metasploit | 068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836

General

Target

068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe
Size

212KB
MD5

c470697cbd81bdbb52eb434c423f9218
SHA1

2c3c29ea27e2afec2c55ee89ac56eb88e796ec32
SHA256

068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836
SHA512

e14a40e7276a51899048371a79b403b118bbbd65c2c91912bff7da8dd9322607c6d11d63e77232cabb4574c9d1b95a917c62ccffa78cf41d6a7cdf6b3c75669b
SSDEEP

3072:rOqElnKetCj6omkCHXeXxhUlx4yhP/3CiMkCAdPEgG+KpEYHjC9nhIIcp:wlnD1oWHqxhDGwEdPEgG+KpEYeWHp

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

igfxdh86.exe

pid process

1592 igfxdh86.exe

pid	process
1592	igfxdh86.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1172-58-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1172-56-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1172-59-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1172-62-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1172-63-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1172-64-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1172-65-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe

pid	process
1172	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe
1172	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe

Drops file in System32 directory 3 IoCs

Processes:

068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe
File opened for modification	C:\Windows\SysWOW64\igfxdh86.exe	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe
File created	C:\Windows\SysWOW64\igfxdh86.exe	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe

description	pid	process	target process
PID 1224 set thread context of 1172	1224	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe

pid	process
1172	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe
1172	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exeigfxdh86.exe

description	pid	process	target process
PID 1224 wrote to memory of 1172	1224	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe
PID 1224 wrote to memory of 1172	1224	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe
PID 1224 wrote to memory of 1172	1224	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe
PID 1224 wrote to memory of 1172	1224	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe
PID 1224 wrote to memory of 1172	1224	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe
PID 1224 wrote to memory of 1172	1224	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe
PID 1224 wrote to memory of 1172	1224	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe
PID 1172 wrote to memory of 1592	1172	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe	igfxdh86.exe
PID 1172 wrote to memory of 1592	1172	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe	igfxdh86.exe
PID 1172 wrote to memory of 1592	1172	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe	igfxdh86.exe
PID 1172 wrote to memory of 1592	1172	068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe	igfxdh86.exe
PID 1592 wrote to memory of 1664	1592	igfxdh86.exe	igfxdh86.exe
PID 1592 wrote to memory of 1664	1592	igfxdh86.exe	igfxdh86.exe
PID 1592 wrote to memory of 1664	1592	igfxdh86.exe	igfxdh86.exe
PID 1592 wrote to memory of 1664	1592	igfxdh86.exe	igfxdh86.exe

C:\Users\Admin\AppData\Local\Temp\068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe
"C:\Users\Admin\AppData\Local\Temp\068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Temp\068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe
"C:\Users\Admin\AppData\Local\Temp\068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836.exe"
2⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\igfxdh86.exe
"C:\Windows\SysWOW64\igfxdh86.exe" C:\Users\Admin\AppData\Local\Temp\068611~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\igfxdh86.exe
"C:\Windows\SysWOW64\igfxdh86.exe" C:\Users\Admin\AppData\Local\Temp\068611~1.EXE
4⤵
PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxdh86.exe

Filesize
212KB

MD5
c470697cbd81bdbb52eb434c423f9218

SHA1
2c3c29ea27e2afec2c55ee89ac56eb88e796ec32

SHA256
068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836

SHA512
e14a40e7276a51899048371a79b403b118bbbd65c2c91912bff7da8dd9322607c6d11d63e77232cabb4574c9d1b95a917c62ccffa78cf41d6a7cdf6b3c75669b

Download Submit
C:\Windows\SysWOW64\igfxdh86.exe

Filesize
212KB

MD5
c470697cbd81bdbb52eb434c423f9218

SHA1
2c3c29ea27e2afec2c55ee89ac56eb88e796ec32

SHA256
068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836

SHA512
e14a40e7276a51899048371a79b403b118bbbd65c2c91912bff7da8dd9322607c6d11d63e77232cabb4574c9d1b95a917c62ccffa78cf41d6a7cdf6b3c75669b

Download Submit
\Windows\SysWOW64\igfxdh86.exe

Filesize
212KB

MD5
c470697cbd81bdbb52eb434c423f9218

SHA1
2c3c29ea27e2afec2c55ee89ac56eb88e796ec32

SHA256
068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836

SHA512
e14a40e7276a51899048371a79b403b118bbbd65c2c91912bff7da8dd9322607c6d11d63e77232cabb4574c9d1b95a917c62ccffa78cf41d6a7cdf6b3c75669b

Download Submit
\Windows\SysWOW64\igfxdh86.exe

Filesize
212KB

MD5
c470697cbd81bdbb52eb434c423f9218

SHA1
2c3c29ea27e2afec2c55ee89ac56eb88e796ec32

SHA256
068611c8f936f1efb7cb76b1349a92720dcab52bd3ad1e268b0d300028e1a836

SHA512
e14a40e7276a51899048371a79b403b118bbbd65c2c91912bff7da8dd9322607c6d11d63e77232cabb4574c9d1b95a917c62ccffa78cf41d6a7cdf6b3c75669b

Download Submit
memory/1172-59-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1172-61-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/1172-62-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1172-63-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1172-64-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1172-65-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1172-54-0x0000000000000000-mapping.dmp

Download
memory/1172-56-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1172-58-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1172-55-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1592-68-0x0000000000000000-mapping.dmp

Download
memory/1664-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads