Analysis Overview
SHA256
656a3c926ba4c2cd44b4cc4189e69e398959392b5060d4f87bbd7b7e45f59bc8
Threat Level: Known bad
The file 6f98ee6b211b90003ed333a8a669be33 was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Modifies firewall policy service
Loads dropped DLL
UPX packed file
Executes dropped EXE
Deletes itself
Maps connected drives based on registry
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-22 13:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-22 13:52
Reported
2024-01-22 13:54
Platform
win7-20231215-en
Max time kernel
141s
Max time network
123s
Command Line
Signatures
MetaSploit
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxvc32.exe = "C:\\Windows\\SysWOW64\\igfxvc32.exe:*:Enabled:Intel Virtual Server" | C:\Windows\SysWOW64\igfxvc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\igfxvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxvc32.exe = "C:\\Windows\\SysWOW64\\igfxvc32.exe:*:Enabled:Intel Virtual Server" | C:\Windows\SysWOW64\igfxvc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\igfxvc32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\igfxvc32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\igfxvc32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\igfxvc32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Virtual Server = "C:\\Windows\\SysWOW64\\igfxvc32.exe" | C:\Windows\SysWOW64\igfxvc32.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\SysWOW64\igfxvc32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\SysWOW64\igfxvc32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\igfxvc32.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A |
| File created | C:\Windows\SysWOW64\igfxvc32.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\SysWOW64\igfxvc32.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2424 set thread context of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe |
| PID 2840 set thread context of 2856 | N/A | C:\Windows\SysWOW64\igfxvc32.exe | C:\Windows\SysWOW64\igfxvc32.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\igfxvc32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\igfxvc32.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\igfxvc32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe
"C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe"
C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe
"C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe"
C:\Windows\SysWOW64\igfxvc32.exe
"C:\Windows\SysWOW64\igfxvc32.exe" C:\Users\Admin\AppData\Local\Temp\6F98EE~1.EXE
C:\Windows\SysWOW64\igfxvc32.exe
"C:\Windows\SysWOW64\igfxvc32.exe" C:\Users\Admin\AppData\Local\Temp\6F98EE~1.EXE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | s30.intelcore.su | udp |
| KR | 143.248.35.28:80 | tcp | |
| KR | 143.248.35.28:80 | tcp |
Files
memory/624-0-0x0000000000400000-0x000000000044C000-memory.dmp
memory/624-2-0x0000000000400000-0x000000000044C000-memory.dmp
memory/624-4-0x0000000000400000-0x000000000044C000-memory.dmp
memory/624-6-0x0000000000400000-0x000000000044C000-memory.dmp
memory/624-8-0x0000000000400000-0x000000000044C000-memory.dmp
memory/624-10-0x0000000000400000-0x000000000044C000-memory.dmp
memory/624-11-0x0000000000400000-0x000000000044C000-memory.dmp
memory/624-9-0x0000000000400000-0x000000000044C000-memory.dmp
\Windows\SysWOW64\igfxvc32.exe
| MD5 | daf8ad2d8b1cf521c70eb346305f1017 |
| SHA1 | c70f07a3a888cbeb1dd3b1e3cbddcf431e8daf1e |
| SHA256 | f64965304d283f8a5aef08e636d5fe7fda5c842439dc79989edc17194c8ba6e5 |
| SHA512 | 74e618a4e9314afbb3cbf58f6866ebdb5349663e90561f5cab2e07b4c33ecbda1ebb663d69bfeb40b1c1d096d216574e74a69c429458bd3ece3d1d4a90deac93 |
C:\Windows\SysWOW64\igfxvc32.exe
| MD5 | 6f98ee6b211b90003ed333a8a669be33 |
| SHA1 | e8b9f4beb3cb792c5a07c38430d26fdafdb42473 |
| SHA256 | 656a3c926ba4c2cd44b4cc4189e69e398959392b5060d4f87bbd7b7e45f59bc8 |
| SHA512 | 846395e21c77822777f237463668573bc6fda3f15ab6eecfa6e832905ec5dc1cae1b2797a3b53e0497712ab213e52f318d58c6685d12f9428440bac04c18b8e8 |
memory/624-33-0x0000000000400000-0x000000000044C000-memory.dmp
memory/624-34-0x0000000000400000-0x0000000000427000-memory.dmp
memory/2856-35-0x0000000000400000-0x000000000044C000-memory.dmp
memory/1380-36-0x0000000002550000-0x000000000256E000-memory.dmp
memory/1380-37-0x0000000002570000-0x0000000002571000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-22 13:52
Reported
2024-01-22 13:54
Platform
win10v2004-20231215-en
Max time kernel
134s
Max time network
156s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4604 set thread context of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe
"C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe"
C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe
"C:\Users\Admin\AppData\Local\Temp\6f98ee6b211b90003ed333a8a669be33.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1596 -ip 1596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1596 -ip 1596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 376
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.253.116.51.in-addr.arpa | udp |
Files
memory/1596-0-0x0000000000400000-0x000000000044C000-memory.dmp
memory/1596-2-0x0000000000400000-0x000000000044C000-memory.dmp
memory/1596-4-0x0000000000400000-0x0000000000427000-memory.dmp