Analysis

max time kernel: 148s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 21/01/2024, 19:19

Static task: static1

Behavioral task: behavioral1
Sample: 6dd2c71fa4b1627af5f2f5c2297114c9.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 6dd2c71fa4b1627af5f2f5c2297114c9.exe
Resource: win10v2004-20231222-en

General

Target: 6dd2c71fa4b1627af5f2f5c2297114c9.exe
Size: 174KB
MD5: 6dd2c71fa4b1627af5f2f5c2297114c9
SHA1: a5d3e31ba83afab3d5fd7f2155632e1384fcdefb
SHA256: 544c6fb7cd6551ed69623b5f1f728b46e20e183e871328bbb731988602bcb1ba
SHA512: 8fe0586578b7ca04374d7c4d1107cc2aa55cc804a6cabeddcda9487322a3495d101c74e40bfe3bd50db4303931012ef59eac55f476ce37d8a978b0ce055b4ee3
SSDEEP: 3072:w6V2H12f5cNyF5N9ntJrS1/dSnILItdzk1+3nyyicvT0ycrE8H+Q+Ya8x:WH1dutVnILkzOyzApx
Malware Config

Extracted
metasploit
encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself (1 IoCs)
pid   Process
2448  igfxwd32.exe

Executes dropped EXE (30 IoCs)
pid   Process
2768  igfxwd32.exe
2448  igfxwd32.exe
2616  igfxwd32.exe
1372  igfxwd32.exe
2156  igfxwd32.exe
2280  igfxwd32.exe
1028  igfxwd32.exe
2688  igfxwd32.exe
1444  igfxwd32.exe
2996  igfxwd32.exe
536   igfxwd32.exe
1312  igfxwd32.exe
1356  igfxwd32.exe
2568  igfxwd32.exe
1320  igfxwd32.exe
2468  igfxwd32.exe
1236  igfxwd32.exe
2324  igfxwd32.exe
1612  igfxwd32.exe
1828  igfxwd32.exe
2812  igfxwd32.exe
2624  igfxwd32.exe
376   igfxwd32.exe
2696  igfxwd32.exe
3064  igfxwd32.exe
2948  igfxwd32.exe
1668  igfxwd32.exe
2488  igfxwd32.exe
2708  igfxwd32.exe
1200  igfxwd32.exe

Loads dropped DLL (30 IoCs)
pid   Process
2196  6dd2c71fa4b1627af5f2f5c2297114c9.exe
2768  igfxwd32.exe
2448  igfxwd32.exe
2616  igfxwd32.exe
1372  igfxwd32.exe
2156  igfxwd32.exe
2280  igfxwd32.exe
1028  igfxwd32.exe
2688  igfxwd32.exe
1444  igfxwd32.exe
2996  igfxwd32.exe
536   igfxwd32.exe
1312  igfxwd32.exe
1356  igfxwd32.exe
2568  igfxwd32.exe
1320  igfxwd32.exe
2468  igfxwd32.exe
1236  igfxwd32.exe
2324  igfxwd32.exe
1612  igfxwd32.exe
1828  igfxwd32.exe
2812  igfxwd32.exe
2624  igfxwd32.exe
376   igfxwd32.exe
2696  igfxwd32.exe
3064  igfxwd32.exe
2948  igfxwd32.exe
1668  igfxwd32.exe
2488  igfxwd32.exe
2708  igfxwd32.exe
resource  yara_rule
behavioral1/memory/2196-3-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2196-8-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2196-7-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2196-6-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2196-4-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2196-2-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2196-16-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2448-28-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2448-27-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2448-30-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2448-29-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2448-33-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1372-46-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1372-49-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1372-51-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2280-67-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2688-78-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2688-82-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2996-100-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1312-112-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1312-119-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2568-135-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2468-151-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2324-167-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1828-178-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1828-180-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1828-187-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2624-197-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2624-204-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2696-220-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2948-230-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2948-235-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/2488-247-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1200-255-0x0000000000400000-0x0000000000466000-memory.dmp  upx
behavioral1/memory/1200-260-0x0000000000400000-0x0000000000466000-memory.dmp  upx
Maps connected drives based on registry (3 TTPs, 32 IoCs)
Disk information is often read in order to detect sandboxing environments.
description        ioc                                                        Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwd32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwd32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  6dd2c71fa4b1627af5f2f5c2297114c9.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwd32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwd32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwd32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  6dd2c71fa4b1627af5f2f5c2297114c9.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwd32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwd32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwd32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwd32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwd32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwd32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwd32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwd32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwd32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwd32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  igfxwd32.exe
Drops file in System32 directory (48 IoCs)
description                   ioc                               Process
File created                  C:\Windows\SysWOW64\igfxwd32.exe  6dd2c71fa4b1627af5f2f5c2297114c9.exe
File created                  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\              igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File created                  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File created                  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File created                  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File created                  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\              igfxwd32.exe
File created                  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File created                  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File created                  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\              igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\              igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File created                  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File created                  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File created                  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwd32.exe  6dd2c71fa4b1627af5f2f5c2297114c9.exe
File opened for modification  C:\Windows\SysWOW64\              igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\              igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\              igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\              igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\              igfxwd32.exe
File created                  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\              igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\              igfxwd32.exe
File created                  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File created                  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\              igfxwd32.exe
File created                  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\              igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\              igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\              6dd2c71fa4b1627af5f2f5c2297114c9.exe
File opened for modification  C:\Windows\SysWOW64\igfxwd32.exe  igfxwd32.exe
File opened for modification  C:\Windows\SysWOW64\              igfxwd32.exe
Suspicious use of SetThreadContext (16 IoCs)
description                           pid   Process                               procid_target
PID 2236 set thread context of 2196   2236  6dd2c71fa4b1627af5f2f5c2297114c9.exe  28
PID 2768 set thread context of 2448   2768  igfxwd32.exe                          30
PID 2616 set thread context of 1372   2616  igfxwd32.exe                          32
PID 2156 set thread context of 2280   2156  igfxwd32.exe                          34
PID 1028 set thread context of 2688   1028  igfxwd32.exe                          36
PID 1444 set thread context of 2996   1444  igfxwd32.exe                          40
PID 536 set thread context of 1312    536   igfxwd32.exe                          42
PID 1356 set thread context of 2568   1356  igfxwd32.exe                          44
PID 1320 set thread context of 2468   1320  igfxwd32.exe                          46
PID 1236 set thread context of 2324   1236  igfxwd32.exe                          48
PID 1612 set thread context of 1828   1612  igfxwd32.exe                          50
PID 2812 set thread context of 2624   2812  igfxwd32.exe                          52
PID 376 set thread context of 2696    376   igfxwd32.exe                          54
PID 3064 set thread context of 2948   3064  igfxwd32.exe                          56
PID 1668 set thread context of 2488   1668  igfxwd32.exe                          58
PID 2708 set thread context of 1200   2708  igfxwd32.exe                          60
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (32 IoCs)
pid   Process                               (each pid is listed twice)
2196  6dd2c71fa4b1627af5f2f5c2297114c9.exe  x2
2448  igfxwd32.exe                          x2
1372  igfxwd32.exe                          x2
2280  igfxwd32.exe                          x2
2688  igfxwd32.exe                          x2
2996  igfxwd32.exe                          x2
1312  igfxwd32.exe                          x2
2568  igfxwd32.exe                          x2
2468  igfxwd32.exe                          x2
2324  igfxwd32.exe                          x2
1828  igfxwd32.exe                          x2
2624  igfxwd32.exe                          x2
2696  igfxwd32.exe                          x2
2948  igfxwd32.exe                          x2
2488  igfxwd32.exe                          x2
1200  igfxwd32.exe                          x2
Suspicious use of WriteProcessMemory (64 IoCs)
description                        pid   Process                               procid_target  (times listed)
PID 2236 wrote to memory of 2196   2236  6dd2c71fa4b1627af5f2f5c2297114c9.exe  28             x7
PID 2196 wrote to memory of 2768   2196  6dd2c71fa4b1627af5f2f5c2297114c9.exe  29             x4
PID 2768 wrote to memory of 2448   2768  igfxwd32.exe                          30             x7
PID 2448 wrote to memory of 2616   2448  igfxwd32.exe                          31             x4
PID 2616 wrote to memory of 1372   2616  igfxwd32.exe                          32             x7
PID 1372 wrote to memory of 2156   1372  igfxwd32.exe                          33             x4
PID 2156 wrote to memory of 2280   2156  igfxwd32.exe                          34             x7
PID 2280 wrote to memory of 1028   2280  igfxwd32.exe                          35             x4
PID 1028 wrote to memory of 2688   1028  igfxwd32.exe                          36             x7
PID 2688 wrote to memory of 1444   2688  igfxwd32.exe                          37             x4
PID 1444 wrote to memory of 2996   1444  igfxwd32.exe                          40             x7
PID 2996 wrote to memory of 536    2996  igfxwd32.exe                          41             x2
Processes

