Malware Analysis Report

2025-08-05 12:47

Sample ID 240122-q6gx1agbhr
Target 6f98ee6b211b90003ed333a8a669be33
SHA256 656a3c926ba4c2cd44b4cc4189e69e398959392b5060d4f87bbd7b7e45f59bc8
Tags
metasploit backdoor evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

656a3c926ba4c2cd44b4cc4189e69e398959392b5060d4f87bbd7b7e45f59bc8

Threat Level: Known bad

The file 6f98ee6b211b90003ed333a8a669be33 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion persistence trojan upx

MetaSploit

Modifies firewall policy service

Loads dropped DLL

UPX packed file

Executes dropped EXE

Deletes itself

Maps connected drives based on registry

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-22 13:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 13:52

Reported

2024-01-22 13:54

Platform

win7-20231215-en

Max time kernel

141s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

MetaSploit

trojan backdoor metasploit

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxvc32.exe = "C:\\Windows\\SysWOW64\\igfxvc32.exe:*:Enabled:Intel Virtual Server" | C:\Windows\SysWOW64\igfxvc32.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\igfxvc32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxvc32.exe = "C:\\Windows\\SysWOW64\\igfxvc32.exe:*:Enabled:Intel Virtual Server" | C:\Windows\SysWOW64\igfxvc32.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\igfxvc32.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\igfxvc32.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\igfxvc32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\igfxvc32.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Virtual Server = "C:\\Windows\\SysWOW64\\igfxvc32.exe" | C:\Windows\SysWOW64\igfxvc32.exe | N/A
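
The firewall table under "Modifies firewall policy service" and the Run key table directly above are the pair a responder wants to correlate: the same dropped binary, C:\Windows\SysWOW64\igfxvc32.exe, is both auto-started at logon and whitelisted in the legacy Windows Firewall policy (the SharedAccess\Parameters\FirewallPolicy\...\AuthorizedApplications\List format used on the Windows 7 platform of behavioral1), in both cases under the display name "Intel Virtual Server". The Python below is an added example and is not part of this report or of any sandbox's code. It parses indicator strings in the format the tables use, decodes the legacy AuthorizedApplications value format (path:scope:state:display name), and returns executables that are both persisted via a Run key and granted an Enabled firewall exception. The sample indicators are copied from the two tables; the "Updater" Run entry is constructed as a benign control.

```python
import re

# Constructed sample input: the registry "Set value (str)" indicators from the
# behavioral1 tables (firewall AuthorizedApplications entries and the Run key),
# plus one constructed, benign Run entry for contrast.
SAMPLE_INDICATORS = [
    r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters'
    r'\FirewallPolicy\DomainProfile\AuthorizedApplications\List'
    r'\C:\Windows\SysWOW64\igfxvc32.exe = '
    r'"C:\\Windows\\SysWOW64\\igfxvc32.exe:*:Enabled:Intel Virtual Server"',
    r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters'
    r'\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    r'\C:\Windows\SysWOW64\igfxvc32.exe = '
    r'"C:\\Windows\\SysWOW64\\igfxvc32.exe:*:Enabled:Intel Virtual Server"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion'
    r'\Run\Intel Virtual Server = "C:\\Windows\\SysWOW64\\igfxvc32.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
    r'\Run\Updater = "C:\\Program Files\\Example\\updater.exe"',
]

FW_MARKER = '\\AuthorizedApplications\\List\\'
RUN_MARKER = '\\CurrentVersion\\Run\\'

# Legacy (SharedAccess) AuthorizedApplications value format:
#   <exe path>:<scope>:<Enabled|Disabled>:<display name>
# The path itself contains "C:", so anchor on the drive letter instead of
# splitting on the first colon.
_FW_VALUE = re.compile(
    r'^(?P<path>[A-Za-z]:\\[^:]*):(?P<scope>[^:]*)'
    r':(?P<state>Enabled|Disabled):(?P<name>.*)$'
)
_PROFILE = re.compile(r'\\FirewallPolicy\\([^\\]+)')


def _unescape(raw):
    """Report values are quoted and backslash-doubled; undo both."""
    return raw.strip().strip('"').replace('\\\\', '\\')


def parse_indicator(line):
    """Parse one 'key = "value"' indicator; None if it is neither kind."""
    key, sep, raw = line.partition(' = ')
    if not sep:
        return None
    value = _unescape(raw)
    if FW_MARKER in key:
        parent, _exe = key.split(FW_MARKER, 1)
        m = _FW_VALUE.match(value)
        if not m:
            return None
        profile = _PROFILE.search(parent)
        return {'kind': 'firewall_exception',
                'profile': profile.group(1) if profile else '',
                'path': m['path'].lower(), 'scope': m['scope'],
                'state': m['state'], 'name': m['name']}
    if RUN_MARKER in key:
        _parent, value_name = key.split(RUN_MARKER, 1)
        # Run values may carry arguments; keep only the executable path.
        path = value if value.lower().endswith('.exe') else value.split(' ', 1)[0]
        # A Wow6432Node path means the write was redirected, i.e. it came
        # from a 32-bit process (here the SysWOW64 copy of the sample).
        return {'kind': 'run_key', 'value_name': value_name,
                'path': path.lower(), 'wow64': '\\Wow6432Node\\' in key}
    return None


def correlate(lines):
    """Executables that are both Run-key persisted and whitelisted by an
    Enabled firewall exception: one binary doing persistence and evasion."""
    parsed = [p for p in map(parse_indicator, lines) if p]
    whitelisted = {p['path'] for p in parsed
                   if p['kind'] == 'firewall_exception' and p['state'] == 'Enabled'}
    persisted = {p['path'] for p in parsed if p['kind'] == 'run_key'}
    return sorted(whitelisted & persisted)


if __name__ == '__main__':
    for hit in correlate(SAMPLE_INDICATORS):
        print('persisted and firewall-whitelisted:', hit)
```

The scope field "*" means the exception applies to all remote addresses, so once the Run key fires the implant can accept or make connections without a firewall prompt on either the Domain or the Standard profile. On Windows 8 and later the firewall stores rules under FirewallRules rather than AuthorizedApplications, which is one reason the Windows 10 run (behavioral2) shows no equivalent entries.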

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\SysWOW64\igfxvc32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\SysWOW64\igfxvc32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\ | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A
File opened for modification | C:\Windows\SysWOW64\igfxvc32.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A
File created | C:\Windows\SysWOW64\igfxvc32.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\SysWOW64\igfxvc32.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2424 set thread context of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe
PID 2840 set thread context of 2856 | N/A | C:\Windows\SysWOW64\igfxvc32.exe | C:\Windows\SysWOW64\igfxvc32.exe

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\igfxvc32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2424 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe
PID 2424 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe
PID 2424 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe
PID 2424 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe
PID 2424 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe
PID 2424 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe
PID 2424 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe
PID 624 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | C:\Windows\SysWOW64\igfxvc32.exe
PID 624 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | C:\Windows\SysWOW64\igfxvc32.exe
PID 624 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | C:\Windows\SysWOW64\igfxvc32.exe
PID 624 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | C:\Windows\SysWOW64\igfxvc32.exe
PID 2840 wrote to memory of 2856 | N/A | C:\Windows\SysWOW64\igfxvc32.exe | C:\Windows\SysWOW64\igfxvc32.exe
PID 2840 wrote to memory of 2856 | N/A | C:\Windows\SysWOW64\igfxvc32.exe | C:\Windows\SysWOW64\igfxvc32.exe
PID 2840 wrote to memory of 2856 | N/A | C:\Windows\SysWOW64\igfxvc32.exe | C:\Windows\SysWOW64\igfxvc32.exe
PID 2840 wrote to memory of 2856 | N/A | C:\Windows\SysWOW64\igfxvc32.exe | C:\Windows\SysWOW64\igfxvc32.exe
PID 2840 wrote to memory of 2856 | N/A | C:\Windows\SysWOW64\igfxvc32.exe | C:\Windows\SysWOW64\igfxvc32.exe
PID 2840 wrote to memory of 2856 | N/A | C:\Windows\SysWOW64\igfxvc32.exe | C:\Windows\SysWOW64\igfxvc32.exe
PID 2840 wrote to memory of 2856 | N/A | C:\Windows\SysWOW64\igfxvc32.exe | C:\Windows\SysWOW64\igfxvc32.exe
PID 2856 wrote to memory of 1380 | N/A | C:\Windows\SysWOW64\igfxvc32.exe | C:\Windows\Explorer.EXE
PID 2856 wrote to memory of 1380 | N/A | C:\Windows\SysWOW64\igfxvc32.exe | C:\Windows\Explorer.EXE
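
Read together, the SetThreadContext and WriteProcessMemory rows above (with the UnmapMainImage hits on the same two images) describe one injection chain: the original sample (PID 2424) starts a second copy of itself (PID 624), writes into it and resets its thread context; that copy writes into the dropped igfxvc32.exe (PID 2840, launched with the original's path as an argument, see the Processes list below), which repeats the same write-plus-SetThreadContext sequence into its own copy (PID 2856); and that final copy writes into Explorer.EXE (PID 1380), which is why Explorer appears as the behavioral1 command line. A write followed by SetThreadContext into a suspended copy of the same image is the sequence associated with process hollowing. The Python below is an added example, not part of the report or of any sandbox's code. It parses rows in the table's format, aggregates the calls per (source PID, target PID) pair, labels each pair by the primitives seen on it, and walks the chain from the root PID. The sample rows are reconstructed from the two tables; repeated rows in the report are separate API calls and are counted, not discarded.

```python
import re

# Constructed sample input, reconstructed from the "Suspicious use of
# SetThreadContext" and "Suspicious use of WriteProcessMemory" tables above.
ORIG = r"C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe"
DROP = r"C:\Windows\SysWOW64\igfxvc32.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"


def _row(src, op, dst, src_image, dst_image):
    return f"PID {src} {op} {dst} N/A {src_image} {dst_image}"


SAMPLE_ROWS = (
    [_row(2424, "set thread context of", 624, ORIG, ORIG),
     _row(2840, "set thread context of", 2856, DROP, DROP)]
    + [_row(2424, "wrote to memory of", 624, ORIG, ORIG)] * 7
    + [_row(624, "wrote to memory of", 2840, ORIG, DROP)] * 4
    + [_row(2840, "wrote to memory of", 2856, DROP, DROP)] * 7
    + [_row(2856, "wrote to memory of", 1380, DROP, EXPLORER)] * 2
)

ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def build_edges(rows):
    """Aggregate rows into {(src_pid, dst_pid): call counts and images}."""
    edges = {}
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue  # not a row in the table's format
        key = (int(m["src"]), int(m["dst"]))
        edge = edges.setdefault(key, {"wpm": 0, "stc": 0,
                                      "src_image": m["src_image"],
                                      "dst_image": m["dst_image"]})
        edge["wpm" if m["op"].startswith("wrote") else "stc"] += 1
    return edges


def classify(edge):
    """Label a (src, dst) pair by the primitives observed on it."""
    same_image = edge["src_image"].lower() == edge["dst_image"].lower()
    if edge["wpm"] and edge["stc"] and same_image:
        # Writes then a thread-context reset into a copy of the same image:
        # the process-hollowing pattern (a suspended child gets a new body).
        return "hollowing"
    if edge["wpm"] and not same_image:
        return "write into " + edge["dst_image"].rsplit("\\", 1)[-1]
    return "memory write"


def injection_chain(rows):
    """Walk from the root PID(s) and return [(src, dst, verdict), ...]."""
    edges = build_edges(rows)
    roots = sorted({s for s, _ in edges} - {d for _, d in edges})
    chain, seen = [], set()

    def walk(pid):
        if pid in seen:  # guard against cyclic write patterns
            return
        seen.add(pid)
        for (s, d), edge in sorted(edges.items()):
            if s == pid:
                chain.append((s, d, classify(edge)))
                walk(d)

    for root in roots:
        walk(root)
    return chain


if __name__ == "__main__":
    for src, dst, verdict in injection_chain(SAMPLE_ROWS):
        print(f"{src} -> {dst}: {verdict}")
```

The two "hollowing" hops are where a memory-forensics pass should look: the memory dumps listed under Files for PIDs 624 and 2856 cover 0x400000 to 0x44C000, the image range of the hollowed copies, and the 1380 dumps are the regions written into Explorer.EXE. On the Windows 10 run (behavioral2) the chain stops after the first hop and WerFault.exe is invoked for PID 1596, which is the "Program crash" signature.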

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe

"C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe"

C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe

"C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe"

C:\Windows\SysWOW64\igfxvc32.exe

"C:\Windows\SysWOW64\igfxvc32.exe" C:\Users\Admin\AppData\Local\Temp\6F98EE~1.EXE

C:\Windows\SysWOW64\igfxvc32.exe

"C:\Windows\SysWOW64\igfxvc32.exe" C:\Users\Admin\AppData\Local\Temp\6F98EE~1.EXE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | s30.intelcore.su | udp
KR | 143.248.35.28:80 | | tcp
KR | 143.248.35.28:80 | | tcp

Files

memory/624-0-0x0000000000400000-0x000000000044C000-memory.dmp

memory/624-2-0x0000000000400000-0x000000000044C000-memory.dmp

memory/624-4-0x0000000000400000-0x000000000044C000-memory.dmp

memory/624-6-0x0000000000400000-0x000000000044C000-memory.dmp

memory/624-8-0x0000000000400000-0x000000000044C000-memory.dmp

memory/624-10-0x0000000000400000-0x000000000044C000-memory.dmp

memory/624-11-0x0000000000400000-0x000000000044C000-memory.dmp

memory/624-9-0x0000000000400000-0x000000000044C000-memory.dmp

\Windows\SysWOW64\igfxvc32.exe

MD5 daf8ad2d8b1cf521c70eb346305f1017
SHA1 c70f07a3a888cbeb1dd3b1e3cbddcf431e8daf1e
SHA256 f64965304d283f8a5aef08e636d5fe7fda5c842439dc79989edc17194c8ba6e5
SHA512 74e618a4e9314afbb3cbf58f6866ebdb5349663e90561f5cab2e07b4c33ecbda1ebb663d69bfeb40b1c1d096d216574e74a69c429458bd3ece3d1d4a90deac93

C:\Windows\SysWOW64\igfxvc32.exe

MD5 6f98ee6b211b90003ed333a8a669be33
SHA1 e8b9f4beb3cb792c5a07c38430d26fdafdb42473
SHA256 656a3c926ba4c2cd44b4cc4189e69e398959392b5060d4f87bbd7b7e45f59bc8
SHA512 846395e21c77822777f237463668573bc6fda3f15ab6eecfa6e832905ec5dc1cae1b2797a3b53e0497712ab213e52f318d58c6685d12f9428440bac04c18b8e8

memory/624-33-0x0000000000400000-0x000000000044C000-memory.dmp

memory/624-34-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2856-35-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1380-36-0x0000000002550000-0x000000000256E000-memory.dmp

memory/1380-37-0x0000000002570000-0x0000000002571000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 13:52

Reported

2024-01-22 13:54

Platform

win10v2004-20231215-en

Max time kernel

134s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4604 set thread context of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe

"C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe"

C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe

"C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1596 -ip 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1596 -ip 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 376

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 169.253.116.51.in-addr.arpa | udp

Files

memory/1596-0-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1596-2-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1596-4-0x0000000000400000-0x0000000000427000-memory.dmp