Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2024, 23:32
Static task: static1
Behavioral task: behavioral1
  Sample: 6e1fe316ab7a6756dbb43f3985d67afd.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 6e1fe316ab7a6756dbb43f3985d67afd.exe
  Resource: win10v2004-20231222-en
General
Target: 6e1fe316ab7a6756dbb43f3985d67afd.exe
Size: 204KB
MD5: 6e1fe316ab7a6756dbb43f3985d67afd
SHA1: 1d8e30a9165af6cec23708bc829a264c3ba98e8f
SHA256: c04530f2ef21c999c01a0d6322f4c43cbe2554aea5ed1cc0495b134d1f9cf12f
SHA512: db54b2bc2bd627e10af81645479e8052400f9b179beba19f5dd50763d95ea2e00a4fd1731901a4ddea4c5289bf7d0a2b3d429991e53328da1db958b89732c6c8
SSDEEP: 3072:XwQVPSXzF4LiARv7APB6tyTkqIW4OvNphO1KDyOm2bcnWQysOutNOSGudq:gQUXzFEKwqIW4yphO1KiLOufOSGH
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Checks computer location settings (2 TTPs, 13 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxsb32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxsb32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxsb32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxsb32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxsb32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxsb32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | 6e1fe316ab7a6756dbb43f3985d67afd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxsb32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxsb32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxsb32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxsb32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxsb32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxsb32.exe
Deletes itself (1 IoCs)
pid | Process
2764 | igfxsb32.exe
Executes dropped EXE (25 IoCs)
pid | Process
4876 | igfxsb32.exe
2764 | igfxsb32.exe
1028 | igfxsb32.exe
4836 | igfxsb32.exe
3936 | igfxsb32.exe
4028 | igfxsb32.exe
3496 | igfxsb32.exe
3092 | igfxsb32.exe
4448 | igfxsb32.exe
3012 | igfxsb32.exe
372 | igfxsb32.exe
3928 | igfxsb32.exe
2116 | igfxsb32.exe
4364 | igfxsb32.exe
4372 | igfxsb32.exe
2820 | igfxsb32.exe
5056 | igfxsb32.exe
4488 | igfxsb32.exe
1804 | igfxsb32.exe
3348 | igfxsb32.exe
1128 | igfxsb32.exe
4552 | igfxsb32.exe
2828 | igfxsb32.exe
404 | igfxsb32.exe
1016 | igfxsb32.exe

