metasploit | 92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

Analysis

max time kernel
189s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
Size

141KB
MD5

889270a067578729a4c7cbf0160d4a75
SHA1

622c17ca9219ea136e5df786f55cd3cd97212ee4
SHA256

92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2
SHA512

626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0
SSDEEP

3072:A4YNSelXjMy8gYIeeLcmNlgkXSqfWMYnYZfYJbaf8z2WCmW:A4mcgxeeLcmNy9aWMYEfTWc

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 16 IoCs

Processes:

igfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exe

pid	process
4320	igfxck32.exe
3236	igfxck32.exe
4548	igfxck32.exe
3256	igfxck32.exe
948	igfxck32.exe
1488	igfxck32.exe
1196	igfxck32.exe
4888	igfxck32.exe
4908	igfxck32.exe
1696	igfxck32.exe
2628	igfxck32.exe
1944	igfxck32.exe
4808	igfxck32.exe
4028	igfxck32.exe
3016	igfxck32.exe
4792	igfxck32.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/396-133-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/396-135-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/396-136-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/396-137-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/396-138-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/396-146-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3236-149-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3236-150-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3236-158-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3256-160-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3256-168-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/1488-170-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/1488-177-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4888-180-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4888-183-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/1696-190-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/1696-193-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/1944-200-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/1944-203-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4028-210-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4028-211-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4028-218-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4792-221-0x0000000000400000-0x000000000045A000-memory.dmp	upx

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

igfxck32.exe92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	igfxck32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	igfxck32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	igfxck32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	igfxck32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	igfxck32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	igfxck32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	igfxck32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	igfxck32.exe

Maps connected drives based on registry 3 TTPs 18 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

igfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exe92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxck32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxck32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxck32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxck32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxck32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxck32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxck32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxck32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxck32.exe

Drops file in System32 directory 27 IoCs

Processes:

igfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exe92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exeigfxck32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\igfxck32.exe	igfxck32.exe
File opened for modification	C:\Windows\SysWOW64\igfxck32.exe	igfxck32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxck32.exe
File created	C:\Windows\SysWOW64\igfxck32.exe	igfxck32.exe
File opened for modification	C:\Windows\SysWOW64\igfxck32.exe	igfxck32.exe
File opened for modification	C:\Windows\SysWOW64\igfxck32.exe	igfxck32.exe
File opened for modification	C:\Windows\SysWOW64\igfxck32.exe	igfxck32.exe
File opened for modification	C:\Windows\SysWOW64\igfxck32.exe	igfxck32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxck32.exe
File opened for modification	C:\Windows\SysWOW64\igfxck32.exe	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
File opened for modification	C:\Windows\SysWOW64\	igfxck32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxck32.exe
File opened for modification	C:\Windows\SysWOW64\igfxck32.exe	igfxck32.exe
File created	C:\Windows\SysWOW64\igfxck32.exe	igfxck32.exe
File created	C:\Windows\SysWOW64\igfxck32.exe	igfxck32.exe
File created	C:\Windows\SysWOW64\igfxck32.exe	igfxck32.exe
File created	C:\Windows\SysWOW64\igfxck32.exe	igfxck32.exe
File opened for modification	C:\Windows\SysWOW64\	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
File opened for modification	C:\Windows\SysWOW64\	igfxck32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxck32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxck32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxck32.exe
File opened for modification	C:\Windows\SysWOW64\igfxck32.exe	igfxck32.exe
File created	C:\Windows\SysWOW64\igfxck32.exe	igfxck32.exe
File created	C:\Windows\SysWOW64\igfxck32.exe	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
File opened for modification	C:\Windows\SysWOW64\igfxck32.exe	igfxck32.exe
File created	C:\Windows\SysWOW64\igfxck32.exe	igfxck32.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exe

description	pid	process	target process
PID 1800 set thread context of 396	1800	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
PID 4320 set thread context of 3236	4320	igfxck32.exe	igfxck32.exe
PID 4548 set thread context of 3256	4548	igfxck32.exe	igfxck32.exe
PID 948 set thread context of 1488	948	igfxck32.exe	igfxck32.exe
PID 1196 set thread context of 4888	1196	igfxck32.exe	igfxck32.exe
PID 4908 set thread context of 1696	4908	igfxck32.exe	igfxck32.exe
PID 2628 set thread context of 1944	2628	igfxck32.exe	igfxck32.exe
PID 4808 set thread context of 4028	4808	igfxck32.exe	igfxck32.exe
PID 3016 set thread context of 4792	3016	igfxck32.exe	igfxck32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

igfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exe92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exe

pid	process
396	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
396	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
396	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
396	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
3236	igfxck32.exe
3236	igfxck32.exe
3236	igfxck32.exe
3236	igfxck32.exe
3256	igfxck32.exe
3256	igfxck32.exe
3256	igfxck32.exe
3256	igfxck32.exe
1488	igfxck32.exe
1488	igfxck32.exe
1488	igfxck32.exe
1488	igfxck32.exe
4888	igfxck32.exe
4888	igfxck32.exe
4888	igfxck32.exe
4888	igfxck32.exe
1696	igfxck32.exe
1696	igfxck32.exe
1696	igfxck32.exe
1696	igfxck32.exe
1944	igfxck32.exe
1944	igfxck32.exe
1944	igfxck32.exe
1944	igfxck32.exe
4028	igfxck32.exe
4028	igfxck32.exe
4028	igfxck32.exe
4028	igfxck32.exe
4792	igfxck32.exe
4792	igfxck32.exe
4792	igfxck32.exe
4792	igfxck32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exeigfxck32.exe

description	pid	process	target process
PID 1800 wrote to memory of 396	1800	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
PID 1800 wrote to memory of 396	1800	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
PID 1800 wrote to memory of 396	1800	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
PID 1800 wrote to memory of 396	1800	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
PID 1800 wrote to memory of 396	1800	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
PID 1800 wrote to memory of 396	1800	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
PID 1800 wrote to memory of 396	1800	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
PID 396 wrote to memory of 4320	396	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe	igfxck32.exe
PID 396 wrote to memory of 4320	396	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe	igfxck32.exe
PID 396 wrote to memory of 4320	396	92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe	igfxck32.exe
PID 4320 wrote to memory of 3236	4320	igfxck32.exe	igfxck32.exe
PID 4320 wrote to memory of 3236	4320	igfxck32.exe	igfxck32.exe
PID 4320 wrote to memory of 3236	4320	igfxck32.exe	igfxck32.exe
PID 4320 wrote to memory of 3236	4320	igfxck32.exe	igfxck32.exe
PID 4320 wrote to memory of 3236	4320	igfxck32.exe	igfxck32.exe
PID 4320 wrote to memory of 3236	4320	igfxck32.exe	igfxck32.exe
PID 4320 wrote to memory of 3236	4320	igfxck32.exe	igfxck32.exe
PID 3236 wrote to memory of 4548	3236	igfxck32.exe	igfxck32.exe
PID 3236 wrote to memory of 4548	3236	igfxck32.exe	igfxck32.exe
PID 3236 wrote to memory of 4548	3236	igfxck32.exe	igfxck32.exe
PID 4548 wrote to memory of 3256	4548	igfxck32.exe	igfxck32.exe
PID 4548 wrote to memory of 3256	4548	igfxck32.exe	igfxck32.exe
PID 4548 wrote to memory of 3256	4548	igfxck32.exe	igfxck32.exe
PID 4548 wrote to memory of 3256	4548	igfxck32.exe	igfxck32.exe
PID 4548 wrote to memory of 3256	4548	igfxck32.exe	igfxck32.exe
PID 4548 wrote to memory of 3256	4548	igfxck32.exe	igfxck32.exe
PID 4548 wrote to memory of 3256	4548	igfxck32.exe	igfxck32.exe
PID 3256 wrote to memory of 948	3256	igfxck32.exe	igfxck32.exe
PID 3256 wrote to memory of 948	3256	igfxck32.exe	igfxck32.exe
PID 3256 wrote to memory of 948	3256	igfxck32.exe	igfxck32.exe
PID 948 wrote to memory of 1488	948	igfxck32.exe	igfxck32.exe
PID 948 wrote to memory of 1488	948	igfxck32.exe	igfxck32.exe
PID 948 wrote to memory of 1488	948	igfxck32.exe	igfxck32.exe
PID 948 wrote to memory of 1488	948	igfxck32.exe	igfxck32.exe
PID 948 wrote to memory of 1488	948	igfxck32.exe	igfxck32.exe
PID 948 wrote to memory of 1488	948	igfxck32.exe	igfxck32.exe
PID 948 wrote to memory of 1488	948	igfxck32.exe	igfxck32.exe
PID 1488 wrote to memory of 1196	1488	igfxck32.exe	igfxck32.exe
PID 1488 wrote to memory of 1196	1488	igfxck32.exe	igfxck32.exe
PID 1488 wrote to memory of 1196	1488	igfxck32.exe	igfxck32.exe
PID 1196 wrote to memory of 4888	1196	igfxck32.exe	igfxck32.exe
PID 1196 wrote to memory of 4888	1196	igfxck32.exe	igfxck32.exe
PID 1196 wrote to memory of 4888	1196	igfxck32.exe	igfxck32.exe
PID 1196 wrote to memory of 4888	1196	igfxck32.exe	igfxck32.exe
PID 1196 wrote to memory of 4888	1196	igfxck32.exe	igfxck32.exe
PID 1196 wrote to memory of 4888	1196	igfxck32.exe	igfxck32.exe
PID 1196 wrote to memory of 4888	1196	igfxck32.exe	igfxck32.exe
PID 4888 wrote to memory of 4908	4888	igfxck32.exe	igfxck32.exe
PID 4888 wrote to memory of 4908	4888	igfxck32.exe	igfxck32.exe
PID 4888 wrote to memory of 4908	4888	igfxck32.exe	igfxck32.exe
PID 4908 wrote to memory of 1696	4908	igfxck32.exe	igfxck32.exe
PID 4908 wrote to memory of 1696	4908	igfxck32.exe	igfxck32.exe
PID 4908 wrote to memory of 1696	4908	igfxck32.exe	igfxck32.exe
PID 4908 wrote to memory of 1696	4908	igfxck32.exe	igfxck32.exe
PID 4908 wrote to memory of 1696	4908	igfxck32.exe	igfxck32.exe
PID 4908 wrote to memory of 1696	4908	igfxck32.exe	igfxck32.exe
PID 4908 wrote to memory of 1696	4908	igfxck32.exe	igfxck32.exe
PID 1696 wrote to memory of 2628	1696	igfxck32.exe	igfxck32.exe
PID 1696 wrote to memory of 2628	1696	igfxck32.exe	igfxck32.exe
PID 1696 wrote to memory of 2628	1696	igfxck32.exe	igfxck32.exe
PID 2628 wrote to memory of 1944	2628	igfxck32.exe	igfxck32.exe
PID 2628 wrote to memory of 1944	2628	igfxck32.exe	igfxck32.exe
PID 2628 wrote to memory of 1944	2628	igfxck32.exe	igfxck32.exe
PID 2628 wrote to memory of 1944	2628	igfxck32.exe	igfxck32.exe

