Analysis
max time kernel: 10s
max time network: 0s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26-01-2024 08:18
Static task: static1
Behavioral task: behavioral1
  Sample: Picture47.JPG.scr
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: Picture47.JPG.scr
  Resource: win10v2004-20231222-en
General
Target: Picture47.JPG.scr
Size: 165KB
MD5: caa0a13bd7ccf6af3241084e4c394647
SHA1: db0e58844b564bb70ab9547e258b55f08737dc78
SHA256: bdd822f9a0c5e69e3897d7feb4950ea58e1119ee5a656a55789c0827ee2bdce0
SHA512: 50bb52758c88a5b40468d5a73977b688be1dd3ec3aecc157ab90f58733086503803b6c473d757c8051c580f4d68ceed82c4b68b89870ad67ace359e027744314
SSDEEP: 3072:jgp5VH1kojjw70iESEDcaQhUxJnumqj12VDo0dzdo7MO:j4bMJE7DcJWxJpYH0Po7M
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  resource                                                                     yara_rule
  behavioral1/memory/2324-2-0x0000000000400000-0x000000000044C000-memory.dmp    upx
  behavioral1/memory/2324-4-0x0000000000400000-0x000000000044C000-memory.dmp    upx
  behavioral1/memory/2324-5-0x0000000000400000-0x000000000044C000-memory.dmp    upx
  behavioral1/memory/2324-10-0x0000000000400000-0x000000000044C000-memory.dmp   upx
  behavioral1/memory/2324-9-0x0000000000400000-0x000000000044C000-memory.dmp    upx
  behavioral1/memory/2324-8-0x0000000000400000-0x000000000044C000-memory.dmp    upx
  behavioral1/memory/2324-7-0x0000000000400000-0x000000000044C000-memory.dmp    upx

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description         ioc                                                           Process
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     Picture47.JPG.scr
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   Picture47.JPG.scr

Drops file in System32 directory (3 IoCs)
  description                    ioc                                Process
  File opened for modification   C:\Windows\SysWOW64\               Picture47.JPG.scr
  File opened for modification   C:\Windows\SysWOW64\igfxvk32.exe   Picture47.JPG.scr
  File created                   C:\Windows\SysWOW64\igfxvk32.exe   Picture47.JPG.scr

Suspicious use of SetThreadContext (1 IoC)
  description                           pid    Process             procid_target
  PID 2264 set thread context of 2324   2264   Picture47.JPG.scr   28

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    Process
  2324   Picture47.JPG.scr
  2324   Picture47.JPG.scr

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid    Process             procid_target
  PID 2264 wrote to memory of 2324   2264   Picture47.JPG.scr   28
  PID 2264 wrote to memory of 2324   2264   Picture47.JPG.scr   28
  PID 2264 wrote to memory of 2324   2264   Picture47.JPG.scr   28
  PID 2264 wrote to memory of 2324   2264   Picture47.JPG.scr   28
  PID 2264 wrote to memory of 2324   2264   Picture47.JPG.scr   28
  PID 2264 wrote to memory of 2324   2264   Picture47.JPG.scr   28
  PID 2264 wrote to memory of 2324   2264   Picture47.JPG.scr   28
Processes

1. C:\Users\Admin\AppData\Local\Temp\Picture47.JPG.scr
   Command line: "C:\Users\Admin\AppData\Local\Temp\Picture47.JPG.scr" /S
   PID: 2264
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Picture47.JPG.scr
      Command line: "C:\Users\Admin\AppData\Local\Temp\Picture47.JPG.scr" /S
      PID: 2324
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses

      3. C:\Windows\SysWOW64\igfxvk32.exe
         Command line: "C:\Windows\SysWOW64\igfxvk32.exe" C:\Users\Admin\AppData\Local\Temp\PICTUR~1.SCR
         PID: 2696

         4. C:\Windows\SysWOW64\igfxvk32.exe
            Command line: "C:\Windows\SysWOW64\igfxvk32.exe" C:\Users\Admin\AppData\Local\Temp\PICTUR~1.SCR
            PID: 2484