resource | yara_rule
behavioral2/memory/828-0-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/828-2-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/828-4-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/828-3-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/828-38-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2764-43-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2764-45-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2764-47-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/4836-53-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/4836-56-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/4028-63-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/4028-65-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/3092-71-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/3092-75-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/3012-82-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/3012-84-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/3928-90-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/3928-93-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/4364-100-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/4364-102-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2820-109-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/2820-111-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/4488-118-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/4488-120-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/3348-125-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/3348-127-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/3348-126-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/3348-131-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/4552-137-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/4552-142-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/404-147-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/404-152-0x0000000000400000-0x0000000000455000-memory.dmp | upx
Maps connected drives based on registry (3 TTPs, 26 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 6e1fe316ab7a6756dbb43f3985d67afd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 6e1fe316ab7a6756dbb43f3985d67afd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxsb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxsb32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxsb32.exe
Drops file in System32 directory (39 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | 6e1fe316ab7a6756dbb43f3985d67afd.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | 6e1fe316ab7a6756dbb43f3985d67afd.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | 6e1fe316ab7a6756dbb43f3985d67afd.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File created | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
File opened for modification | C:\Windows\SysWOW64\igfxsb32.exe | igfxsb32.exe
Suspicious use of SetThreadContext (13 IoCs)
description | pid | Process | procid_target
PID 1508 set thread context of 828 | 1508 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 93
PID 4876 set thread context of 2764 | 4876 | igfxsb32.exe | 102
PID 1028 set thread context of 4836 | 1028 | igfxsb32.exe | 104
PID 3936 set thread context of 4028 | 3936 | igfxsb32.exe | 108
PID 3496 set thread context of 3092 | 3496 | igfxsb32.exe | 110
PID 4448 set thread context of 3012 | 4448 | igfxsb32.exe | 112
PID 372 set thread context of 3928 | 372 | igfxsb32.exe | 115
PID 2116 set thread context of 4364 | 2116 | igfxsb32.exe | 117
PID 4372 set thread context of 2820 | 4372 | igfxsb32.exe | 119
PID 5056 set thread context of 4488 | 5056 | igfxsb32.exe | 129
PID 1804 set thread context of 3348 | 1804 | igfxsb32.exe | 131
PID 1128 set thread context of 4552 | 1128 | igfxsb32.exe | 133
PID 2828 set thread context of 404 | 2828 | igfxsb32.exe | 138
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (13 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxsb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxsb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxsb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxsb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxsb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxsb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxsb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxsb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxsb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 6e1fe316ab7a6756dbb43f3985d67afd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxsb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxsb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxsb32.exe
Suspicious behavior: EnumeratesProcesses (52 IoCs)
pid | Process
828 | 6e1fe316ab7a6756dbb43f3985d67afd.exe
828 | 6e1fe316ab7a6756dbb43f3985d67afd.exe
828 | 6e1fe316ab7a6756dbb43f3985d67afd.exe
828 | 6e1fe316ab7a6756dbb43f3985d67afd.exe
2764 | igfxsb32.exe
2764 | igfxsb32.exe
2764 | igfxsb32.exe
2764 | igfxsb32.exe
4836 | igfxsb32.exe
4836 | igfxsb32.exe
4836 | igfxsb32.exe
4836 | igfxsb32.exe
4028 | igfxsb32.exe
4028 | igfxsb32.exe
4028 | igfxsb32.exe
4028 | igfxsb32.exe
3092 | igfxsb32.exe
3092 | igfxsb32.exe
3092 | igfxsb32.exe
3092 | igfxsb32.exe
3012 | igfxsb32.exe
3012 | igfxsb32.exe
3012 | igfxsb32.exe
3012 | igfxsb32.exe
3928 | igfxsb32.exe
3928 | igfxsb32.exe
3928 | igfxsb32.exe
3928 | igfxsb32.exe
4364 | igfxsb32.exe
4364 | igfxsb32.exe
4364 | igfxsb32.exe
4364 | igfxsb32.exe
2820 | igfxsb32.exe
2820 | igfxsb32.exe
2820 | igfxsb32.exe
2820 | igfxsb32.exe
4488 | igfxsb32.exe
4488 | igfxsb32.exe
4488 | igfxsb32.exe
4488 | igfxsb32.exe
3348 | igfxsb32.exe
3348 | igfxsb32.exe
3348 | igfxsb32.exe
3348 | igfxsb32.exe
4552 | igfxsb32.exe
4552 | igfxsb32.exe
4552 | igfxsb32.exe
4552 | igfxsb32.exe
404 | igfxsb32.exe
404 | igfxsb32.exe
404 | igfxsb32.exe
404 | igfxsb32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1508 wrote to memory of 828 | 1508 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 93
PID 1508 wrote to memory of 828 | 1508 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 93
PID 1508 wrote to memory of 828 | 1508 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 93
PID 1508 wrote to memory of 828 | 1508 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 93
PID 1508 wrote to memory of 828 | 1508 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 93
PID 1508 wrote to memory of 828 | 1508 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 93
PID 1508 wrote to memory of 828 | 1508 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 93
PID 828 wrote to memory of 4876 | 828 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 101
PID 828 wrote to memory of 4876 | 828 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 101
PID 828 wrote to memory of 4876 | 828 | 6e1fe316ab7a6756dbb43f3985d67afd.exe | 101
PID 4876 wrote to memory of 2764 | 4876 | igfxsb32.exe | 102
PID 4876 wrote to memory of 2764 | 4876 | igfxsb32.exe | 102
PID 4876 wrote to memory of 2764 | 4876 | igfxsb32.exe | 102
PID 4876 wrote to memory of 2764 | 4876 | igfxsb32.exe | 102
PID 4876 wrote to memory of 2764 | 4876 | igfxsb32.exe | 102
PID 4876 wrote to memory of 2764 | 4876 | igfxsb32.exe | 102
PID 4876 wrote to memory of 2764 | 4876 | igfxsb32.exe | 102
PID 2764 wrote to memory of 1028 | 2764 | igfxsb32.exe | 103
PID 2764 wrote to memory of 1028 | 2764 | igfxsb32.exe | 103
PID 2764 wrote to memory of 1028 | 2764 | igfxsb32.exe | 103
PID 1028 wrote to memory of 4836 | 1028 | igfxsb32.exe | 104
PID 1028 wrote to memory of 4836 | 1028 | igfxsb32.exe | 104
PID 1028 wrote to memory of 4836 | 1028 | igfxsb32.exe | 104
PID 1028 wrote to memory of 4836 | 1028 | igfxsb32.exe | 104
PID 1028 wrote to memory of 4836 | 1028 | igfxsb32.exe | 104
PID 1028 wrote to memory of 4836 | 1028 | igfxsb32.exe | 104
PID 1028 wrote to memory of 4836 | 1028 | igfxsb32.exe | 104
PID 4836 wrote to memory of 3936 | 4836 | igfxsb32.exe | 107
PID 4836 wrote to memory of 3936 | 4836 | igfxsb32.exe | 107
PID 4836 wrote to memory of 3936 | 4836 | igfxsb32.exe | 107
PID 3936 wrote to memory of 4028 | 3936 | igfxsb32.exe | 108
PID 3936 wrote to memory of 4028 | 3936 | igfxsb32.exe | 108
PID 3936 wrote to memory of 4028 | 3936 | igfxsb32.exe | 108
PID 3936 wrote to memory of 4028 | 3936 | igfxsb32.exe | 108
PID 3936 wrote to memory of 4028 | 3936 | igfxsb32.exe | 108
PID 3936 wrote to memory of 4028 | 3936 | igfxsb32.exe | 108
PID 3936 wrote to memory of 4028 | 3936 | igfxsb32.exe | 108
PID 4028 wrote to memory of 3496 | 4028 | igfxsb32.exe | 109
PID 4028 wrote to memory of 3496 | 4028 | igfxsb32.exe | 109
PID 4028 wrote to memory of 3496 | 4028 | igfxsb32.exe | 109
PID 3496 wrote to memory of 3092 | 3496 | igfxsb32.exe | 110
PID 3496 wrote to memory of 3092 | 3496 | igfxsb32.exe | 110
PID 3496 wrote to memory of 3092 | 3496 | igfxsb32.exe | 110
PID 3496 wrote to memory of 3092 | 3496 | igfxsb32.exe | 110
PID 3496 wrote to memory of 3092 | 3496 | igfxsb32.exe | 110
PID 3496 wrote to memory of 3092 | 3496 | igfxsb32.exe | 110
PID 3496 wrote to memory of 3092 | 3496 | igfxsb32.exe | 110
PID 3092 wrote to memory of 4448 | 3092 | igfxsb32.exe | 111
PID 3092 wrote to memory of 4448 | 3092 | igfxsb32.exe | 111
PID 3092 wrote to memory of 4448 | 3092 | igfxsb32.exe | 111
PID 4448 wrote to memory of 3012 | 4448 | igfxsb32.exe | 112
PID 4448 wrote to memory of 3012 | 4448 | igfxsb32.exe | 112
PID 4448 wrote to memory of 3012 | 4448 | igfxsb32.exe | 112
PID 4448 wrote to memory of 3012 | 4448 | igfxsb32.exe | 112
PID 4448 wrote to memory of 3012 | 4448 | igfxsb32.exe | 112
PID 4448 wrote to memory of 3012 | 4448 | igfxsb32.exe | 112
PID 4448 wrote to memory of 3012 | 4448 | igfxsb32.exe | 112
PID 3012 wrote to memory of 372 | 3012 | igfxsb32.exe | 114
PID 3012 wrote to memory of 372 | 3012 | igfxsb32.exe | 114
PID 3012 wrote to memory of 372 | 3012 | igfxsb32.exe | 114
PID 372 wrote to memory of 3928 | 372 | igfxsb32.exe | 115
PID 372 wrote to memory of 3928 | 372 | igfxsb32.exe | 115
PID 372 wrote to memory of 3928 | 372 | igfxsb32.exe | 115
PID 372 wrote to memory of 3928 | 372 | igfxsb32.exe | 115
Processes
Process tree; the number in brackets is the depth in the tree, and each entry is a child of the one above it.