The number is the depth in the process tree; each process is the child of the one listed before it.

1. C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe"
   PID: 2236
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

2. C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe"
   PID: 2196
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\6DD2C7~1.EXE
   PID: 2768
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

4. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\6DD2C7~1.EXE
   PID: 2448
   - Deletes itself
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

5. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 2616
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

6. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 1372
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

7. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 2156
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

8. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 2280
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

9. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 1028
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

10. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 2688
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

11. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 1444
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

12. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 2996
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

13. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 536
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext

14. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 1312
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses

15. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 1356
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext

16. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 2568
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses

17. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 1320
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext

18. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 2468
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses

19. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 1236
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext

20. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 2324
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses

21. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 1612
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext

22. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 1828
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses

23. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 2812
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext

24. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 2624
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses

25. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 376
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext

26. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 2696
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses

27. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 3064
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext

28. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 2948
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses

29. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 1668
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext

30. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 2488
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses

31. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 2708
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext

32. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 1200
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses

33. C:\Windows\SysWOW64\igfxwd32.exe
   Command line: "C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe
   PID: 3000
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 174KB
MD5: 6dd2c71fa4b1627af5f2f5c2297114c9
SHA1: a5d3e31ba83afab3d5fd7f2155632e1384fcdefb
SHA256: 544c6fb7cd6551ed69623b5f1f728b46e20e183e871328bbb731988602bcb1ba
SHA512: 8fe0586578b7ca04374d7c4d1107cc2aa55cc804a6cabeddcda9487322a3495d101c74e40bfe3bd50db4303931012ef59eac55f476ce37d8a978b0ce055b4ee3

Filesize: 150KB
MD5: 04371106792ae9a5be46c97a45f02ef0
SHA1: f4a9994b0439e34bb032bd7ffc9b18d38d710087
SHA256: 6c9bac57479bb762d144b6f9b92e6ceca6bafd5479acfc23e602310fa3752841
SHA512: 6bfae38aac0ba5741b3dea0f8c764dfdc4944832310d22c3121693152a73fc943f4121c6acd36cb1bb826162b9ab382f9b4e5821ac7dd2cf5d6e999c1ecaff2c

Filesize: 150KB
MD5: 9714289f7e9227b339926af779ddbd05
SHA1: 0f3bbecae85d903f3751ba382e32d320d37f48ba
SHA256: 4b4e247920aed7daa2722d4aa98205d7aaa58d3c3a336f7193d85f0f4d83d9e7
SHA512: 3785c62c1a2b94a130a78185abe1e3de749414971fb3e6a79c85931fff9f09d03f2146b136779bcdbfcae1c27f822b9258d7a0645c880d3983be9c1f6cd5f434