Analysis

max time kernel: 39s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2024, 19:19
Static task: static1

Behavioral task: behavioral1
  Sample: 6dd2c71fa4b1627af5f2f5c2297114c9.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 6dd2c71fa4b1627af5f2f5c2297114c9.exe
  Resource: win10v2004-20231222-en
General

Target: 6dd2c71fa4b1627af5f2f5c2297114c9.exe
Size: 174KB
MD5: 6dd2c71fa4b1627af5f2f5c2297114c9
SHA1: a5d3e31ba83afab3d5fd7f2155632e1384fcdefb
SHA256: 544c6fb7cd6551ed69623b5f1f728b46e20e183e871328bbb731988602bcb1ba
SHA512: 8fe0586578b7ca04374d7c4d1107cc2aa55cc804a6cabeddcda9487322a3495d101c74e40bfe3bd50db4303931012ef59eac55f476ce37d8a978b0ce055b4ee3
SSDEEP: 3072:w6V2H12f5cNyF5N9ntJrS1/dSnILItdzk1+3nyyicvT0ycrE8H+Q+Ya8x:WH1dutVnILkzOyzApx
Malware Config

Extracted: metasploit
encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
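The encoder named in the extracted config is Metasploit's x86/call4_dword_xor: a 24-byte decoder stub that uses a `call $+4` trick to learn its own address, then XORs the payload that follows it dword by dword with a fixed 4-byte key (plain XOR, no feedback, unlike shikata_ga_nai). Because the key and the dword count sit at fixed offsets in the stub, the payload can be recovered statically from a memory dump such as the 0x400000-0x466000 regions listed under the upx yara matches, without executing anything. The following is an added example (mine, not the sandbox's or the sample's code): it encodes a constructed buffer, locates the stub in a blob and decodes the payload. The stub byte layout is reproduced from the Metasploit encoder module from memory; confirm it against modules/encoders/x86/call4_dword_xor.rb in your checkout before relying on the exact byte pattern.

```python
"""Encode, locate and decode Metasploit's x86/call4_dword_xor scheme.

Added example, not code from the analysed sample or from the sandbox. The stub
layout is reproduced from the Metasploit encoder module from memory; verify the
exact bytes against modules/encoders/x86/call4_dword_xor.rb before relying on it.
"""
import re
import struct

# Decoder stub layout (offsets within the stub):
#   00  29 c9                  sub  ecx, ecx
#   02  83 e9 NN               sub  ecx, imm8     ; imm8 = -ndwords, so ecx = ndwords
#   05  e8 ff ff ff ff         call $+4           ; pushes stub+0x0a, lands on its own last byte
#   09  ff c0                  inc  eax           ; the shared 0xff byte decodes as inc eax
#   0b  5e                     pop  esi           ; esi = stub+0x0a
#   0c  81 76 0e KK KK KK KK   xor  dword [esi+0x0e], key   ; esi+0x0e = stub+0x18 = payload
#   13  83 ee fc               sub  esi, -4
#   16  e2 f4                  loop 0x0c
#   18  <encoded payload, ndwords dwords>
STUB_LEN = 0x18
STUB_RE = re.compile(
    rb"\x29\xc9\x83\xe9(.)\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e(.{4})\x83\xee\xfc\xe2\xf4",
    re.DOTALL,
)


def _xor_dwords(data: bytes, key: int) -> bytes:
    return b"".join(
        struct.pack("<I", struct.unpack("<I", data[i:i + 4])[0] ^ key)
        for i in range(0, len(data), 4)
    )


def encode(payload: bytes, key: int) -> bytes:
    """Return stub + XOR-encoded payload, zero-padded to a dword boundary."""
    padded = payload + b"\x00" * (-len(payload) % 4)
    ndwords = len(padded) // 4
    if not 1 <= ndwords <= 127:          # imm8 sign-extended count: at most 127 dwords
        raise ValueError("payload must be 1..508 bytes for this encoder")
    stub = (
        b"\x29\xc9"
        + b"\x83\xe9" + struct.pack("<b", -ndwords)
        + b"\xe8\xff\xff\xff\xff\xc0"
        + b"\x5e"
        + b"\x81\x76\x0e" + struct.pack("<I", key)
        + b"\x83\xee\xfc"
        + b"\xe2\xf4"
    )
    assert len(stub) == STUB_LEN
    return stub + _xor_dwords(padded, key)


def find_stubs(blob: bytes) -> list:
    """Return (offset, key, ndwords) for every decoder stub found in blob."""
    hits = []
    for m in STUB_RE.finditer(blob):
        ndwords = -struct.unpack("<b", m.group(1))[0]
        key = struct.unpack("<I", m.group(2))[0]
        if ndwords > 0:
            hits.append((m.start(), key, ndwords))
    return hits


def decode_at(blob: bytes, offset: int) -> bytes:
    """Do what the stub's loop does, in Python: XOR ndwords dwords after the stub."""
    m = STUB_RE.match(blob, offset)
    if m is None:
        raise ValueError("no call4_dword_xor stub at that offset")
    ndwords = -struct.unpack("<b", m.group(1))[0]
    key = struct.unpack("<I", m.group(2))[0]
    start = offset + STUB_LEN
    return _xor_dwords(blob[start:start + 4 * ndwords], key)


if __name__ == "__main__":
    # Constructed stand-in for shellcode; a real blob would be a sandbox memory dump.
    fake_payload = b"constructed payload, not real shellcode"
    dump = b"\x90" * 16 + encode(fake_payload, 0xDEADBEEF) + b"\xcc" * 8
    for off, key, n in find_stubs(dump):
        print(f"stub at {off:#x}: key={key:#010x} dwords={n}")
        print(decode_at(dump, off).rstrip(b"\x00"))
```

Run `find_stubs` over the unpacked image or the listed memory dumps rather than the packed file on disk: the stub only exists in cleartext once UPX has unpacked the binary in memory. The count byte caps this encoder at 127 dwords, so a stub reporting a non-positive count is a false match, which is why `find_stubs` drops it.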

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | igfxwd32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | 6dd2c71fa4b1627af5f2f5c2297114c9.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | igfxwd32.exe

Deletes itself (1 IoC)
pid | Process
4824 | igfxwd32.exe

Executes dropped EXE (6 IoCs)
pid | Process
5016 | igfxwd32.exe
4824 | igfxwd32.exe
3708 | igfxwd32.exe
1692 | igfxwd32.exe
3592 | igfxwd32.exe
2248 | igfxwd32.exe

Memory dumps matching yara rule upx (36 IoCs)
resource | yara_rule
behavioral2/memory/528-0-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/528-2-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/528-3-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/528-4-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/528-38-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4824-44-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4824-47-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1692-54-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1692-56-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2248-61-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2248-64-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2248-63-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2248-62-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2248-66-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2932-72-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/696-78-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/696-80-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/696-83-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3440-90-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3440-92-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/980-99-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/980-101-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1572-107-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1572-110-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4056-117-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4056-120-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1280-127-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1280-129-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3912-136-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3912-140-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/632-146-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/632-151-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2052-156-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2052-161-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/5048-167-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/5048-171-0x0000000000400000-0x0000000000466000-memory.dmp | upx

Maps connected drives based on registry (3 TTPs, 8 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 6dd2c71fa4b1627af5f2f5c2297114c9.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 6dd2c71fa4b1627af5f2f5c2297114c9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwd32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwd32.exe
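The two registry reads above (Geo\Nation and Disk\Enum\0) are the sample's environment checks: Nation holds the user's configured country as a decimal GEOID string (244 is United States, 203 is Russia), and Disk\Enum\0 holds the device ID of the first disk, which on a hypervisor names the vendor (VMware, VBOX, QEMU). The report only shows that the values were read; which countries or strings the sample compares against was not recovered. The following added example (mine, not the sample's logic) reproduces the decision such checks usually implement against constructed values, and includes a winreg reader for a live Windows host; the blocklist and vendor markers are assumptions chosen from commonly seen checks, not recovered from this sample.

```python
"""Reproduce the two environment checks the report flags, Geo\\Nation and
Disk\\Enum\\0, against constructed registry values.

Added example, mine rather than the sample's logic. The report only shows that
these values were read; BLOCKED_GEOIDS and VM_MARKERS are assumptions chosen
from commonly seen checks, not strings recovered from this sample.
"""
import sys
from typing import Dict, Optional

# Windows GEOIDs as stored in the Nation value (244 = United States, 203 = Russia).
BLOCKED_GEOIDS = frozenset({203, 29, 241})   # assumed blocklist: Russia, Belarus, Ukraine

# Substrings typically searched for in the disk-0 device ID (assumed list).
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")

GEO_NATION = r"HKCU\Control Panel\International\Geo\Nation"
DISK_ENUM0 = r"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum\0"

# Constructed values standing in for what a sandbox VM and a laptop would return.
SANDBOX_REGISTRY = {
    GEO_NATION: "244",
    DISK_ENUM0: r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1b3f1e5a&0&000000",
}
LAPTOP_REGISTRY = {
    GEO_NATION: "203",
    DISK_ENUM0: r"SCSI\Disk&Ven_NVMe&Prod_SAMSUNG_MZVLB512\5&2a7c1e0f&0&000000",
}


def vm_marker_in(device_id: str) -> Optional[str]:
    """Return the first hypervisor marker found in a Disk\\Enum\\0 device ID, else None."""
    upper = device_id.upper()
    return next((m for m in VM_MARKERS if m in upper), None)


def parse_geoid(nation: str) -> Optional[int]:
    """Nation is a REG_SZ holding a decimal number; tolerate garbage or absence."""
    try:
        return int(nation.strip())
    except ValueError:
        return None


def assess(registry: Dict[str, str]) -> dict:
    """Emulate the go/no-go decision such checks usually drive."""
    geoid = parse_geoid(registry.get(GEO_NATION, ""))
    marker = vm_marker_in(registry.get(DISK_ENUM0, ""))
    return {
        "geoid": geoid,
        "geo_blocked": geoid in BLOCKED_GEOIDS,
        "vm_marker": marker,
        "would_run": marker is None and geoid not in BLOCKED_GEOIDS,
    }


def read_live_registry() -> Dict[str, str]:
    """Read the same two values from the host; only meaningful on Windows."""
    if sys.platform != "win32":
        raise OSError("winreg is only available on Windows")
    import winreg  # imported lazily so the module still loads on other platforms
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Control Panel\International\Geo") as k:
        out[GEO_NATION] = str(winreg.QueryValueEx(k, "Nation")[0])
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\ControlSet001\Services\Disk\Enum") as k:
        out[DISK_ENUM0] = str(winreg.QueryValueEx(k, "0")[0])
    return out


if __name__ == "__main__":
    for name, reg in (("sandbox", SANDBOX_REGISTRY), ("laptop", LAPTOP_REGISTRY)):
        print(name, assess(reg))
```

For analysis VMs the practical consequence is the usual one: a Disk\Enum\0 string that names the hypervisor, or a Nation value the sample dislikes, can be enough to make it exit before reaching the behaviour you want to observe, so keep both values looking like a real workstation in the sandbox image.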

Drops file in System32 directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\igfxwd32.exe | igfxwd32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwd32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwd32.exe | igfxwd32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwd32.exe | 6dd2c71fa4b1627af5f2f5c2297114c9.exe
File created | C:\Windows\SysWOW64\igfxwd32.exe | 6dd2c71fa4b1627af5f2f5c2297114c9.exe
File opened for modification | C:\Windows\SysWOW64\igfxwd32.exe | igfxwd32.exe
File created | C:\Windows\SysWOW64\igfxwd32.exe | igfxwd32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwd32.exe
File created | C:\Windows\SysWOW64\igfxwd32.exe | igfxwd32.exe
File created | C:\Windows\SysWOW64\igfxwd32.exe | igfxwd32.exe
File opened for modification | C:\Windows\SysWOW64\ | 6dd2c71fa4b1627af5f2f5c2297114c9.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwd32.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 756 set thread context of 528 | 756 | 6dd2c71fa4b1627af5f2f5c2297114c9.exe | 97
PID 5016 set thread context of 4824 | 5016 | igfxwd32.exe | 102
PID 3708 set thread context of 1692 | 3708 | igfxwd32.exe | 104
PID 3592 set thread context of 2248 | 3592 | igfxwd32.exe | 108

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 6dd2c71fa4b1627af5f2f5c2297114c9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwd32.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
528 | 6dd2c71fa4b1627af5f2f5c2297114c9.exe
528 | 6dd2c71fa4b1627af5f2f5c2297114c9.exe
528 | 6dd2c71fa4b1627af5f2f5c2297114c9.exe
528 | 6dd2c71fa4b1627af5f2f5c2297114c9.exe
4824 | igfxwd32.exe
4824 | igfxwd32.exe
4824 | igfxwd32.exe
4824 | igfxwd32.exe
1692 | igfxwd32.exe
1692 | igfxwd32.exe
1692 | igfxwd32.exe
1692 | igfxwd32.exe
2248 | igfxwd32.exe
2248 | igfxwd32.exe
2248 | igfxwd32.exe
2248 | igfxwd32.exe

Suspicious use of WriteProcessMemory (37 IoCs)
description | pid | Process | procid_target
PID 756 wrote to memory of 528 | 756 | 6dd2c71fa4b1627af5f2f5c2297114c9.exe | 97
PID 756 wrote to memory of 528 | 756 | 6dd2c71fa4b1627af5f2f5c2297114c9.exe | 97
PID 756 wrote to memory of 528 | 756 | 6dd2c71fa4b1627af5f2f5c2297114c9.exe | 97
PID 756 wrote to memory of 528 | 756 | 6dd2c71fa4b1627af5f2f5c2297114c9.exe | 97
PID 756 wrote to memory of 528 | 756 | 6dd2c71fa4b1627af5f2f5c2297114c9.exe | 97
PID 756 wrote to memory of 528 | 756 | 6dd2c71fa4b1627af5f2f5c2297114c9.exe | 97
PID 756 wrote to memory of 528 | 756 | 6dd2c71fa4b1627af5f2f5c2297114c9.exe | 97
PID 528 wrote to memory of 5016 | 528 | 6dd2c71fa4b1627af5f2f5c2297114c9.exe | 100
PID 528 wrote to memory of 5016 | 528 | 6dd2c71fa4b1627af5f2f5c2297114c9.exe | 100
PID 528 wrote to memory of 5016 | 528 | 6dd2c71fa4b1627af5f2f5c2297114c9.exe | 100
PID 5016 wrote to memory of 4824 | 5016 | igfxwd32.exe | 102
PID 5016 wrote to memory of 4824 | 5016 | igfxwd32.exe | 102
PID 5016 wrote to memory of 4824 | 5016 | igfxwd32.exe | 102
PID 5016 wrote to memory of 4824 | 5016 | igfxwd32.exe | 102
PID 5016 wrote to memory of 4824 | 5016 | igfxwd32.exe | 102
PID 5016 wrote to memory of 4824 | 5016 | igfxwd32.exe | 102
PID 5016 wrote to memory of 4824 | 5016 | igfxwd32.exe | 102
PID 4824 wrote to memory of 3708 | 4824 | igfxwd32.exe | 103
PID 4824 wrote to memory of 3708 | 4824 | igfxwd32.exe | 103
PID 4824 wrote to memory of 3708 | 4824 | igfxwd32.exe | 103
PID 3708 wrote to memory of 1692 | 3708 | igfxwd32.exe | 104
PID 3708 wrote to memory of 1692 | 3708 | igfxwd32.exe | 104
PID 3708 wrote to memory of 1692 | 3708 | igfxwd32.exe | 104
PID 3708 wrote to memory of 1692 | 3708 | igfxwd32.exe | 104
PID 3708 wrote to memory of 1692 | 3708 | igfxwd32.exe | 104
PID 3708 wrote to memory of 1692 | 3708 | igfxwd32.exe | 104
PID 3708 wrote to memory of 1692 | 3708 | igfxwd32.exe | 104
PID 1692 wrote to memory of 3592 | 1692 | igfxwd32.exe | 105
PID 1692 wrote to memory of 3592 | 1692 | igfxwd32.exe | 105
PID 1692 wrote to memory of 3592 | 1692 | igfxwd32.exe | 105
PID 3592 wrote to memory of 2248 | 3592 | igfxwd32.exe | 108
PID 3592 wrote to memory of 2248 | 3592 | igfxwd32.exe | 108
PID 3592 wrote to memory of 2248 | 3592 | igfxwd32.exe | 108
PID 3592 wrote to memory of 2248 | 3592 | igfxwd32.exe | 108
PID 3592 wrote to memory of 2248 | 3592 | igfxwd32.exe | 108
PID 3592 wrote to memory of 2248 | 3592 | igfxwd32.exe | 108
PID 3592 wrote to memory of 2248 | 3592 | igfxwd32.exe | 108
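Read together, the SetThreadContext and WriteProcessMemory tables describe a repeating two-step pattern. Each process that resets a thread context (756, 5016, 3708, 3592) does so in a child it spawned from its own image and into which it wrote seven times first; that is the shape of process hollowing (create the child suspended, overwrite its image, point the thread at the new entry point, resume). The pairs in between (528 to 5016, 4824 to 3708, 1692 to 3592) only launch a fresh copy of the dropped igfxwd32.exe, show three writes and no SetThreadContext. What the writes carry is not in the report. The following added example (mine, not sandbox code) rebuilds that chain from the report's own event lines and flags the hollowing pairs; the line grammar it parses is my assumption about how the report renders events.

```python
"""Rebuild the injection chain from report-style event lines and flag the
SetThreadContext targets that fit process hollowing: the target is a child the
source spawned from the same image, and the source wrote into it first.

Added example (mine, not sandbox code). The event lines are transcribed from
the report's own tables and the parent/child map from its process tree. The
line grammar parsed below is my assumption about how the report renders events.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<target>\d+)"
)

SAMPLE = "6dd2c71fa4b1627af5f2f5c2297114c9.exe"
DROPPED = "igfxwd32.exe"

# pid -> (image, parent pid), taken from the Processes section.
PROCESSES: Dict[int, Tuple[str, Optional[int]]] = {
    756: (SAMPLE, None), 528: (SAMPLE, 756),
    5016: (DROPPED, 528), 4824: (DROPPED, 5016),
    3708: (DROPPED, 4824), 1692: (DROPPED, 3708),
    3592: (DROPPED, 1692), 2248: (DROPPED, 3592),
}

SET_CONTEXT_LINES = [
    f"PID 756 set thread context of 528 756 {SAMPLE} 97",
    f"PID 5016 set thread context of 4824 5016 {DROPPED} 102",
    f"PID 3708 set thread context of 1692 3708 {DROPPED} 104",
    f"PID 3592 set thread context of 2248 3592 {DROPPED} 108",
]
WRITE_LINES = (
    [f"PID 756 wrote to memory of 528 756 {SAMPLE} 97"] * 7
    + [f"PID 528 wrote to memory of 5016 528 {SAMPLE} 100"] * 3
    + [f"PID 5016 wrote to memory of 4824 5016 {DROPPED} 102"] * 7
    + [f"PID 4824 wrote to memory of 3708 4824 {DROPPED} 103"] * 3
    + [f"PID 3708 wrote to memory of 1692 3708 {DROPPED} 104"] * 7
    + [f"PID 1692 wrote to memory of 3592 1692 {DROPPED} 105"] * 3
    + [f"PID 3592 wrote to memory of 2248 3592 {DROPPED} 108"] * 7
)


@dataclass(frozen=True)
class Hollowing:
    parent: int
    child: int
    image: str
    writes: int


def parse(line: str) -> Tuple[int, str, int]:
    """Return (source pid, verb, destination pid) from one report event line."""
    m = EVENT_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"unparsed event line: {line!r}")
    return int(m["src"]), m["verb"], int(m["dst"])


def write_counts(lines: List[str]) -> Counter:
    """How many WriteProcessMemory events each (src, dst) pair produced."""
    return Counter((s, d) for s, v, d in map(parse, lines) if v == "wrote to memory of")


def find_hollowing(set_ctx: List[str], writes: List[str],
                   procs: Dict[int, Tuple[str, Optional[int]]]) -> List[Hollowing]:
    """SetThreadContext into a same-image child the source spawned and wrote to."""
    counts = write_counts(writes)
    found = []
    for src, _, dst in map(parse, set_ctx):
        src_img, _ = procs.get(src, ("?", None))
        dst_img, dst_parent = procs.get(dst, ("?", None))
        if dst_parent == src and src_img == dst_img and counts[(src, dst)] > 0:
            found.append(Hollowing(src, dst, dst_img, counts[(src, dst)]))
    return found


def chain(procs: Dict[int, Tuple[str, Optional[int]]], leaf: int) -> List[int]:
    """Walk parent links from a pid back to the root of the tree."""
    path = [leaf]
    while procs[path[-1]][1] is not None:
        path.append(procs[path[-1]][1])
    return path[::-1]


if __name__ == "__main__":
    for h in find_hollowing(SET_CONTEXT_LINES, WRITE_LINES, PROCESSES):
        print(f"{h.parent} hollowed {h.child} ({h.image}) after {h.writes} writes")
    print("chain:", " -> ".join(map(str, chain(PROCESSES, 2248))))
```

The same three conditions (same-image child, writes into it, SetThreadContext on it) are what an EDR rule for hollowing keys on; they are high-signal on their own, but the report does not show the CREATE_SUSPENDED flag or the image-base remapping, so confirm those from a full trace before treating the pattern as conclusive on hosts that run debuggers or self-updating launchers.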
Processes

Each entry is the child of the entry above it (depth n+1 runs under depth n). The command lines reference C:\Windows\system32\igfxwd32.exe, but the 32-bit process is redirected by WOW64 to C:\Windows\SysWOW64\igfxwd32.exe, which is where the dropped file actually lives.

[depth 1] C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe (PID 756)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

[depth 2] C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe (PID 528)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe"
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\SysWOW64\igfxwd32.exe (PID 5016)
  cmdline: "C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\6DD2C7~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\SysWOW64\igfxwd32.exe (PID 4824)
  cmdline: "C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\6DD2C7~1.EXE
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\SysWOW64\igfxwd32.exe (PID 3708)
  cmdline: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\SysWOW64\igfxwd32.exe (PID 1692)
  cmdline: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\SysWOW64\igfxwd32.exe (PID 3592)
  cmdline: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\SysWOW64\igfxwd32.exe (PID 2248)
  cmdline: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses

The remaining entries carry no signatures and all run the same command line, "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe:

[depth 9] C:\Windows\SysWOW64\igfxwd32.exe (PID 2648)
[depth 10] C:\Windows\SysWOW64\igfxwd32.exe (PID 2932)
[depth 11] C:\Windows\SysWOW64\igfxwd32.exe (PID 3496)
[depth 12] C:\Windows\SysWOW64\igfxwd32.exe (PID 696)
[depth 13] C:\Windows\SysWOW64\igfxwd32.exe (PID 1932)
[depth 14] C:\Windows\SysWOW64\igfxwd32.exe (PID 3440)
[depth 15] C:\Windows\SysWOW64\igfxwd32.exe (PID 4732)
[depth 16] C:\Windows\SysWOW64\igfxwd32.exe (PID 980)
[depth 17] C:\Windows\SysWOW64\igfxwd32.exe (PID 4472)
[depth 18] C:\Windows\SysWOW64\igfxwd32.exe (PID 1572)
[depth 19] C:\Windows\SysWOW64\igfxwd32.exe (PID 1080)
[depth 20] C:\Windows\SysWOW64\igfxwd32.exe (PID 4056)
[depth 21] C:\Windows\SysWOW64\igfxwd32.exe (PID 3680)
[depth 22] C:\Windows\SysWOW64\igfxwd32.exe (PID 1280)
[depth 23] C:\Windows\SysWOW64\igfxwd32.exe (PID 3288)
[depth 24] C:\Windows\SysWOW64\igfxwd32.exe (PID 3912)
[depth 25] C:\Windows\SysWOW64\igfxwd32.exe (PID 1228)
[depth 26] C:\Windows\SysWOW64\igfxwd32.exe (PID 632)
[depth 27] C:\Windows\SysWOW64\igfxwd32.exe (PID 880)
[depth 28] C:\Windows\SysWOW64\igfxwd32.exe (PID 2052)
[depth 29] C:\Windows\SysWOW64\igfxwd32.exe (PID 1552)
[depth 30] C:\Windows\SysWOW64\igfxwd32.exe (PID 5048)
[depth 31] C:\Windows\SysWOW64\igfxwd32.exe (PID 2920)
[depth 32] C:\Windows\SysWOW64\igfxwd32.exe (PID 3736)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 57KB
MD5: 887a275bab55e069027c8f1e6b81f3a5
SHA1: 3ca6e636f22c457ad6d8d440647162b07b8bca41
SHA256: 5e94765935b531a236b10b7117a5c2dfd35a6158cf4c7093e8d1928ecf9e535e
SHA512: e41220829c5cbab1b5de80d7e758113e77e9beca028c3de3f215f91fdaf6d4a542b925d90780d5860f54164c9d6af96cf73f142858785605eb00348a9f23c6d1

Filesize: 118KB
MD5: 66e891de6087d139bf4eb069fdb3a98b
SHA1: de6774b4c31f75f7dc7a9fc5dce0c5ddcabd1dc2
SHA256: 8d5e241cc8934584300aaaf669355112ea37e380f6180e15ac7c2bbd1826a780
SHA512: b811defc5db17451fb523eddccfc2758fb08215f8b5c98f98edb302fe759d1e3d248519f3074442b1d16cbc13c73bce23c04f2985308034e2cf7109faab4790a

Filesize: 163KB
MD5: a51cda2fc00d7318b48cd5eab1f95372
SHA1: d5a923852f67d526ac640432a09c73d59ef78980
SHA256: 4f26df4e3e044633d59686f13da90de96f96e7056f8b98ec129caedc2119a5f0
SHA512: 331397260edb482f4f7248d08b5b2cb2076df74feb6d2dd830e527410c9291716ea9b504106fad248d569af28bacf19859a3f395e902c7dec622b09b0a1f5563

Filesize: 149KB
MD5: f122e75424056c351bde23b03ccda54a
SHA1: 41e2b65593cfa8b19bbfb800ea22645a9b65da1f
SHA256: 426e6b5f8e290027c9df6cf1ff36c20e65d935991c8de27a5c9451214e637810
SHA512: ffc7b555c2e5fc12045e363d27a321dc42cd87ff981db76fba67042668e8ce4da8094b75b469a7c396d519b7bfbc145a81457073f2988374b04d746ffe625045

Filesize: 174KB (same hashes as the submitted sample)
MD5: 6dd2c71fa4b1627af5f2f5c2297114c9
SHA1: a5d3e31ba83afab3d5fd7f2155632e1384fcdefb
SHA256: 544c6fb7cd6551ed69623b5f1f728b46e20e183e871328bbb731988602bcb1ba
SHA512: 8fe0586578b7ca04374d7c4d1107cc2aa55cc804a6cabeddcda9487322a3495d101c74e40bfe3bd50db4303931012ef59eac55f476ce37d8a978b0ce055b4ee3

Filesize: 84KB
MD5: f9d1606ea0d50328cbd064375e313f57
SHA1: 5c31c9c7f538410ed80b1e8cba9c233701239c51
SHA256: 396feef00703a2b18050f5476c30fb3d8642f4863220657cc698c72e88408243
SHA512: 61f71613e26a069e156bde026f6853415f46aefd525b132fee1f60c20c1997af1bde2d4faa8d87ff80cf03cd8669aa9e4cc1b4977b147889d9e05f00bf754b93