Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 21/01/2024, 23:32
Static task: static1
Behavioral task: behavioral1
  Sample: 6e1fe316ab7a6756dbb43f3985d67afd.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 6e1fe316ab7a6756dbb43f3985d67afd.exe
  Resource: win10v2004-20231222-en
General
Target: 6e1fe316ab7a6756dbb43f3985d67afd.exe
Size: 204KB
MD5: 6e1fe316ab7a6756dbb43f3985d67afd
SHA1: 1d8e30a9165af6cec23708bc829a264c3ba98e8f
SHA256: c04530f2ef21c999c01a0d6322f4c43cbe2554aea5ed1cc0495b134d1f9cf12f
SHA512: db54b2bc2bd627e10af81645479e8052400f9b179beba19f5dd50763d95ea2e00a4fd1731901a4ddea4c5289bf7d0a2b3d429991e53328da1db958b89732c6c8
SSDEEP: 3072:XwQVPSXzF4LiARv7APB6tyTkqIW4OvNphO1KDyOm2bcnWQysOutNOSGudq:gQUXzFEKwqIW4yphO1KiLOufOSGH
Malware Config (extracted)
metasploit
encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Deletes itself (1 IoC)
pid | Process
2400 | igfxsb32.exe
Executes dropped EXE (24 IoCs)
pid | Process
2848 | igfxsb32.exe
2400 | igfxsb32.exe
1372 | igfxsb32.exe
2588 | igfxsb32.exe
1192 | igfxsb32.exe
1056 | igfxsb32.exe
580 | igfxsb32.exe
1476 | igfxsb32.exe
2100 | igfxsb32.exe
272 | igfxsb32.exe
2372 | igfxsb32.exe
1496 | igfxsb32.exe
1572 | igfxsb32.exe
1120 | igfxsb32.exe
1536 | igfxsb32.exe
1628 | igfxsb32.exe
1600 | igfxsb32.exe
2504 | igfxsb32.exe
2884 | igfxsb32.exe
2712 | igfxsb32.exe
2772 | igfxsb32.exe
2608 | igfxsb32.exe
2900 | igfxsb32.exe
2944 | igfxsb32.exe
Loads dropped DLL (48 IoCs)
pid | Process
2520 | 6e1fe316ab7a6756dbb43f3985d67afd.exe
2520 | 6e1fe316ab7a6756dbb43f3985d67afd.exe
2848 | igfxsb32.exe
2848 | igfxsb32.exe
2400 | igfxsb32.exe
2400 | igfxsb32.exe
1372 | igfxsb32.exe
1372 | igfxsb32.exe
2588 | igfxsb32.exe
2588 | igfxsb32.exe
1192 | igfxsb32.exe
1192 | igfxsb32.exe
1056 | igfxsb32.exe
1056 | igfxsb32.exe
580 | igfxsb32.exe
580 | igfxsb32.exe
1476 | igfxsb32.exe
1476 | igfxsb32.exe
2100 | igfxsb32.exe
2100 | igfxsb32.exe
272 | igfxsb32.exe
272 | igfxsb32.exe
2372 | igfxsb32.exe
2372 | igfxsb32.exe
1496 | igfxsb32.exe
1496 | igfxsb32.exe
1572 | igfxsb32.exe
1572 | igfxsb32.exe
1120 | igfxsb32.exe
1120 | igfxsb32.exe
1536 | igfxsb32.exe
1536 | igfxsb32.exe
1628 | igfxsb32.exe
1628 | igfxsb32.exe
1600 | igfxsb32.exe
1600 | igfxsb32.exe
2504 | igfxsb32.exe
2504 | igfxsb32.exe
2884 | igfxsb32.exe
2884 | igfxsb32.exe
2712 | igfxsb32.exe
2712 | igfxsb32.exe
2772 | igfxsb32.exe
2772 | igfxsb32.exe
2608 | igfxsb32.exe
2608 | igfxsb32.exe
2900 | igfxsb32.exe
2900 | igfxsb32.exe
resource | yara_rule
behavioral1/memory/2520-2-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2520-3-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2520-4-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2520-6-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2520-7-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2520-8-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2520-9-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2520-20-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2400-32-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2400-34-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2400-33-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2400-39-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2588-56-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1056-73-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1476-90-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/272-109-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1496-128-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1120-146-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1628-164-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2504-182-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2712-194-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2608-206-0x0000000000400000-0x0000000000455000-memory.dmp | upx
Maps connected drives based on registry (3 TTPs, 26 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 6e1fe316ab7a6756dbb43f3985d67afd.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 6e1fe316ab7a6756dbb43f3985d67afd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Drops file in System32 directory (36 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | 6e1fe316ab7a6756dbb43f3985d67afd.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | 6e1fe316ab7a6756dbb43f3985d67afd.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | 6e1fe316ab7a6756dbb43f3985d67afd.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
Suspicious use of SetThreadContext (13 IoCs)
description | pid | Process | procid_target
PID 1728 set thread context of 2520 | 1728 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 28
PID 2848 set thread context of 2400 | 2848 | igfxsb32.exe | 30
PID 1372 set thread context of 2588 | 1372 | igfxsb32.exe | 32
PID 1192 set thread context of 1056 | 1192 | igfxsb32.exe | 36
PID 580 set thread context of 1476 | 580 | igfxsb32.exe | 38
PID 2100 set thread context of 272 | 2100 | igfxsb32.exe | 40
PID 2372 set thread context of 1496 | 2372 | igfxsb32.exe | 42
PID 1572 set thread context of 1120 | 1572 | igfxsb32.exe | 44
PID 1536 set thread context of 1628 | 1536 | igfxsb32.exe | 46
PID 1600 set thread context of 2504 | 1600 | igfxsb32.exe | 48
