Analysis
- max time kernel: 229s
- max time network: 294s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2022 06:57
Static task: static1
Behavioral task: behavioral1
  Sample: b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe
  Resource: win10v2004-20220901-en
General
- Target: b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe
- Size: 237KB
- MD5: e8840fbf9dc879cdf2646d9732aaf4fb
- SHA1: b4b9f15c9a97b318aa3ee624704621286610f73d
- SHA256: b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637
- SHA512: 7658a51b5baff89ca68fc0f3defa36ffd2db217dcc7234e292c0cc2fbaa0cf7538b07592820f3f83417c93e46294807876c287b127441488db1a55fa488a099e
- SSDEEP: 3072:eGSriql1GY0iYCN/kkSophVyPb4/zS5DG5OUZ0Twff+Zuw8WyL+u:WWyT0qkxophPpfZ02
Malware Config
Extracted: metasploit
- encoder/call4_dword_xor
call4_dword_xor is Metasploit's Call+4 Dword XOR encoder: the payload bytes are XOR-obfuscated on disk and decoded by a short stub at run time, so byte-level signatures on the encoded stage vary from build to build.
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies firewall policy service (2 TTPs, 4 IoCs)
  Process: igfxhk64.exe
  description | ioc
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxhk64.exe = "C:\\Windows\\SysWOW64\\igfxhk64.exe:*:Enabled:Intel Help Console"
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxhk64.exe = "C:\\Windows\\SysWOW64\\igfxhk64.exe:*:Enabled:Intel Help Console"
  The data follows the legacy per-profile exception-list format used from Windows XP SP2 through Windows 7: path:scope:state:display name. Scope * allows all remote addresses, and "Intel Help Console" is the name the Windows Firewall UI would show for the entry. Writing the exception to both the Standard and Domain profiles means the dropped binary is allowed inbound regardless of which profile is active.
- Executes dropped EXE (2 IoCs)
  pid | process
  1408 | igfxhk64.exe
  1556 | igfxhk64.exe
- UPX packed file (yara rule upx, 15 IoCs)
  resource | yara_rule
  behavioral1/memory/928-{55,57,58,60,63,65,66,67,68,73}-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral1/memory/1556-{86,87,88,89,90}-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  Every hit is on the 0x400000-0x464000 image region of PID 928 and PID 1556, the two child processes that were targeted by SetThreadContext (see below); no hit is recorded for their parents, PID 1516 and PID 1408.
- Deletes itself (1 IoC)
  pid | process
  1556 | igfxhk64.exe
  Note that PID 1556 was started with the original sample's short path (C:\Users\Admin\AppData\Local\Temp\B4C75C~1.EXE) as its only argument (see Processes), so the file removed is the submitted sample in the user's Temp directory, not the SysWOW64 copy.
- Loads dropped DLL (2 IoCs)
  pid | process
  928 | b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe
  928 | b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: igfxhk64.exe
  description | ioc
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Help Console = "C:\\Windows\\SysWOW64\\igfxhk64.exe"
  The Run entry lands under the Wow6432Node (32-bit) view and points at a SysWOW64 path, consistent with the arch:x86 tag: this is a 32-bit process running on the 64-bit guest. The same display name, "Intel Help Console", is reused for the Run value and the firewall exception.
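The two registry signatures above (firewall exception plus Run key) are individually noisy but together describe one binary being both auto-started and whitelisted through the host firewall. The script below is an added example, not part of the sandbox report: it parses "Set value (str)" records in the report's own layout, decodes the legacy path:scope:state:name firewall format, and reports only executables that appear in both places. The regexes, the normalisation rules and the benign OneDrive line are this example's assumptions; the other four input lines are re-typed from the report.

```python
"""Correlate autostart and firewall-exception registry writes from a sandbox report.

Added example (not part of the report). Regexes, record layout and the benign
OneDrive line are this example's own assumptions; the other input lines re-type
the report's 'Set value (str)' records.
"""
import re
from collections import defaultdict

# Constructed input: the report's four 'Set value (str)' records, one per line
# as  <key path>\<value name> = "<data>", plus one constructed benign Run entry.
SAMPLE_RECORDS = r'''
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxhk64.exe = "C:\\Windows\\SysWOW64\\igfxhk64.exe:*:Enabled:Intel Help Console"
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxhk64.exe = "C:\\Windows\\SysWOW64\\igfxhk64.exe:*:Enabled:Intel Help Console"
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Help Console = "C:\\Windows\\SysWOW64\\igfxhk64.exe"
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''

# Legacy (XP SP2 .. Windows 7) firewall exception list: the value name is the
# program path and the data is "<path>:<scope>:<Enabled|Disabled>:<display name>".
FIREWALL_RE = re.compile(
    r'\\FirewallPolicy\\(?P<profile>\w+)\\AuthorizedApplications\\List\\(?P<valname>.+?) = "(?P<data>.*)"$',
    re.I)
# The path may start with a drive letter, so only the first colon belongs to it.
FIREWALL_DATA_RE = re.compile(
    r'^(?P<path>(?:[A-Za-z]:)?[^:]*):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$')
RUN_RE = re.compile(
    r'\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<valname>.+?) = "(?P<data>.*)"$', re.I)
# Executable part of a Run command line, with or without quotes and arguments.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?:\s|$)', re.I)


def _unescape(data):
    """The report prints registry data with doubled backslashes; collapse them."""
    return data.replace('\\\\', '\\')


def _norm(path):
    """Case-insensitive comparison key for a Windows path."""
    return path.strip('"').lower()


def parse_records(text):
    """Return one dict per recognised record; unrelated lines are skipped."""
    out = []
    for line in text.strip().splitlines():
        m = FIREWALL_RE.search(line)
        if m:
            d = FIREWALL_DATA_RE.match(_unescape(m['data']))
            if d:
                out.append({'kind': 'firewall', 'profile': m['profile'],
                            'path': _norm(d['path']), 'scope': d['scope'],
                            'state': d['state'], 'name': d['name']})
            continue
        m = RUN_RE.search(line)
        if m:
            data = _unescape(m['data'])
            e = EXE_RE.match(data)
            out.append({'kind': 'run', 'key': m['key'], 'valname': m['valname'],
                        'path': _norm(e['exe']) if e else _norm(data)})
    return out


def correlate(records):
    """Map executable path -> evidence, keeping only paths that have BOTH an
    autostart entry and an enabled firewall exception."""
    by_path = defaultdict(lambda: {'run_values': [], 'firewall_profiles': [], 'scopes': set()})
    for r in records:
        if r['kind'] == 'run':
            by_path[r['path']]['run_values'].append(r['valname'])
        elif r['kind'] == 'firewall' and r['state'] == 'Enabled':
            by_path[r['path']]['firewall_profiles'].append(r['profile'])
            by_path[r['path']]['scopes'].add(r['scope'])
    return {p: ev for p, ev in by_path.items()
            if ev['run_values'] and ev['firewall_profiles']}


if __name__ == '__main__':
    for path, ev in correlate(parse_records(SAMPLE_RECORDS)).items():
        print(f"{path}: Run value(s) {ev['run_values']}, firewall exception in "
              f"{ev['firewall_profiles']} with scope {sorted(ev['scopes'])}")
```

Run on the report's records this yields exactly one path, c:\windows\syswow64\igfxhk64.exe, with the Run value "Intel Help Console" and enabled exceptions in both StandardProfile and DomainProfile at scope *. The constructed OneDrive Run entry is ignored because no firewall exception accompanies it, which is what keeps the correlation quieter than alerting on either key alone. On a live Windows 7 host the same two locations can be read with reg query; on Windows 10 the firewall rules live under FirewallRules instead of AuthorizedApplications\List, so the firewall regex would need a second pattern there.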
- Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxhk64.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxhk64.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe
- Drops file in System32 directory (5 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\igfxhk64.exe | b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe
  File opened for modification | C:\Windows\SysWOW64\ | igfxhk64.exe
  File opened for modification | C:\Windows\SysWOW64\igfxhk64.exe | igfxhk64.exe
  File opened for modification | C:\Windows\SysWOW64\ | b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe
  File opened for modification | C:\Windows\SysWOW64\igfxhk64.exe | b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | target pid | target process
  set thread context | 1516 | b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe | 928 | b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe
  set thread context | 1408 | igfxhk64.exe | 1556 | igfxhk64.exe
  In both cases the target is a freshly spawned child running the same image as the caller, and the same caller is the one writing into that child (see WriteProcessMemory below): the self-spawn, write, reset-context sequence typical of RunPE-style process hollowing.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is a generic sandbox heuristic; the report records no file encryption or ransom-note activity, and the drive enumeration is consistent with the Disk\Enum registry reads listed under "Maps connected drives based on registry".
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | process
  928 | b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe (2 records)
  1556 | igfxhk64.exe (4 records)
- Suspicious use of WriteProcessMemory (22 IoCs)
  description | pid | process | target pid | target process | records
  wrote to memory of | 1516 | b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe | 928 | b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe | 8
  wrote to memory of | 928 | b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe | 1408 | igfxhk64.exe | 4
  wrote to memory of | 1408 | igfxhk64.exe | 1556 | igfxhk64.exe | 8
  wrote to memory of | 1556 | igfxhk64.exe | 1212 | Explorer.EXE | 2
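The SetThreadContext and WriteProcessMemory records, read together with the parent/child relations in the Processes tree below, are enough to separate two behaviours: hollowing of a self-spawned child (parent and child share an image, the parent writes into the child and then resets its thread context) and a write into a process outside the sample's own lineage (Explorer.EXE). The following is an added example, not code from the report or the sandbox vendor; the event list is constructed from the report's records with repeated rows collapsed to their counts, and the function names are this example's own.

```python
"""Flag RunPE-style hollowing and foreign-process writes in sandbox API records.

Added example (not part of the sandbox report). The process list and event
list below are constructed from the report's Processes tree and its
SetThreadContext / WriteProcessMemory tables; everything else is assumed.
"""
from collections import defaultdict, namedtuple

Proc = namedtuple('Proc', 'pid ppid image')
Event = namedtuple('Event', 'api src dst')   # src/dst are PIDs

SAMPLE = 'b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe'

# Constructed from the report: Explorer -> sample -> sample -> igfxhk64 -> igfxhk64
PROCS = [
    Proc(1212, None, 'explorer.exe'),
    Proc(1516, 1212, SAMPLE),
    Proc(928, 1516, SAMPLE),
    Proc(1408, 928, 'igfxhk64.exe'),
    Proc(1556, 1408, 'igfxhk64.exe'),
]

# Constructed from the report's two signature tables (record counts preserved).
EVENTS = (
    [Event('SetThreadContext', 1516, 928), Event('SetThreadContext', 1408, 1556)]
    + [Event('WriteProcessMemory', 1516, 928)] * 8
    + [Event('WriteProcessMemory', 928, 1408)] * 4
    + [Event('WriteProcessMemory', 1408, 1556)] * 8
    + [Event('WriteProcessMemory', 1556, 1212)] * 2
)


def find_hollowing(procs, events):
    """Return (parent_pid, child_pid, image) for every child that runs the same
    image as its parent and was both written to and had its thread context
    reset by that parent: the classic RunPE / process-hollowing sequence."""
    by_pid = {p.pid: p for p in procs}
    writes = {(e.src, e.dst) for e in events if e.api == 'WriteProcessMemory'}
    ctx = {(e.src, e.dst) for e in events if e.api == 'SetThreadContext'}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if (parent and parent.image.lower() == p.image.lower()
                and (parent.pid, p.pid) in writes and (parent.pid, p.pid) in ctx):
            hits.append((parent.pid, p.pid, p.image))
    return hits


def descendants(procs, root):
    """PIDs of root and everything spawned under it."""
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p.pid)
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children[pid])
    return seen


def find_foreign_writes(procs, events, root):
    """Writes from the sample's lineage into a process outside it, sorted
    as (src_pid, dst_pid, dst_image). Injection into a pre-existing process
    such as Explorer shows up here rather than under hollowing."""
    by_pid = {p.pid: p for p in procs}
    tree = descendants(procs, root)
    return sorted({(e.src, e.dst, by_pid[e.dst].image) for e in events
                   if e.api == 'WriteProcessMemory'
                   and e.src in tree and e.dst not in tree})


if __name__ == '__main__':
    for parent, child, image in find_hollowing(PROCS, EVENTS):
        print(f'hollowing: {parent} -> {child} ({image}); payload runs in PID {child}')
    for src, dst, image in find_foreign_writes(PROCS, EVENTS, 1516):
        print(f'foreign write: {src} -> {dst} ({image})')
```

Applied to this report the hollowing check returns the two pairs 1516 -> 928 and 1408 -> 1556, which are exactly the processes whose memory the yara upx rule matched and to which the sandbox attributed the registry and file activity, so the children are where the unpacked payload executes. The foreign-write check returns only 1556 -> 1212 (Explorer.EXE), matching the 120KB memory/1212-91 dump listed under Downloads. The tree walk is needed because a flat "wrote to another process" rule would also flag the three intra-lineage writes.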
Processes
Tree depth is shown by indentation; PIDs are taken from the SetThreadContext / WriteProcessMemory records above.
C:\Windows\Explorer.EXE (PID 1212)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe (PID 1516)
    command line: "C:\Users\Admin\AppData\Local\Temp\b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe (PID 928)
      command line: "C:\Users\Admin\AppData\Local\Temp\b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637.exe"
      - Loads dropped DLL
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\igfxhk64.exe (PID 1408)
        command line: "C:\Windows\SysWOW64\igfxhk64.exe" C:\Users\Admin\AppData\Local\Temp\B4C75C~1.EXE
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\igfxhk64.exe (PID 1556)
          command line: "C:\Windows\SysWOW64\igfxhk64.exe" C:\Users\Admin\AppData\Local\Temp\B4C75C~1.EXE
          - Modifies firewall policy service
          - Executes dropped EXE
          - Deletes itself
          - Adds Run key to start application
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files
All five dropped-file records carry the same MD5/SHA1/SHA256/SHA512 as the submitted sample (see General): the payload writes an unmodified copy of itself into SysWOW64 under a name that borrows the igfx prefix used by Intel graphics driver components.
- C:\Windows\SysWOW64\igfxhk64.exe (3 records) and \Windows\SysWOW64\igfxhk64.exe (2 records)
  Filesize: 237KB
  MD5: e8840fbf9dc879cdf2646d9732aaf4fb
  SHA1: b4b9f15c9a97b318aa3ee624704621286610f73d
  SHA256: b4c75cde1442704ad67e162fdd087f7b6d0680cd2e349e4a5665e0a948390637
  SHA512: 7658a51b5baff89ca68fc0f3defa36ffd2db217dcc7234e292c0cc2fbaa0cf7538b07592820f3f83417c93e46294807876c287b127441488db1a55fa488a099e
Memory dumps
- memory/928-{54,55,57,58,60,63,65,66,67,68,73}-0x0000000000400000-0x0000000000464000-memory.dmp: 400KB each (image region of PID 928, the first SetThreadContext target)
- memory/928-64-0x0000000076931000-0x0000000076933000-memory.dmp: 8KB
- memory/928-61-0x000000000044F450-mapping.dmp
- memory/1212-91-0x0000000002A00000-0x0000000002A1E000-memory.dmp: 120KB (Explorer.EXE, PID 1212, the WriteProcessMemory target of PID 1556)
- memory/1408-71-0x0000000000000000-mapping.dmp
- memory/1556-82-0x000000000044F450-mapping.dmp (same address as the PID 928 mapping dump, as expected for two instances of the same image)
- memory/1556-{86,87,88,89,90}-0x0000000000400000-0x0000000000464000-memory.dmp: 400KB each (image region of PID 1556, the second SetThreadContext target)