Analysis
max time kernel: 150s
max time network: 102s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2022 04:32
Static task: static1
Behavioral task: behavioral1
  Sample: cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe
  Resource: win10v2004-20220812-en
The signatures, process tree and memory dumps below come from behavioral1 (the Windows 7 x64 run, as the platform field and the behavioral1/ dump prefixes show); no output from the Windows 10 run appears on this page.
General
Target: cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe
Size: 264KB
MD5: 99443f0fe6928746ba6a8b41fff141d8
SHA1: 28f1a01d758c7285f8b87eaf78e11588f031cd4f
SHA256: cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c
SHA512: fb23c8e0e80cb37337affd699d7f15969766f8efa3b507695b150a418f6c73cd93c4e29b12a83667c08457bd6861b33b80ad3bd91d79b1716c58aeea702641e9
SSDEEP: 6144:tC5ujFI7ZTHzevFiTpTyyGkY/U/no//XkY/U/no//XMMXgMXgMXgMXgMXgMXgMXv:tpS7Rze9QpnGkY/U/no//XkY/U/no//X
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
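The extracted config names the call4_dword_xor encoder, which XORs the payload in 4-byte little-endian blocks with a single fixed 32-bit key. The following is an added example (not code from the sandbox report or from Metasploit) showing how an analyst can recover that key from a memory region without emulating the decoder stub: a known-plaintext attack on the dword XOR. It assumes (labelled in the code) that the decoded payload is a Windows x86 Metasploit stager whose first bytes are FC E8 ?? 00 00 00 60 (cld; call rel32 with a small displacement; pushad); the payload, key and "dump" below are constructed for the demo and are not the sample's shellcode.

```python
"""Recover the 32-bit key of a dword-XOR encoded x86 payload and decode it.

Added example for this report; it is not code from the sandbox or from
Metasploit. It targets the scheme the extracted config names
(call4_dword_xor: the payload is XORed in 4-byte little-endian blocks with one
fixed 32-bit key) using a known-plaintext attack instead of emulating the
decoder stub. ASSUMPTION: the decoded payload is a Windows x86 Metasploit
stager, whose first bytes are  FC E8 ?? 00 00 00 60  (cld; call rel32 with a
small displacement; pushad). The payload and key below are constructed for the
demo; they are not the sample's shellcode.
"""
import struct
from typing import Dict, List, Optional, Tuple

# Known plaintext: byte offset -> expected value. Offsets 0 and 4 both pin key
# byte 0 and offsets 1 and 5 both pin key byte 1, so the redundant pairs double
# as a consistency check against false matches.
STAGER_PREFIX: Dict[int, int] = {0: 0xFC, 1: 0xE8, 3: 0x00, 4: 0x00, 5: 0x00, 6: 0x60}


def xor_dwords(blob: bytes, key: int) -> bytes:
    """XOR each 4-byte little-endian block with key; encoding equals decoding."""
    if len(blob) % 4:
        raise ValueError("dword XOR needs a 4-byte aligned blob")
    return b"".join(struct.pack("<I", d ^ key) for (d,) in struct.iter_unpack("<I", blob))


def recover_key(encoded: bytes, known: Dict[int, int] = STAGER_PREFIX) -> Optional[int]:
    """Derive the key from known plaintext bytes.

    A little-endian dword XOR is a byte-wise XOR with key byte (offset % 4), so
    each known byte yields one key byte. Returns None when the known bytes
    disagree on a key byte (not an encoded stager at this position) or do not
    cover all four byte positions.
    """
    key_bytes: List[Optional[int]] = [None] * 4
    for off, plain in known.items():
        if off >= len(encoded):
            return None
        kb = encoded[off] ^ plain
        pos = off % 4
        if key_bytes[pos] not in (None, kb):
            return None
        key_bytes[pos] = kb
    if None in key_bytes:
        return None
    return int.from_bytes(bytes(key_bytes), "little")


def scan(blob: bytes, known: Dict[int, int] = STAGER_PREFIX) -> List[Tuple[int, int]]:
    """Find candidate encoded stagers anywhere in blob (e.g. a memory region dump).

    The decoder stub XORs relative to its own position, so the payload need not
    be 4-byte aligned within the dump; every offset is tried. With the default
    known bytes only 16 bits are redundant, so in a large dump expect occasional
    false positives and validate the decoded bytes further.
    """
    span = max(known) + 1
    hits = []
    for start in range(len(blob) - span + 1):
        key = recover_key(blob[start:start + span], known)
        if key is not None:
            hits.append((start, key))
    return hits


def decode_at(blob: bytes, start: int, length: int,
              known: Dict[int, int] = STAGER_PREFIX) -> Optional[bytes]:
    """Recover the key at start and return the decoded payload of the given length."""
    key = recover_key(blob[start:], known)
    if key is None:
        return None
    return xor_dwords(blob[start:start + length], key)


# Constructed demo: the public 15-byte Metasploit x86 stager prefix plus a NOP,
# encoded with an arbitrary key, then embedded in filler as a fake "memory dump".
DEMO_PAYLOAD = bytes.fromhex("fce88200000060" "89e531c0648b5030" "90")
DEMO_KEY = 0xDEADBEEF
DEMO_ENCODED = xor_dwords(DEMO_PAYLOAD, DEMO_KEY)
DEMO_DUMP = b"\x00" * 20 + DEMO_ENCODED + b"\xff" * 9

if __name__ == "__main__":
    for off, key in scan(DEMO_DUMP):
        print(f"candidate at 0x{off:x}, key 0x{key:08x}:",
              decode_at(DEMO_DUMP, off, len(DEMO_ENCODED)).hex())
```

Run against one of the 0x400000-0x464000 region dumps listed at the end of this report, scan() yields offset/key candidates and decode_at() the cleartext stager; any candidate whose decoded bytes do not continue like a real stager is a false positive of the 16-bit check and should be discarded.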
- Modifies firewall policy service (2 TTPs, 4 IoCs)
  Process: igfxds64.exe
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxds64.exe = "C:\\Windows\\SysWOW64\\igfxds64.exe:*:Enabled:Intel Display Starter"
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxds64.exe = "C:\\Windows\\SysWOW64\\igfxds64.exe:*:Enabled:Intel Display Starter"
  The value data uses the legacy firewall policy format <path>:<scope>:<Enabled|Disabled>:<display name> (the store written by the deprecated "netsh firewall add allowedprogram"). The "*" scope places no remote-address restriction on the exception, it is Enabled in both the Standard and Domain profiles, and the display name "Intel Display Starter" mimics a graphics-driver component, as does the file name igfxds64.exe.
- Executes dropped EXE (2 IoCs)
  PID 1060 igfxds64.exe
  PID 1992 igfxds64.exe
- UPX packed file (yara rule upx, 13 IoCs)
  behavioral1/memory/1620-{55,57,58,60,64,65,66,67,72}-0x0000000000400000-0x0000000000464000-memory.dmp
  behavioral1/memory/1992-{85,86,87,88}-0x0000000000400000-0x0000000000464000-memory.dmp
  The rule matches the same 0x400000-0x464000 image region in both hollowed processes: the original sample's child (PID 1620) and the dropped copy's child (PID 1992).
- Deletes itself (1 IoCs)
  PID 1992 igfxds64.exe
- Loads dropped DLL (2 IoCs)
  PID 1620 cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe (2 events)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: igfxds64.exe
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Display Starter = "C:\\Windows\\SysWOW64\\igfxds64.exe"
  Persistence is set under the 32-bit (Wow6432Node) Run key, using the same display name as the firewall exception and pointing at the dropped copy in SysWOW64.
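The firewall exception and the Run key above are written by the same process for the same binary under the same display name, which is the pairing a responder wants to hunt for on other hosts. The following is an added example (not code from the sandbox report or from the malware) that parses the legacy AuthorizedApplications\List value format and correlates it with Run-key entries. Its sample input is constructed from this report's IoCs (registry data with single backslashes, as stored; the report prints them escaped) plus one made-up benign Run entry for contrast; read_values() is the live-host path (Windows only, uses winreg) and is not exercised offline.

```python
"""Correlate legacy Windows Firewall application exceptions with Run-key
persistence, the two registry writes this report attributes to igfxds64.exe.

Added example; not code from the sandbox or the malware. The sample data below
is constructed from the report's own IoCs plus one made-up benign Run entry.
On a live host the same dicts can be filled with read_values() (Windows only,
needs winreg; not exercised offline).
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# AuthorizedApplications\List data format (the store written by the deprecated
# "netsh firewall add allowedprogram"): <path>:<scope>:<Enabled|Disabled>:<name>
# The path contains a colon (drive letter) and the name may too, so anchor the
# split on the Enabled/Disabled field rather than on the first or last colon.
AUTH_APP = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$")

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass(frozen=True)
class FirewallException:
    profile: str
    path: str
    scope: str          # "*" = no remote-address restriction
    enabled: bool
    display_name: str


def parse_authorized_app(profile: str, data: str) -> FirewallException:
    m = AUTH_APP.match(data)
    if not m:
        raise ValueError(f"not an AuthorizedApplications entry: {data!r}")
    return FirewallException(profile, m["path"], m["scope"], m["state"] == "Enabled", m["name"])


def norm(path: str) -> str:
    """Windows paths are case-insensitive; normalise before comparing."""
    return ntpath.normpath(path.strip()).lower()


def exe_of(command: str) -> str:
    """Executable of a Run value: a quoted path, else the first token.
    (An unquoted path containing spaces is cut at the first space; that is a
    limitation of the Run-value format itself, not only of this parser.)"""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return norm(command[1:end] if end > 0 else command[1:])
    return norm(command.split(" ", 1)[0])


def correlate(firewall: Dict[str, Dict[str, str]], run: Dict[str, str]) -> List[dict]:
    """firewall: {profile: {value_name: data}}; run: {value_name: command}.
    One finding per binary that has an Enabled, unrestricted ("*") exception in
    any profile AND a Run-key entry pointing at it."""
    by_path: Dict[str, List[FirewallException]] = {}
    for profile, values in firewall.items():
        for data in values.values():
            fw = parse_authorized_app(profile, data)
            if fw.enabled and fw.scope == "*":
                by_path.setdefault(norm(fw.path), []).append(fw)
    findings = []
    for path, fws in sorted(by_path.items()):
        run_names = sorted(name for name, cmd in run.items() if exe_of(cmd) == path)
        if run_names:
            findings.append({
                "path": path,
                "profiles": sorted(f.profile for f in fws),
                "firewall_name": fws[0].display_name,
                "run_values": run_names,
                "in_system_dir": any(path.startswith(d + "\\") for d in SYSTEM_DIRS),
            })
    return findings


def read_values(subkey: str) -> Dict[str, str]:
    """Enumerate string values under HKLM\\<subkey> on a live Windows host."""
    import winreg  # assumption: Windows, with rights to read HKLM\SYSTEM
    out: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:        # raised once the index runs past the last value
                return out
            if isinstance(data, str):
                out[name] = data
            index += 1


# Constructed from the report's IoCs, plus one made-up benign entry for contrast.
FIREWALL_SAMPLE = {
    "Standard": {r"C:\Windows\SysWOW64\igfxds64.exe":
                 r"C:\Windows\SysWOW64\igfxds64.exe:*:Enabled:Intel Display Starter"},
    "Domain": {r"C:\Windows\SysWOW64\igfxds64.exe":
               r"C:\Windows\SysWOW64\igfxds64.exe:*:Enabled:Intel Display Starter"},
}
RUN_SAMPLE = {
    "Intel Display Starter": r"C:\Windows\SysWOW64\igfxds64.exe",
    "ExampleUpdater": r'"C:\Program Files\Example\updater.exe" /background',  # made up
}

if __name__ == "__main__":
    for finding in correlate(FIREWALL_SAMPLE, RUN_SAMPLE):
        print(finding)
```

On a host, feed correlate() the List values of each profile under SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy and the two Run keys (native and Wow6432Node); a hit that also sits in a system directory is the pattern seen here and is worth hashing against the IoCs in this report.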
- Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe, igfxds64.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe, igfxds64.exe)
- Drops file in System32 directory (5 IoCs)
  File opened for modification: C:\Windows\SysWOW64\ (cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe)
  File opened for modification: C:\Windows\SysWOW64\igfxds64.exe (cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe)
  File created: C:\Windows\SysWOW64\igfxds64.exe (cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe)
  File opened for modification: C:\Windows\SysWOW64\ (igfxds64.exe)
  File opened for modification: C:\Windows\SysWOW64\igfxds64.exe (igfxds64.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 1208 (cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe) set thread context of PID 1620 (cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe)
  PID 1060 (igfxds64.exe) set thread context of PID 1992 (igfxds64.exe)
  In both cases a parent starts a child from its own image, writes into it (see the WriteProcessMemory events below) and then resets the child's thread context: the process-hollowing sequence, performed once by the original sample and again by the dropped copy.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: that generic description overstates what was observed here. The only drive-related activity in this report is the Disk\Enum registry read above, and no file encryption or mass file modification is recorded, so nothing on this page supports a ransomware classification.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 1620 cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe (2 events)
  PID 1992 igfxds64.exe (6 events)
- Suspicious use of WriteProcessMemory (22 IoCs)
  PID 1208 (cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe) wrote to memory of PID 1620 (cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe): 8 events
  PID 1620 (cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe) wrote to memory of PID 1060 (igfxds64.exe): 4 events
  PID 1060 (igfxds64.exe) wrote to memory of PID 1992 (igfxds64.exe): 8 events
  PID 1992 (igfxds64.exe) wrote to memory of PID 1388 (Explorer.EXE): 2 events
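Read together, the SetThreadContext and WriteProcessMemory events describe a chain 1208 -> 1620 -> 1060 -> 1992 -> 1388 in which two hops are hollowing of a same-image child and the last hop is a write into Explorer.EXE. The following is an added example (not sandbox code) that rebuilds that chain from event lines in the report's own "PID <src> <action> <dst> <src> <src image> <dst image>" layout and classifies each parent/target pair; the event lines are constructed here from this report's IoCs (the 8 + 4 + 8 + 2 writes and the 2 thread-context events).

```python
"""Rebuild the injection chain from the report's SetThreadContext and
WriteProcessMemory IoC lines and classify each parent/target pair.

Added example; it is not sandbox code. The event lines below are constructed
from this report's own IoCs.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

LINE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)")


@dataclass
class Edge:
    src: int
    dst: int
    src_image: str
    dst_image: str
    writes: int = 0
    thread_context: bool = False


def parse_events(lines: Iterable[str]) -> Dict[Tuple[int, int], Edge]:
    """Aggregate one Edge per (source PID, target PID)."""
    edges: Dict[Tuple[int, int], Edge] = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        src, action, dst = int(m[1]), m[2], int(m[3])
        edge = edges.setdefault((src, dst), Edge(src, dst, m[4], m[5]))
        if action.startswith("set thread context"):
            edge.thread_context = True
        else:
            edge.writes += 1
    return edges


def classify(edge: Edge) -> str:
    """Name the pattern an edge represents."""
    same_image = edge.src_image.lower() == edge.dst_image.lower()
    if edge.thread_context and edge.writes:
        # Writes followed by a thread-context change is the process-hollowing
        # (RunPE) sequence; the several writes are the headers and sections of
        # the replacement image.
        where = "its own image copy" if same_image else edge.dst_image
        return f"process hollowing into {where} ({edge.writes} writes + SetThreadContext)"
    if edge.thread_context:
        return "thread context changed without observed writes"
    return f"cross-process write into {edge.dst_image} ({edge.writes} writes)"


def injection_chain(edges: Dict[Tuple[int, int], Edge], root: int) -> List[int]:
    """Follow edges from root, lowest target PID first, to list the lineage."""
    chain, seen, current = [root], {root}, root
    while True:
        nxt = sorted(d for (s, d) in edges if s == current and d not in seen)
        if not nxt:
            return chain
        current = nxt[0]
        chain.append(current)
        seen.add(current)


def summarise(lines: Iterable[str]) -> List[str]:
    edges = parse_events(lines)
    return [f"{e.src} ({e.src_image}) -> {e.dst} ({e.dst_image}): {classify(e)}"
            for e in sorted(edges.values(), key=lambda e: (e.src, e.dst))]


# Event lines constructed from this report's IoCs.
S = "cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe"
D = "igfxds64.exe"
E = "Explorer.EXE"
EVENTS = (
    [f"PID 1208 set thread context of 1620 1208 {S} {S}",
     f"PID 1060 set thread context of 1992 1060 {D} {D}"]
    + [f"PID 1208 wrote to memory of 1620 1208 {S} {S}"] * 8
    + [f"PID 1620 wrote to memory of 1060 1620 {S} {D}"] * 4
    + [f"PID 1060 wrote to memory of 1992 1060 {D} {D}"] * 8
    + [f"PID 1992 wrote to memory of 1388 1992 {D} {E}"] * 2
)

if __name__ == "__main__":
    print(" -> ".join(map(str, injection_chain(parse_events(EVENTS), 1208))))
    print("\n".join(summarise(EVENTS)))
```

The 1620 -> 1060 hop (writes into the freshly spawned dropped copy, no thread-context change) is left as a plain cross-process write because the report gives no further detail; the two hops with SetThreadContext are the ones to treat as hollowing, and the final write into Explorer.EXE is why the 1388 memory region appears among the dumps.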
Processes
C:\Windows\Explorer.EXE (depth 1, PID 1388)
  Command line: C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe (depth 2, PID 1208)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
C:\Users\Admin\AppData\Local\Temp\cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe (depth 3, PID 1620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c.exe"
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\igfxds64.exe (depth 4, PID 1060)
  Command line: "C:\Windows\SysWOW64\igfxds64.exe" C:\Users\Admin\AppData\Local\Temp\CEE308~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\igfxds64.exe (depth 5, PID 1992)
  Command line: "C:\Windows\SysWOW64\igfxds64.exe" C:\Users\Admin\AppData\Local\Temp\CEE308~1.EXE
  - Modifies firewall policy service
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
PIDs are taken from the SetThreadContext and WriteProcessMemory IoCs above. The dropped copy is launched with the 8.3 short name of the original sample's path as its argument, consistent with the Deletes itself signature raised by PID 1992.
Downloads
- C:\Windows\SysWOW64\igfxds64.exe (also recorded as \Windows\SysWOW64\igfxds64.exe)
  Filesize: 264KB
  MD5: 99443f0fe6928746ba6a8b41fff141d8
  SHA1: 28f1a01d758c7285f8b87eaf78e11588f031cd4f
  SHA256: cee308ef86dc9e5e1516ac483910f5b4d4e9f08576aaa9a16dfcbf64e538c53c
  SHA512: fb23c8e0e80cb37337affd699d7f15969766f8efa3b507695b150a418f6c73cd93c4e29b12a83667c08457bd6861b33b80ad3bd91d79b1716c58aeea702641e9
  The dropped file's size and hashes are identical to the submitted sample's: igfxds64.exe is a byte-for-byte self-copy, so one set of hashes covers both artifacts.
- memory/1060-70-0x0000000000000000-mapping.dmp (PID 1060, igfxds64.exe)
- memory/1388-89-0x0000000002A50000-0x0000000002A6E000-memory.dmp (PID 1388, Explorer.EXE), 120KB; the only dump taken from Explorer.EXE, the process PID 1992 wrote into
- memory/1620-63-0x0000000075D01000-0x0000000075D03000-memory.dmp (PID 1620), 8KB
- memory/1620-{54,55,57,58,60,64,65,66,67,72}-0x0000000000400000-0x0000000000464000-memory.dmp (PID 1620), 400KB each
- memory/1620-61-0x000000000044F470-mapping.dmp (PID 1620)
- memory/1992-{85,86,87,88}-0x0000000000400000-0x0000000000464000-memory.dmp (PID 1992), 400KB each
- memory/1992-81-0x000000000044F470-mapping.dmp (PID 1992)
The 0x400000-0x464000 region (0x64000 bytes = 400KB) is the in-memory image of the two hollowed processes. It is larger than the 264KB file on disk, as expected for a UPX-packed executable unpacked in place, and it is the region the upx yara rule matched. The same mapping address 0x44F470 inside that image is recorded for both PID 1620 and PID 1992, consistent with both being the same unpacked image.