PID 2884 set thread context of 2712 | 2884 | igfxsb32.exe | 50
PID 2772 set thread context of 2608 | 2772 | igfxsb32.exe | 52
PID 2900 set thread context of 2944 | 2900 | igfxsb32.exe | 54
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid | Process
2520 | 6e1fe316ab7a6756dbb43f3985d67afd.exe
2520 | 6e1fe316ab7a6756dbb43f3985d67afd.exe
2400 | igfxsb32.exe
2400 | igfxsb32.exe
2588 | igfxsb32.exe
2588 | igfxsb32.exe
1056 | igfxsb32.exe
1056 | igfxsb32.exe
1476 | igfxsb32.exe
1476 | igfxsb32.exe
272 | igfxsb32.exe
272 | igfxsb32.exe
1496 | igfxsb32.exe
1496 | igfxsb32.exe
1120 | igfxsb32.exe
1120 | igfxsb32.exe
1628 | igfxsb32.exe
1628 | igfxsb32.exe
2504 | igfxsb32.exe
2504 | igfxsb32.exe
2712 | igfxsb32.exe
2712 | igfxsb32.exe
2608 | igfxsb32.exe
2608 | igfxsb32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1728 wrote to memory of 2520 | 1728 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 28
PID 1728 wrote to memory of 2520 | 1728 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 28
PID 1728 wrote to memory of 2520 | 1728 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 28
PID 1728 wrote to memory of 2520 | 1728 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 28
PID 1728 wrote to memory of 2520 | 1728 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 28
PID 1728 wrote to memory of 2520 | 1728 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 28
PID 1728 wrote to memory of 2520 | 1728 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 28
PID 2520 wrote to memory of 2848 | 2520 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 29
PID 2520 wrote to memory of 2848 | 2520 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 29
PID 2520 wrote to memory of 2848 | 2520 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 29
PID 2520 wrote to memory of 2848 | 2520 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 29
PID 2848 wrote to memory of 2400 | 2848 | igfxsb32.exe | 30
PID 2848 wrote to memory of 2400 | 2848 | igfxsb32.exe | 30
PID 2848 wrote to memory of 2400 | 2848 | igfxsb32.exe | 30
PID 2848 wrote to memory of 2400 | 2848 | igfxsb32.exe | 30
PID 2848 wrote to memory of 2400 | 2848 | igfxsb32.exe | 30
PID 2848 wrote to memory of 2400 | 2848 | igfxsb32.exe | 30
PID 2848 wrote to memory of 2400 | 2848 | igfxsb32.exe | 30
PID 2400 wrote to memory of 1372 | 2400 | igfxsb32.exe | 31
PID 2400 wrote to memory of 1372 | 2400 | igfxsb32.exe | 31
PID 2400 wrote to memory of 1372 | 2400 | igfxsb32.exe | 31
PID 2400 wrote to memory of 1372 | 2400 | igfxsb32.exe | 31
PID 1372 wrote to memory of 2588 | 1372 | igfxsb32.exe | 32
PID 1372 wrote to memory of 2588 | 1372 | igfxsb32.exe | 32
PID 1372 wrote to memory of 2588 | 1372 | igfxsb32.exe | 32
PID 1372 wrote to memory of 2588 | 1372 | igfxsb32.exe | 32
PID 1372 wrote to memory of 2588 | 1372 | igfxsb32.exe | 32
PID 1372 wrote to memory of 2588 | 1372 | igfxsb32.exe | 32
PID 1372 wrote to memory of 2588 | 1372 | igfxsb32.exe | 32
PID 2588 wrote to memory of 1192 | 2588 | igfxsb32.exe | 33
PID 2588 wrote to memory of 1192 | 2588 | igfxsb32.exe | 33
PID 2588 wrote to memory of 1192 | 2588 | igfxsb32.exe | 33
PID 2588 wrote to memory of 1192 | 2588 | igfxsb32.exe | 33
PID 1192 wrote to memory of 1056 | 1192 | igfxsb32.exe | 36
PID 1192 wrote to memory of 1056 | 1192 | igfxsb32.exe | 36
PID 1192 wrote to memory of 1056 | 1192 | igfxsb32.exe | 36
PID 1192 wrote to memory of 1056 | 1192 | igfxsb32.exe | 36
PID 1192 wrote to memory of 1056 | 1192 | igfxsb32.exe | 36
PID 1192 wrote to memory of 1056 | 1192 | igfxsb32.exe | 36
PID 1192 wrote to memory of 1056 | 1192 | igfxsb32.exe | 36
PID 1056 wrote to memory of 580 | 1056 | igfxsb32.exe | 37
PID 1056 wrote to memory of 580 | 1056 | igfxsb32.exe | 37
PID 1056 wrote to memory of 580 | 1056 | igfxsb32.exe | 37
PID 1056 wrote to memory of 580 | 1056 | igfxsb32.exe | 37
PID 580 wrote to memory of 1476 | 580 | igfxsb32.exe | 38
PID 580 wrote to memory of 1476 | 580 | igfxsb32.exe | 38
PID 580 wrote to memory of 1476 | 580 | igfxsb32.exe | 38
PID 580 wrote to memory of 1476 | 580 | igfxsb32.exe | 38
PID 580 wrote to memory of 1476 | 580 | igfxsb32.exe | 38
PID 580 wrote to memory of 1476 | 580 | igfxsb32.exe | 38
PID 580 wrote to memory of 1476 | 580 | igfxsb32.exe | 38
PID 1476 wrote to memory of 2100 | 1476 | igfxsb32.exe | 39
PID 1476 wrote to memory of 2100 | 1476 | igfxsb32.exe | 39
PID 1476 wrote to memory of 2100 | 1476 | igfxsb32.exe | 39
PID 1476 wrote to memory of 2100 | 1476 | igfxsb32.exe | 39
PID 2100 wrote to memory of 272 | 2100 | igfxsb32.exe | 40
PID 2100 wrote to memory of 272 | 2100 | igfxsb32.exe | 40
PID 2100 wrote to memory of 272 | 2100 | igfxsb32.exe | 40
PID 2100 wrote to memory of 272 | 2100 | igfxsb32.exe | 40
PID 2100 wrote to memory of 272 | 2100 | igfxsb32.exe | 40
PID 2100 wrote to memory of 272 | 2100 | igfxsb32.exe | 40
PID 2100 wrote to memory of 272 | 2100 | igfxsb32.exe | 40
PID 272 wrote to memory of 2372 | 272 | igfxsb32.exe | 41
PID 272 wrote to memory of 2372 | 272 | igfxsb32.exe | 41
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\6e1fe316ab7a6756dbb43f3985d67afd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e1fe316ab7a6756dbb43f3985d67afd.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1728

[depth 2] C:\Users\Admin\AppData\Local\Temp\6e1fe316ab7a6756dbb43f3985d67afd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e1fe316ab7a6756dbb43f3985d67afd.exe"
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2520

[depth 3] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Users\Admin\AppData\Local\Temp\6E1FE3~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2848

[depth 4] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Users\Admin\AppData\Local\Temp\6E1FE3~1.EXE
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2400

[depth 5] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1372

[depth 6] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2588

[depth 7] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1192

[depth 8] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1056

[depth 9] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 580

[depth 10] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1476

[depth 11] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2100

[depth 12] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 272

[depth 13] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2372

[depth 14] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1496

[depth 15] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 1572

[depth 16] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1120

[depth 17] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 1536

[depth 18] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1628

[depth 19] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 1600

[depth 20] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2504

[depth 21] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2884

[depth 22] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2712

[depth 23] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2772

[depth 24] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2608

[depth 25] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2900

[depth 26] C:\Windows\SysWOW64\igfxsb32.exe
  Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
  - Executes dropped EXE
  - Maps connected drives based on registry
  PID: 2944
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 204KB
MD5: 6e1fe316ab7a6756dbb43f3985d67afd
SHA1: 1d8e30a9165af6cec23708bc829a264c3ba98e8f
SHA256: c04530f2ef21c999c01a0d6322f4c43cbe2554aea5ed1cc0495b134d1f9cf12f
SHA512: db54b2bc2bd627e10af81645479e8052400f9b179beba19f5dd50763d95ea2e00a4fd1731901a4ddea4c5289bf7d0a2b3d429991e53328da1db958b89732c6c8