a823d4bf8bcce92104bbf96ac6d7

SHA512
b57cce754c0bfb226267f0d8febfd55f01d897e18f0c385ef50d266bfe59416c95c8ddca13165a0d38ab42d067a6c0a7bc3e12f5fb27f34641bde29174c5ee3d

Download Submit
C:\Windows\aadrive32.exe

Filesize
10KB

MD5
7943dda39711bf88490a53338b8cd75f

SHA1
5bdecdd716e241933160b6a38c2d55ccd6848b71

SHA256
1123357c6708434fd4663effa4c7849c7336f74eaa8ef968238f7a1e5bfc54db

SHA512
9beef144e31e38d7eab509351aa6496580bc2a8ac9f112bbc52463ae24cd69c5ba1fa47b4c607b6bef823a4d628b09dd6959dd78725104e965afeb4bbbd8c24b

Download Submit
C:\Windows\aadrive32.exe

Filesize
12KB

MD5
31f93ef32776884c8129ed9d33236045

SHA1
0cf6aad70f9099188038219edf44d0a61e849b02

SHA256
24de4d2732b5c10415a1204f0501a1a0abced42dbdf3dbfcdaf5c6fd526cd641

SHA512
9a94ba396eaf8220c7b9d708fe4f5355990a97377777081906a064ac3e131fc13d5bdd24a49fc4a729c66b7e4c18ea1bd547e9caeab19af338d1a280dc03038b

Download Submit
memory/2096-1-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2096-13-0x0000000000380000-0x000000000039B000-memory.dmp

Filesize
108KB

Download
memory/2096-4-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2096-15-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2096-5-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2760-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2760-2-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2776-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2776-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2980-23-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2980-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2980-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads