Analysis

  • max time kernel
    39s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/01/2024, 19:19

General

  • Target

    6dd2c71fa4b1627af5f2f5c2297114c9.exe

  • Size

    174KB

  • MD5

    6dd2c71fa4b1627af5f2f5c2297114c9

  • SHA1

    a5d3e31ba83afab3d5fd7f2155632e1384fcdefb

  • SHA256

    544c6fb7cd6551ed69623b5f1f728b46e20e183e871328bbb731988602bcb1ba

  • SHA512

    8fe0586578b7ca04374d7c4d1107cc2aa55cc804a6cabeddcda9487322a3495d101c74e40bfe3bd50db4303931012ef59eac55f476ce37d8a978b0ce055b4ee3

  • SSDEEP

    3072:w6V2H12f5cNyF5N9ntJrS1/dSnILItdzk1+3nyyicvT0ycrE8H+Q+Ya8x:WH1dutVnILkzOyzApx

Malware Config

Extracted

  • Family
    metasploit
  • Version
    encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 6 IoCs
  • UPX packed file 36 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Maps connected drives based on registry 3 TTPs 8 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe
    "C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe
      "C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe"
      2⤵
      • Checks computer location settings
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:528
      • C:\Windows\SysWOW64\igfxwd32.exe
        "C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\6DD2C7~1.EXE
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:5016
        • C:\Windows\SysWOW64\igfxwd32.exe
          "C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\6DD2C7~1.EXE
          4⤵
          • Checks computer location settings
          • Deletes itself
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4824
          • C:\Windows\SysWOW64\igfxwd32.exe
            "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3708
            • C:\Windows\SysWOW64\igfxwd32.exe
              "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Maps connected drives based on registry
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1692
              • C:\Windows\SysWOW64\igfxwd32.exe
                "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:3592
                • C:\Windows\SysWOW64\igfxwd32.exe
                  "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                  8⤵
                  • Executes dropped EXE
                  • Maps connected drives based on registry
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2248
                  • C:\Windows\SysWOW64\igfxwd32.exe
                    "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                    9⤵
                      PID:2648
                      • C:\Windows\SysWOW64\igfxwd32.exe
                        "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                        10⤵
                          PID:2932
                          • C:\Windows\SysWOW64\igfxwd32.exe
                            "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                            11⤵
                              PID:3496
                              • C:\Windows\SysWOW64\igfxwd32.exe
                                "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                12⤵
                                  PID:696
                                  • C:\Windows\SysWOW64\igfxwd32.exe
                                    "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                    13⤵
                                      PID:1932
                                      • C:\Windows\SysWOW64\igfxwd32.exe
                                        "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                        14⤵
                                          PID:3440
                                          • C:\Windows\SysWOW64\igfxwd32.exe
                                            "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                            15⤵
                                              PID:4732
                                              • C:\Windows\SysWOW64\igfxwd32.exe
                                                "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                16⤵
                                                  PID:980
                                                  • C:\Windows\SysWOW64\igfxwd32.exe
                                                    "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                    17⤵
                                                      PID:4472
                                                      • C:\Windows\SysWOW64\igfxwd32.exe
                                                        "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                        18⤵
                                                          PID:1572
                                                          • C:\Windows\SysWOW64\igfxwd32.exe
                                                            "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                            19⤵
                                                              PID:1080
                                                              • C:\Windows\SysWOW64\igfxwd32.exe
                                                                "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                                20⤵
                                                                  PID:4056
                                                                  • C:\Windows\SysWOW64\igfxwd32.exe
                                                                    "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                                    21⤵
                                                                      PID:3680
                                                                      • C:\Windows\SysWOW64\igfxwd32.exe
                                                                        "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                                        22⤵
                                                                          PID:1280
                                                                          • C:\Windows\SysWOW64\igfxwd32.exe
                                                                            "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                                            23⤵
                                                                              PID:3288
                                                                              • C:\Windows\SysWOW64\igfxwd32.exe
                                                                                "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                                                24⤵
                                                                                  PID:3912
                                                                                  • C:\Windows\SysWOW64\igfxwd32.exe
                                                                                    "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                                                    25⤵
                                                                                      PID:1228
                                                                                      • C:\Windows\SysWOW64\igfxwd32.exe
                                                                                        "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                                                        26⤵
                                                                                          PID:632
                                                                                          • C:\Windows\SysWOW64\igfxwd32.exe
                                                                                            "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                                                            27⤵
                                                                                              PID:880
                                                                                              • C:\Windows\SysWOW64\igfxwd32.exe
                                                                                                "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                                                                28⤵
                                                                                                  PID:2052
                                                                                                  • C:\Windows\SysWOW64\igfxwd32.exe
                                                                                                    "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                                                                    29⤵
                                                                                                      PID:1552
                                                                                                      • C:\Windows\SysWOW64\igfxwd32.exe
                                                                                                        "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                                                                        30⤵
                                                                                                          PID:5048
                                                                                                          • C:\Windows\SysWOW64\igfxwd32.exe
                                                                                                            "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                                                                            31⤵
                                                                                                              PID:2920
                                                                                                              • C:\Windows\SysWOW64\igfxwd32.exe
                                                                                                                "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
                                                                                                                32⤵
                                                                                                                  PID:3736

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\igfxwd32.exe
    Filesize: 57KB
    MD5: 887a275bab55e069027c8f1e6b81f3a5
    SHA1: 3ca6e636f22c457ad6d8d440647162b07b8bca41
    SHA256: 5e94765935b531a236b10b7117a5c2dfd35a6158cf4c7093e8d1928ecf9e535e
    SHA512: e41220829c5cbab1b5de80d7e758113e77e9beca028c3de3f215f91fdaf6d4a542b925d90780d5860f54164c9d6af96cf73f142858785605eb00348a9f23c6d1

  • C:\Windows\SysWOW64\igfxwd32.exe
    Filesize: 118KB
    MD5: 66e891de6087d139bf4eb069fdb3a98b
    SHA1: de6774b4c31f75f7dc7a9fc5dce0c5ddcabd1dc2
    SHA256: 8d5e241cc8934584300aaaf669355112ea37e380f6180e15ac7c2bbd1826a780
    SHA512: b811defc5db17451fb523eddccfc2758fb08215f8b5c98f98edb302fe759d1e3d248519f3074442b1d16cbc13c73bce23c04f2985308034e2cf7109faab4790a

  • C:\Windows\SysWOW64\igfxwd32.exe
    Filesize: 163KB
    MD5: a51cda2fc00d7318b48cd5eab1f95372
    SHA1: d5a923852f67d526ac640432a09c73d59ef78980
    SHA256: 4f26df4e3e044633d59686f13da90de96f96e7056f8b98ec129caedc2119a5f0
    SHA512: 331397260edb482f4f7248d08b5b2cb2076df74feb6d2dd830e527410c9291716ea9b504106fad248d569af28bacf19859a3f395e902c7dec622b09b0a1f5563

  • C:\Windows\SysWOW64\igfxwd32.exe
    Filesize: 149KB
    MD5: f122e75424056c351bde23b03ccda54a
    SHA1: 41e2b65593cfa8b19bbfb800ea22645a9b65da1f
    SHA256: 426e6b5f8e290027c9df6cf1ff36c20e65d935991c8de27a5c9451214e637810
    SHA512: ffc7b555c2e5fc12045e363d27a321dc42cd87ff981db76fba67042668e8ce4da8094b75b469a7c396d519b7bfbc145a81457073f2988374b04d746ffe625045

  • C:\Windows\SysWOW64\igfxwd32.exe
    Filesize: 174KB
    MD5: 6dd2c71fa4b1627af5f2f5c2297114c9
    SHA1: a5d3e31ba83afab3d5fd7f2155632e1384fcdefb
    SHA256: 544c6fb7cd6551ed69623b5f1f728b46e20e183e871328bbb731988602bcb1ba
    SHA512: 8fe0586578b7ca04374d7c4d1107cc2aa55cc804a6cabeddcda9487322a3495d101c74e40bfe3bd50db4303931012ef59eac55f476ce37d8a978b0ce055b4ee3

  • C:\Windows\SysWOW64\igfxwd32.exe
    Filesize: 84KB
    MD5: f9d1606ea0d50328cbd064375e313f57
    SHA1: 5c31c9c7f538410ed80b1e8cba9c233701239c51
    SHA256: 396feef00703a2b18050f5476c30fb3d8642f4863220657cc698c72e88408243
    SHA512: 61f71613e26a069e156bde026f6853415f46aefd525b132fee1f60c20c1997af1bde2d4faa8d87ff80cf03cd8669aa9e4cc1b4977b147889d9e05f00bf754b93

  • memory/528-3-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/528-2-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/528-38-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/528-0-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/528-4-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/632-146-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/632-151-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/696-80-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/696-83-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/696-78-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/980-101-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/980-99-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/1280-127-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/1280-129-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/1572-110-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/1572-107-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/1692-56-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/1692-54-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/2052-161-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/2052-156-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/2248-61-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/2248-66-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/2248-64-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/2248-63-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/2248-62-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/2932-72-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/3440-90-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/3440-92-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/3912-140-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/3912-136-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/4056-120-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/4056-117-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/4824-47-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/4824-44-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/5048-167-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB
  • memory/5048-171-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize: 408KB