C:\Users\Admin\AppData\Local\Temp\92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
"C:\Users\Admin\AppData\Local\Temp\92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe
"C:\Users\Admin\AppData\Local\Temp\92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2.exe"
2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\igfxck32.exe
"C:\Windows\system32\igfxck32.exe" C:\Users\Admin\AppData\Local\Temp\92E875~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\igfxck32.exe
"C:\Windows\system32\igfxck32.exe" C:\Users\Admin\AppData\Local\Temp\92E875~1.EXE
4⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\SysWOW64\igfxck32.exe
"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SysWOW64\igfxck32.exe
"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
6⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\SysWOW64\igfxck32.exe
"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\igfxck32.exe
"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
8⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\igfxck32.exe
"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\igfxck32.exe
"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
10⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\igfxck32.exe
"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SysWOW64\igfxck32.exe
"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
12⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\igfxck32.exe
"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\igfxck32.exe
"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
14⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1944

C:\Windows\SysWOW64\igfxck32.exe
"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4808

C:\Windows\SysWOW64\igfxck32.exe
"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
16⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4028

C:\Windows\SysWOW64\igfxck32.exe
"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3016

C:\Windows\SysWOW64\igfxck32.exe
"C:\Windows\system32\igfxck32.exe" C:\Windows\SysWOW64\igfxck32.exe
18⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
C:\Windows\SysWOW64\igfxck32.exe
Filesize
141KB

MD5
889270a067578729a4c7cbf0160d4a75

SHA1
622c17ca9219ea136e5df786f55cd3cd97212ee4

SHA256
92e875cbfd1e8c71d1c72df50e586a23bae16aae68ce73dd390a348ad2d9e3c2

SHA512
626dab51cb6806c0c4e3b0e941e7c94982dd5a529eafc642fa441b89dbc80e33a8d3b81842802810a89ce3a995d9c40dd41be1274d29038358ed6e05d8edf7d0

Download Submit
memory/396-132-0x0000000000000000-mapping.dmp

Download
memory/396-137-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/396-146-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/396-133-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/396-135-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/396-136-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/396-138-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/948-161-0x0000000000000000-mapping.dmp

Download
memory/1196-171-0x0000000000000000-mapping.dmp

Download
memory/1488-177-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1488-163-0x0000000000000000-mapping.dmp

Download
memory/1488-170-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1696-193-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1696-184-0x0000000000000000-mapping.dmp

Download
memory/1696-190-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1944-200-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1944-203-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1944-194-0x0000000000000000-mapping.dmp

Download
memory/2628-191-0x0000000000000000-mapping.dmp

Download
memory/3016-212-0x0000000000000000-mapping.dmp

Download
memory/3236-142-0x0000000000000000-mapping.dmp

Download
memory/3236-149-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3236-150-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3236-158-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3256-160-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3256-153-0x0000000000000000-mapping.dmp

Download
memory/3256-168-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4028-204-0x0000000000000000-mapping.dmp

Download
memory/4028-210-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4028-211-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4028-218-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4320-139-0x0000000000000000-mapping.dmp

Download
memory/4548-151-0x0000000000000000-mapping.dmp

Download
memory/4792-214-0x0000000000000000-mapping.dmp

Download
memory/4792-221-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4808-201-0x0000000000000000-mapping.dmp

Download
memory/4888-173-0x0000000000000000-mapping.dmp

Download
memory/4888-180-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4888-183-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4908-181-0x0000000000000000-mapping.dmp

Download