Analysis

  • max time kernel
    10s
  • max time network
    0s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26-01-2024 08:18

General

  • Target

    Picture47.JPG.scr

  • Size

    165KB

  • MD5

    caa0a13bd7ccf6af3241084e4c394647

  • SHA1

    db0e58844b564bb70ab9547e258b55f08737dc78

  • SHA256

    bdd822f9a0c5e69e3897d7feb4950ea58e1119ee5a656a55789c0827ee2bdce0

  • SHA512

    50bb52758c88a5b40468d5a73977b688be1dd3ec3aecc157ab90f58733086503803b6c473d757c8051c580f4d68ceed82c4b68b89870ad67ace359e027744314

  • SSDEEP

    3072:jgp5VH1kojjw70iESEDcaQhUxJnumqj12VDo0dzdo7MO:j4bMJE7DcJWxJpYH0Po7M

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Picture47.JPG.scr
    "C:\Users\Admin\AppData\Local\Temp\Picture47.JPG.scr" /S
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Users\Admin\AppData\Local\Temp\Picture47.JPG.scr
      "C:\Users\Admin\AppData\Local\Temp\Picture47.JPG.scr" /S
      2⤵
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2324
      • C:\Windows\SysWOW64\igfxvk32.exe
        "C:\Windows\SysWOW64\igfxvk32.exe" C:\Users\Admin\AppData\Local\Temp\PICTUR~1.SCR
        3⤵
          PID:2696
          • C:\Windows\SysWOW64\igfxvk32.exe
            "C:\Windows\SysWOW64\igfxvk32.exe" C:\Users\Admin\AppData\Local\Temp\PICTUR~1.SCR
            4⤵
              PID:2484

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \Windows\SysWOW64\igfxvk32.exe

        Filesize

        165KB

        MD5

        caa0a13bd7ccf6af3241084e4c394647

        SHA1

        db0e58844b564bb70ab9547e258b55f08737dc78

        SHA256

        bdd822f9a0c5e69e3897d7feb4950ea58e1119ee5a656a55789c0827ee2bdce0

        SHA512

        50bb52758c88a5b40468d5a73977b688be1dd3ec3aecc157ab90f58733086503803b6c473d757c8051c580f4d68ceed82c4b68b89870ad67ace359e027744314

      • memory/2324-0-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB

      • memory/2324-2-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB

      • memory/2324-4-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB

      • memory/2324-5-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB

      • memory/2324-10-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB

      • memory/2324-9-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB

      • memory/2324-8-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB

      • memory/2324-7-0x0000000000400000-0x000000000044C000-memory.dmp

        Filesize

        304KB