metasploit | 02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
Size

198KB
MD5

72da478f6ecd87e5cfb1d5ac32f25d86
SHA1

86412ed57392d65ecbc7aa5ef86f16b5f3826772
SHA256

02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070
SHA512

a50f6b82d0c077b8c2c6bb5d6c89ec20767f2bb4fdbace3a04deaa257d43fac119630c1ca5914db4bca7f7ae877eed6b9c3bb40c6198e3e0591433b2fb2eee14
SSDEEP

3072:6vZTRN8EQTZBNpLmPMNsEEZsDXu48J3UX/HxRL5WGyF8D92olU7WQYwT:6JRN8jBdmPJbsDXb8J3ioKJvU3Y6

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	igfxdr32.exe

Executes dropped EXE 1 IoCs

pid	Process
1260	igfxdr32.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdr32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
File opened for modification	C:\Windows\SysWOW64\igfxdr32.exe	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
File created	C:\Windows\SysWOW64\igfxdr32.exe	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
1260	igfxdr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe
1260	igfxdr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1260	igfxdr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 1260	4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe	101
PID 4704 wrote to memory of 1260	4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe	101
PID 4704 wrote to memory of 1260	4704	02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe	101
PID 1260 wrote to memory of 3864	1260	igfxdr32.exe	102
PID 1260 wrote to memory of 3864	1260	igfxdr32.exe	102
PID 1260 wrote to memory of 3864	1260	igfxdr32.exe	102

C:\Users\Admin\AppData\Local\Temp\02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe
"C:\Users\Admin\AppData\Local\Temp\02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070.exe"
1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\SysWOW64\igfxdr32.exe
  "C:\Windows\system32\igfxdr32.exe" C:\Users\Admin\AppData\Local\Temp\02974C~1.EXE
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\igfxdr32.exe > nul
    3⤵
    PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4328 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxdr32.exe

Filesize
198KB

MD5
72da478f6ecd87e5cfb1d5ac32f25d86

SHA1
86412ed57392d65ecbc7aa5ef86f16b5f3826772

SHA256
02974ca035c4894e668679edbcb8cf72afc4d900d444bc816fb96093f63e6070

SHA512
a50f6b82d0c077b8c2c6bb5d6c89ec20767f2bb4fdbace3a04deaa257d43fac119630c1ca5914db4bca7f7ae877eed6b9c3bb40c6198e3e0591433b2fb2eee14

Download Submit
memory/1260-43-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1260-48-0x00000000005D0000-0x00000000005D4000-memory.dmp

Filesize
16KB

Download
memory/1260-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1260-45-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1260-44-0x00000000005D0000-0x00000000005D4000-memory.dmp

Filesize
16KB

Download
memory/4704-3-0x0000000000720000-0x0000000000724000-memory.dmp

Filesize
16KB

Download
memory/4704-33-0x0000000000720000-0x0000000000724000-memory.dmp

Filesize
16KB

Download
memory/4704-31-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4704-4-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4704-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4704-46-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4704-2-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4704-1-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download