Overview

overview

10

Static

static

3

04232afde9...30.exe

windows7-x64

10

04232afde9...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 03:55

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    04232afde988dbf882ed66355fd24b30.exe

  • Size

    258KB

  • MD5

    04232afde988dbf882ed66355fd24b30

  • SHA1

    a17104dc77f2b6ffa3d431d2d4810e592a735287

  • SHA256

    21ba7b8f019fb3966b00a61aa3d8ee3f9aedbc7b7923d80a40e4adb4e922ca42

  • SHA512

    b385ed1ec7d8e6e156a75de93d5d8410f7a1b4c7259bff69b83786d850e09b78d29c9cab6ae0e70c673985e2849584f00d5e4dc887f59c093952be67a520dd41

  • SSDEEP

    3072:+cavt6S/4etFqwTR2C+KaD0bbNlknbPFjufeNsVhAj6N2SQkOpCGcuHiC55hU1rC:+vVREyJubtumNAI6N26a

Score
10/10
metasploitbackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies firewall policy service 2 TTPs 8 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3396
      • C:\Users\Admin\AppData\Local\Temp\04232afde988dbf882ed66355fd24b30.exe
        "C:\Users\Admin\AppData\Local\Temp\04232afde988dbf882ed66355fd24b30.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\Users\Admin\AppData\Local\Temp\04232afde988dbf882ed66355fd24b30.exe
          "C:\Users\Admin\AppData\Local\Temp\04232afde988dbf882ed66355fd24b30.exe"
          3⤵
          • Checks computer location settings
          • Maps connected drives based on registry
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4156
          • C:\Windows\SysWOW64\igfxbh32.exe
            "C:\Windows\SysWOW64\igfxbh32.exe" C:\Users\Admin\AppData\Local\Temp\04232A~1.EXE
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4072
            • C:\Windows\SysWOW64\igfxbh32.exe
              "C:\Windows\SysWOW64\igfxbh32.exe" C:\Users\Admin\AppData\Local\Temp\04232A~1.EXE
              5⤵
              • Modifies firewall policy service
              • Deletes itself
              • Executes dropped EXE
              • Adds Run key to start application
              • Maps connected drives based on registry
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:3932

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\igfxbh32.exe
            Filesize

            258KB

            MD5

            04232afde988dbf882ed66355fd24b30

            SHA1

            a17104dc77f2b6ffa3d431d2d4810e592a735287

            SHA256

            21ba7b8f019fb3966b00a61aa3d8ee3f9aedbc7b7923d80a40e4adb4e922ca42

            SHA512

            b385ed1ec7d8e6e156a75de93d5d8410f7a1b4c7259bff69b83786d850e09b78d29c9cab6ae0e70c673985e2849584f00d5e4dc887f59c093952be67a520dd41

            Download Submit

          • C:\Windows\SysWOW64\igfxbh32.exe
            Filesize

            231KB

            MD5

            a8b0f12e79f6ac4846515150f45d186a

            SHA1

            1dae58c2c969e791171631936d49c09f466a6455

            SHA256

            44b791ba6240541fe9357dc6a55de2460e8ce31683feffd94747d7531e5ca3a7

            SHA512

            47e2735998ca4b0c598a4126e69b1b98399d90d3e8fd45ad1c4fcedb74f03b8321c8c31648412f64321573a2ea5b83f0cb217869730846e96f5ebad2b5f3c6ae

            Download Submit

          • C:\Windows\SysWOW64\igfxbh32.exe
            Filesize

            197KB

            MD5

            feaf9da207fe5b9c331327ebaec7a5b6

            SHA1

            9c772ef280b2a427c5cfb9b04556f6fa20fa3aa0

            SHA256

            2047e8f60c00f0a29fce7ce1d455531007b645da0628dcbc848e62698fc84841

            SHA512

            f4f7c67401bc660685f1cbb411b3f622667e2b3c3946d840a60cbbde1ac045fa336be171c8f4c34d591fb14d29d6ebde708d589220ac45dc544327e19cb8a8cb

            Download Submit

          • memory/3932-45-0x0000000000400000-0x0000000000467000-memory.dmp

            Filesize

            412KB

            Download

          • memory/3932-57-0x0000000000400000-0x0000000000467000-memory.dmp

            Filesize

            412KB

            Download

          • memory/3932-51-0x0000000000400000-0x0000000000467000-memory.dmp

            Filesize

            412KB

            Download

          • memory/3932-47-0x0000000000400000-0x0000000000467000-memory.dmp

            Filesize

            412KB

            Download

          • memory/3932-46-0x0000000000400000-0x0000000000467000-memory.dmp

            Filesize

            412KB

            Download

          • memory/4156-4-0x0000000000400000-0x0000000000467000-memory.dmp

            Filesize

            412KB

            Download

          • memory/4156-38-0x0000000000400000-0x0000000000467000-memory.dmp

            Filesize

            412KB

            Download

          • memory/4156-0-0x0000000000400000-0x0000000000467000-memory.dmp

            Filesize

            412KB

            Download

          • memory/4156-3-0x0000000000400000-0x0000000000467000-memory.dmp

            Filesize

            412KB

            Download

          • memory/4156-2-0x0000000000400000-0x0000000000467000-memory.dmp

            Filesize

            412KB

            Download