[1] C:\Users\Admin\AppData\Local\Temp\6e1fe316ab7a6756dbb43f3985d67afd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6e1fe316ab7a6756dbb43f3985d67afd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 1508

[2] C:\Users\Admin\AppData\Local\Temp\6e1fe316ab7a6756dbb43f3985d67afd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6e1fe316ab7a6756dbb43f3985d67afd.exe"
    - Checks computer location settings
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 828

[3] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Users\Admin\AppData\Local\Temp\6E1FE3~1.EXE
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 4876

[4] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Users\Admin\AppData\Local\Temp\6E1FE3~1.EXE
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2764

[5] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 1028

[6] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4836

[7] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3936

[8] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4028

[9] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3496

[10] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3092

[11] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 4448

[12] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3012

[13] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 372

[14] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID: 3928

[15] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID: 2116

[16] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID: 4364

[17] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID: 4372

[18] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID: 2820

[19] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID: 5056

[20] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID: 4488

[21] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID: 1804

[22] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID: 3348

[23] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID: 1128

[24] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID: 4552

[25] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID: 2828

[26] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID: 404

[27] C:\Windows\SysWOW64\igfxsb32.exe
    Command line: "C:\Windows\system32\igfxsb32.exe" C:\Windows\SysWOW64\igfxsb32.exe
    - Executes dropped EXE
    PID: 1016
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 204KB
MD5: 6e1fe316ab7a6756dbb43f3985d67afd
SHA1: 1d8e30a9165af6cec23708bc829a264c3ba98e8f
SHA256: c04530f2ef21c999c01a0d6322f4c43cbe2554aea5ed1cc0495b134d1f9cf12f
SHA512: db54b2bc2bd627e10af81645479e8052400f9b179beba19f5dd50763d95ea2e00a4fd1731901a4ddea4c5289bf7d0a2b3d429991e53328da1db958b89732c6c8

Filesize: 133KB
MD5: 42ee747b77893b9645d430f8197a1a99
SHA1: 5a731dd78ae785218053d9ec4612224a5ec54da3
SHA256: 9294899d5233fe2915a1f9a336304328471f85d699a96232a0f765cecc2a9d8a
SHA512: 094dbdb0b224e332c7906f87a616732284ad33ef335a69122a5c0ae7632cbd66ba14b6493cee3759b26d00f25f4e5bd9799d3cc87ea3d48f77b64b2728b50796