Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
21/01/2024, 09:06
Behavioral task
behavioral1
Sample
6ce8d558053644b193cc6d92474a6574.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
6ce8d558053644b193cc6d92474a6574.exe
Resource
win10v2004-20231215-en
General
-
Target
6ce8d558053644b193cc6d92474a6574.exe
-
Size
196KB
-
MD5
6ce8d558053644b193cc6d92474a6574
-
SHA1
934420a5e9154da629eb3cf0ba015361b25e67a3
-
SHA256
0ed00481440fc1127dda04ad0e7f4d080eca99f2f5a4fa583e707135bb2deaaa
-
SHA512
6723bc234b495343f8184865c631064c2fdcabfc5f003feb91794e36bff45b8e1f73f4f01bfe5c5a11c2dfdc6a1055d723d73a952f91ddf53f6fb22ff6d46124
-
SSDEEP
6144:haUHpDburkt6PBZve6i20SXY8nzHkpgUoB:hfXtme2tnzcloB
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Deletes itself 1 IoCs
pid Process 2792 igfxdkc32.exe -
Executes dropped EXE 42 IoCs
-
Loads dropped DLL 64 IoCs
-
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ce8d558053644b193cc6d92474a6574.exe"C:\Users\Admin\AppData\Local\Temp\6ce8d558053644b193cc6d92474a6574.exe"1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Users\Admin\AppData\Local\Temp\6CE8D5~1.EXE2⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE5⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE6⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:472 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE8⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE9⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE10⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE11⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE12⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE13⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE14⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE15⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE16⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE17⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2968 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE18⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2080 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE19⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1064 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE20⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2088 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE21⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2300 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE22⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1628 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE23⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2680 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE24⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2616 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE25⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2484 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2636 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE27⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2880 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE28⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2352 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE29⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1464 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE30⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1084 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE31⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1944 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2548 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE33⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE34⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE35⤵
- Executes dropped EXE
- Maps connected drives based on registry
PID:1984 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE36⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:608 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE38⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE39⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:748 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE40⤵
- Executes dropped EXE
- Maps connected drives based on registry
PID:884 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE41⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE42⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\igfxdkc32.exe"C:\Windows\system32\igfxdkc32.exe" C:\Windows\SysWOW64\IGFXDK~1.EXE43⤵
- Executes dropped EXE
- Maps connected drives based on registry
PID:1496
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
196KB
-
MD5
6ce8d558053644b193cc6d92474a6574
-
SHA1
934420a5e9154da629eb3cf0ba015361b25e67a3
-
SHA256
0ed00481440fc1127dda04ad0e7f4d080eca99f2f5a4fa583e707135bb2deaaa
-
SHA512
6723bc234b495343f8184865c631064c2fdcabfc5f003feb91794e36bff45b8e1f73f4f01bfe5c5a11c2dfdc6a1055d723d73a952f91ddf53f6fb22ff6d46124