Analysis

max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 16/01/2024, 12:29
Static task: static1

Behavioral task: behavioral1
  Sample: 5fe378690b8d80290f81dd5bfc5c8c18.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 5fe378690b8d80290f81dd5bfc5c8c18.exe
  Resource: win10v2004-20231215-en
General

Target: 5fe378690b8d80290f81dd5bfc5c8c18.exe
Size: 80KB
MD5: 5fe378690b8d80290f81dd5bfc5c8c18
SHA1: b81315ebdc5a40cb96999e7eb8566b17165ef3af
SHA256: 74120250d0dbace2df52e10b8fe9ce2c7ebd8d64416ce39a1f7dcec998b6164e
SHA512: b8519a197cfb975bc0c9effcc4c14d878f3aaa53147b203b6122c51548446808accc2a1bc7d14ddfdc55016812f0a67bb77430eef1ae72702d669defb1e87bfa
SSDEEP: 1536:yQ/vZZtAaijmx4SAmOZ8lGsZyoSq/SgnVMTbG:HvHtHijbSAmOylRT/SgnqTi
Malware Config

Extracted
  Family: metasploit
  Encoder: encoder/call4_dword_xor
Signatures

MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 5fe378690b8d80290f81dd5bfc5c8c18.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Config Setup = "C:\\Windows\\jodrive32.exe" | 5fe378690b8d80290f81dd5bfc5c8c18.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2560 | jodrive32.exe
  2568 | jodrive32.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Config Setup = "C:\\Windows\\jodrive32.exe" | 5fe378690b8d80290f81dd5bfc5c8c18.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2008 set thread context of 2796 | 2008 | 5fe378690b8d80290f81dd5bfc5c8c18.exe | 28
  PID 2560 set thread context of 2568 | 2560 | jodrive32.exe | 30

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\jodrive32.exe | 5fe378690b8d80290f81dd5bfc5c8c18.exe
  File opened for modification | C:\Windows\jodrive32.exe | 5fe378690b8d80290f81dd5bfc5c8c18.exe
  File created | C:\Windows\%windir%\eilfiie32.log | jodrive32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2796 | 5fe378690b8d80290f81dd5bfc5c8c18.exe
  2796 | 5fe378690b8d80290f81dd5bfc5c8c18.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target | entries
  PID 2008 wrote to memory of 2796 | 2008 | 5fe378690b8d80290f81dd5bfc5c8c18.exe | 28 | 8
  PID 2796 wrote to memory of 2560 | 2796 | 5fe378690b8d80290f81dd5bfc5c8c18.exe | 29 | 4
  PID 2560 wrote to memory of 2568 | 2560 | jodrive32.exe | 30 | 8
Processes

1. C:\Users\Admin\AppData\Local\Temp\5fe378690b8d80290f81dd5bfc5c8c18.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5fe378690b8d80290f81dd5bfc5c8c18.exe"
   PID: 2008
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\5fe378690b8d80290f81dd5bfc5c8c18.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\5fe378690b8d80290f81dd5bfc5c8c18.exe
      PID: 2796
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\jodrive32.exe
         Command line: "C:\Windows\jodrive32.exe"
         PID: 2560
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\jodrive32.exe
            Command line: C:\Windows\jodrive32.exe
            PID: 2568
            - Executes dropped EXE
            - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 80KB
MD5: 5fe378690b8d80290f81dd5bfc5c8c18
SHA1: b81315ebdc5a40cb96999e7eb8566b17165ef3af
SHA256: 74120250d0dbace2df52e10b8fe9ce2c7ebd8d64416ce39a1f7dcec998b6164e
SHA512: b8519a197cfb975bc0c9effcc4c14d878f3aaa53147b203b6122c51548446808accc2a1bc7d14ddfdc55016812f0a67bb77430eef1ae72702d669defb1e87bfa