Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/01/2024, 12:29
Static task: static1
Behavioral task: behavioral1
  Sample: 5fe378690b8d80290f81dd5bfc5c8c18.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 5fe378690b8d80290f81dd5bfc5c8c18.exe
  Resource: win10v2004-20231215-en
General
- Target: 5fe378690b8d80290f81dd5bfc5c8c18.exe
- Size: 80KB
- MD5: 5fe378690b8d80290f81dd5bfc5c8c18
- SHA1: b81315ebdc5a40cb96999e7eb8566b17165ef3af
- SHA256: 74120250d0dbace2df52e10b8fe9ce2c7ebd8d64416ce39a1f7dcec998b6164e
- SHA512: b8519a197cfb975bc0c9effcc4c14d878f3aaa53147b203b6122c51548446808accc2a1bc7d14ddfdc55016812f0a67bb77430eef1ae72702d669defb1e87bfa
- SSDEEP: 1536:yQ/vZZtAaijmx4SAmOZ8lGsZyoSq/SgnVMTbG:HvHtHijbSAmOylRT/SgnqTi
Malware Config
Extracted
  metasploit
  encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 5fe378690b8d80290f81dd5bfc5c8c18.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Config Setup = "C:\\Windows\\jodrive32.exe" | 5fe378690b8d80290f81dd5bfc5c8c18.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4204 | jodrive32.exe
  4992 | jodrive32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Config Setup = "C:\\Windows\\jodrive32.exe" | 5fe378690b8d80290f81dd5bfc5c8c18.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 4028 set thread context of 2412 | 4028 | 5fe378690b8d80290f81dd5bfc5c8c18.exe | 89
  PID 4204 set thread context of 4992 | 4204 | jodrive32.exe | 91
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\jodrive32.exe | 5fe378690b8d80290f81dd5bfc5c8c18.exe
  File opened for modification | C:\Windows\jodrive32.exe | 5fe378690b8d80290f81dd5bfc5c8c18.exe
  File created | C:\Windows\%windir%\eilfiie32.log | jodrive32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2412 | 5fe378690b8d80290f81dd5bfc5c8c18.exe (4 identical entries)
- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 4028 wrote to memory of 2412 | 4028 | 5fe378690b8d80290f81dd5bfc5c8c18.exe | 89 (7 identical entries)
  PID 2412 wrote to memory of 4204 | 2412 | 5fe378690b8d80290f81dd5bfc5c8c18.exe | 90 (3 identical entries)
  PID 4204 wrote to memory of 4992 | 4204 | jodrive32.exe | 91 (7 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\5fe378690b8d80290f81dd5bfc5c8c18.exe (depth 1, PID 4028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5fe378690b8d80290f81dd5bfc5c8c18.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5fe378690b8d80290f81dd5bfc5c8c18.exe (depth 2, PID 2412)
    Command line: C:\Users\Admin\AppData\Local\Temp\5fe378690b8d80290f81dd5bfc5c8c18.exe
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\jodrive32.exe (depth 3, PID 4204)
      Command line: "C:\Windows\jodrive32.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Windows\jodrive32.exe (depth 4, PID 4992)
        Command line: C:\Windows\jodrive32.exe
        - Executes dropped EXE
        - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15