General

  • Target

    6e2d8686cfea2d3179f01002b5728f5d

  • Size

    344KB

  • Sample

    240121-31csbacbcj

  • MD5

    6e2d8686cfea2d3179f01002b5728f5d

  • SHA1

    7925d3e77125485a9bcae61378a0458a278bff31

  • SHA256

    85580bf956411dd11ed45e6e3217e8b17ff7ac4fd3b3fdc120388a4eabef0ba0

  • SHA512

    f35fd5cf1fd0edc6c1886e5969b61991deed8539a97988e5d589f21425d051952422daff80bcbaf651ab5d767ac4c018263530e39dbe2242b9d282f2081e0e98

  • SSDEEP

    6144:Sn3HgNUJYH+71wXU9tPkIHut6TGvS1OuAD6SYBPTRKhrakaJXNs:Sn3EUJNtPkIOgTGKoVEBPTROUXNs

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

    • Target

      igfxctv32.exe

    • Size

      139KB

    • MD5

      b5202ea069462c2e8b64ff72100faa28

    • SHA1

      7ffd5668f76d34515eb979bc38dde3b4daf84f74

    • SHA256

      d445f21a4bd3aa1d61ad5e26df3535e611d44b1d9c70149987ee6979f8e9d3e4

    • SHA512

      02a1edf3721d8c471f254dcb7dbf0a5b7ed7448e8f37e218fe5f8429b81dff501eb9edf97b628f4eaa4c204ed809349bd3434d6fde8c7988084689a1366670a1

    • SSDEEP

      3072:1whYNSrlVZOlVbKLbHLAxY1RThXrz6hI+hc99r4T183HtlNNuA:Sm6oVbu74Y1RThXr914wH9QA

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      wmpctv32.exe

    • Size

      139KB

    • MD5

      faab0a19040cdb5368b2237656a5cdde

    • SHA1

      7e040852bc17ac3b032d9c9282d3cbd102286d40

    • SHA256

      7524641ec7d2124e05c0aa2a4b874d022d7546a168c3e1fc6719cf2d7dd757a8

    • SHA512

      8be91fe5fe76b0eee45e1681f493d484419ecee704dc2e8e18cc13a5f1b0d86185a70680220c40c3dde20d733a2a36e3b8833cf5b4808cb46dbff35a6beadd78

    • SSDEEP

      3072:F92m5lHWg7MG2KfdzY3cPX321W8DQsalsDVMTJxxaw4vZI6IUw:b7Z7KZ3ccXalamJqG6Id

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks