Windows Analysis Report
adEHIudJGb.exe

Overview

General Information

Sample name: adEHIudJGb.exe
renamed because original name is a hash value
Original sample name: 0dafaa7feba79f41422715d008deefe5c7d94849.exe
Analysis ID: 1546792
MD5: ab9870c0ad477a2f5e0078e82c7afb54
SHA1: 0dafaa7feba79f41422715d008deefe5c7d94849
SHA256: d4610be19ea719ca5ca2ec3f53e2ae70bb60b1345d74d65fdcd18a45282634d4
Tags: exeReversingLabsuser-NDA0E
Infos:

Detection

Metasploit
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
AV process strings found (often used to terminate AV products)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Found malware configuration
Source: adEHIudJGb.exe Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "192.168.56.102", "Port": 443}
Multi AV Scanner detection for submitted file
Source: adEHIudJGb.exe ReversingLabs: Detection: 60%
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49782
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49744
Source: adEHIudJGb.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: adEHIudJGb.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: adEHIudJGb.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: adEHIudJGb.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: adEHIudJGb.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: adEHIudJGb.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: adEHIudJGb.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: adEHIudJGb.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: adEHIudJGb.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: adEHIudJGb.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net
Source: adEHIudJGb.exe String found in binary or memory: https://sectigo.com/CPS0
Source: adEHIudJGb.exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/
Source: adEHIudJGb.exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: adEHIudJGb.exe, type: SAMPLE Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 0.0.adEHIudJGb.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 0.2.adEHIudJGb.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000000.00000000.1771504707.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000000.00000002.1979604577.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
One or more processes crash
Source: C:\Users\user\Desktop\adEHIudJGb.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7300 -s 416
PE / OLE file has an invalid certificate
Source: adEHIudJGb.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: adEHIudJGb.exe Binary or memory string: OriginalFilename vs adEHIudJGb.exe
Source: adEHIudJGb.exe, 00000000.00000002.1979817609.000000014013D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePuTTYd" vs adEHIudJGb.exe
Source: adEHIudJGb.exe Binary or memory string: OriginalFilenamePuTTYd" vs adEHIudJGb.exe
Yara signature match
Source: adEHIudJGb.exe, type: SAMPLE Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 0.0.adEHIudJGb.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 0.2.adEHIudJGb.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 00000000.00000000.1771504707.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 00000000.00000002.1979604577.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: adEHIudJGb.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal72.troj.winEXE@2/5@0/0
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7300
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\679f59e6-f2b6-4923-9fd7-126386c87bed Jump to behavior
Source: adEHIudJGb.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\adEHIudJGb.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: adEHIudJGb.exe ReversingLabs: Detection: 60%
Source: adEHIudJGb.exe String found in binary or memory: config-address-family
Source: adEHIudJGb.exe String found in binary or memory: config-ssh-portfwd-address-family
Source: adEHIudJGb.exe String found in binary or memory: [200~}||{zconfig-proxyUnable to parse auth header from HTTP proxyConnection/Proxysshttypermit-ptyconfig-ssh-ptyServer refused to allocate ptyAllocated ptyReset scrollback on display activityidentityconfig-ssh-xauthorityPublic key of certification authoritySelect public key file of certification authorityconfig-serial-parityConfiguring %s paritySerialParityFontQualityValidityAddDllDirectoryOut of memoryCryptProtectMemoryUnable to load any WinSock libraryprimaryconfig-selection-autocopyMouseAutocopyconfig-rtfcopyWindow/Selection/Copy&CopyFlush log file frequentlyApplyReceived invalid elliptic curve point in ECDH replyReceived invalid elliptic curve point in GSSAPI ECDH replyconfig-altonlyKey file contains public key onlyUse font in OEM mode onlyAltOnlyForwarded port opened successfullyDisconnect if authentication succeeds triviallyconfig-address-familyconfig-ssh-portfwd-address-familyNetwork error: Address family not supported by protocol familyAddressFamilyForbid resizing completelyHandles SSH-2 key re-exchange badlyValid hosts this key is trusted to certifyModifyconfig-ssh-privkey-hostkeyconfig-telnetkeyconfig-ssh-kex-rekeyconfig-ssh-bug-rekeyGssapiRekeypublickeypubkeycert_ca_keyerrors-cant-load-keyputty-private-key-file-mac-keycross-certifying new host keyNoninteractive SSH proxy cannot confirm host keyNoninteractive SSH proxy cannot confirm weak cached host keyNo validity expression configured for this keyServer refused our keyuser authentication keyEncrypted session keyssh.com SSH-2 private keynot a PuTTY SSH-2 private keynot a public key or a PuTTY SSH-2 private keySSH-1 private keyAltGr acts as Compose keyunable to identify algorithm of base keyThe Backspace keyAdd keyFull text of host's public keyOffered public keySSH-1 public keyFingerprint of signing CA keyHostKeyTelnetKeyScrollOnKeyComposeKeyPublicKeySteadycleanup after downstream went awayDisable bidirectional text displayX authority file for local displayX11Displayconfig-nodelayTCPNoDelaypublic_affine_ypublic_yLinuxaux-demo-config-boxPuTTYConfigBoxunixdisplay name '%s' has no ':number' suffixgssapi-keyexLocal\putty-connshare-mutexNTRU Prime / Curve25519 hybrid kexServer's host key did not match any used in previous GSS kexConnection/SSH/Kexhhctrl.ocxprivate_xpublic_affine_xFlashWindowExToUnicodeExPageantRequest%08x%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x%s%02x\'%02x
Source: adEHIudJGb.exe String found in binary or memory: config-serial-stopbits
Source: adEHIudJGb.exe String found in binary or memory: source-address
Source: adEHIudJGb.exe String found in binary or memory: /config-address-family.html
Source: adEHIudJGb.exe String found in binary or memory: /config-serial-stopbits.html
Source: adEHIudJGb.exe String found in binary or memory: j'/config-ssh-portfwd-address-family.html
Source: adEHIudJGb.exe String found in binary or memory: /faq-startmax.html
Source: adEHIudJGb.exe String found in binary or memory: /faq-startsess.html
Source: adEHIudJGb.exe String found in binary or memory: /faq-startssh.html
Source: adEHIudJGb.exe String found in binary or memory: /feedback-address.html
Source: adEHIudJGb.exe String found in binary or memory: /pageant-mainwin-addkey.html
Source: adEHIudJGb.exe String found in binary or memory: /pageant-start.html
Source: adEHIudJGb.exe String found in binary or memory: /plink-starting.html
Source: adEHIudJGb.exe String found in binary or memory: /pscp-starting.html
Source: adEHIudJGb.exe String found in binary or memory: /psftp-cmd-help.html
Source: adEHIudJGb.exe String found in binary or memory: /psftp-starting.html
Source: unknown Process created: C:\Users\user\Desktop\adEHIudJGb.exe "C:\Users\user\Desktop\adEHIudJGb.exe"
Source: C:\Users\user\Desktop\adEHIudJGb.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7300 -s 416
Source: C:\Users\user\Desktop\adEHIudJGb.exe Section loaded: apphelp.dll Jump to behavior
Source: adEHIudJGb.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: adEHIudJGb.exe Static file information: File size 1663264 > 1048576
Source: adEHIudJGb.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: adEHIudJGb.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: adEHIudJGb.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: adEHIudJGb.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: adEHIudJGb.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
PE file contains sections with non-standard names
Source: adEHIudJGb.exe Static PE information: section name: .00cfg
Source: adEHIudJGb.exe Static PE information: section name: .gxfg
Source: adEHIudJGb.exe Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\adEHIudJGb.exe Code function: 0_2_0000000140004E51 push CA36FFFFh; ret 0_2_0000000140004E6E
Source: C:\Users\user\Desktop\adEHIudJGb.exe Code function: 0_2_00000001400462C0 push rdi; ret 0_2_00000001400462C2
Source: adEHIudJGb.exe Static PE information: section name: .text entropy: 6.989384052357256
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe

Remote Access Functionality
barindex
Yara detected Metasploit Payload
Source: Yara match File source: adEHIudJGb.exe, type: SAMPLE
Source: Yara match File source: 0.0.adEHIudJGb.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.adEHIudJGb.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1771504707.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1979604577.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1546792 Sample: adEHIudJGb.exe Startdate: 01/11/2024 Architecture: WINDOWS Score: 72 13 Found malware configuration 2->13 15 Malicious sample detected (through community Yara rule) 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected Metasploit Payload 2->19 6 adEHIudJGb.exe 2->6         started        process3 process4 8 WerFault.exe 19 16 6->8         started        file5 11 C:\ProgramData\Microsoft\...\Report.wer, Unicode 8->11 dropped
No contacted IP infos