Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22/01/2024, 11:05
Static task: static1
Behavioral task: behavioral1
  Sample: 6f835b6c3057fcc816392c3b72740345.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 6f835b6c3057fcc816392c3b72740345.exe
  Resource: win10v2004-20231222-en
General
Target: 6f835b6c3057fcc816392c3b72740345.exe
Size: 232KB
MD5: 6f835b6c3057fcc816392c3b72740345
SHA1: 1101247576532083c6b3a87ff52fc9ccd588668a
SHA256: 55cea4bf97f08c33c864615a119c6b4ffc090069bbb7b4d64d2c7dd0e19dad59
SHA512: a4d583ea616c8b0e48edc6b74b419ff637e2f8b29cc98179e76ecf08968b4fb56ac2b4ceb7cb45626f444a2157fe64f78037389bfe084c5e633e50977c1ec533
SSDEEP: 3072:BsLEbdIlxJ5SKlVgUtuN1OtH8OVtddjgctRSO8DjqmJxZSacqSt2PZgRvIL:CQSD3Nt1cE8XqmJnpPZce
Malware Config
Extracted: metasploit, encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself 1 IoCs
pid | Process
2600 | igfxdw32.exe
Executes dropped EXE 49 IoCs
Loads dropped DLL 64 IoCs
resource yara_rule: behavioral1 memory dumps of the 0x0000000000400000-0x0000000000466000 region of the sample process (PID 2220) and of a series of igfxdw32.exe processes matched rule upx
Maps connected drives based on registry 3 TTPs 50 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process (distinct entries among the 50 IoCs)
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | igfxdw32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxdw32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 6f835b6c3057fcc816392c3b72740345.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 6f835b6c3057fcc816392c3b72740345.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process (distinct entries among the 64 IoCs)
File opened for modification | C:\Windows\SysWOW64\ | igfxdw32.exe
File opened for modification | C:\Windows\SysWOW64\igfxdw32.exe | igfxdw32.exe
File created | C:\Windows\SysWOW64\igfxdw32.exe | igfxdw32.exe
File created | C:\Windows\SysWOW64\igfxdw32.exe | 6f835b6c3057fcc816392c3b72740345.exe
File opened for modification | C:\Windows\SysWOW64\ | 6f835b6c3057fcc816392c3b72740345.exe
Suspicious use of SetThreadContext 25 IoCs
description | pid | Process | procid_target
PID 3060 set thread context of 2220 | 3060 | 6f835b6c3057fcc816392c3b72740345.exe | 28
PID 2848 set thread context of 2600 | 2848 | igfxdw32.exe | 30
PID 2016 set thread context of 3032 | 2016 | igfxdw32.exe | 32
PID 1080 set thread context of 2828 | 1080 | igfxdw32.exe | 34
PID 1780 set thread context of 1952 | 1780 | igfxdw32.exe | 36
PID 2504 set thread context of 1784 | 2504 | igfxdw32.exe | 40
PID 2984 set thread context of 1904 | 2984 | igfxdw32.exe | 42
PID 2312 set thread context of 2044 | 2312 | igfxdw32.exe | 44
PID 1392 set thread context of 1516 | 1392 | igfxdw32.exe | 46
PID 2644 set thread context of 1720 | 2644 | igfxdw32.exe | 48
PID 1500 set thread context of 1592 | 1500 | igfxdw32.exe | 50
PID 1244 set thread context of 2516 | 1244 | igfxdw32.exe | 52
PID 2712 set thread context of 2604 | 2712 | igfxdw32.exe | 54
PID 2636 set thread context of 2108 | 2636 | igfxdw32.exe | 56
PID 772 set thread context of 1460 | 772 | igfxdw32.exe | 58
PID 2888 set thread context of 2932 | 2888 | igfxdw32.exe | 60
PID 1736 set thread context of 1988 | 1736 | igfxdw32.exe | 62
PID 2332 set thread context of 2352 | 2332 | igfxdw32.exe | 64
PID 2216 set thread context of 2240 | 2216 | igfxdw32.exe | 66
PID 1972 set thread context of 1788 | 1972 | igfxdw32.exe | 68
PID 1356 set thread context of 1696 | 1356 | igfxdw32.exe | 70
PID 2460 set thread context of 2276 | 2460 | igfxdw32.exe | 72
PID 964 set thread context of 2164 | 964 | igfxdw32.exe | 74
PID 2748 set thread context of 2672 | 2748 | igfxdw32.exe | 76
PID 848 set thread context of 2716 | 848 | igfxdw32.exe | 78
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 50 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (distinct pairs among the 64 IoCs listed)
PID 3060 wrote to memory of 2220 | 3060 | 6f835b6c3057fcc816392c3b72740345.exe | 28
PID 2220 wrote to memory of 2848 | 2220 | 6f835b6c3057fcc816392c3b72740345.exe | 29
PID 2848 wrote to memory of 2600 | 2848 | igfxdw32.exe | 30
PID 2600 wrote to memory of 2016 | 2600 | igfxdw32.exe | 31
PID 2016 wrote to memory of 3032 | 2016 | igfxdw32.exe | 32
PID 3032 wrote to memory of 1080 | 3032 | igfxdw32.exe | 33
PID 1080 wrote to memory of 2828 | 1080 | igfxdw32.exe | 34
PID 2828 wrote to memory of 1780 | 2828 | igfxdw32.exe | 35
PID 1780 wrote to memory of 1952 | 1780 | igfxdw32.exe | 36
PID 1952 wrote to memory of 2504 | 1952 | igfxdw32.exe | 37
PID 2504 wrote to memory of 1784 | 2504 | igfxdw32.exe | 40
PID 1784 wrote to memory of 2984 | 1784 | igfxdw32.exe | 41
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\6f835b6c3057fcc816392c3b72740345.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6f835b6c3057fcc816392c3b72740345.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 3060
Depth 2: C:\Users\Admin\AppData\Local\Temp\6f835b6c3057fcc816392c3b72740345.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6f835b6c3057fcc816392c3b72740345.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2220
Depth 3: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Users\Admin\AppData\Local\Temp\6F835B~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 2848
Depth 4: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Users\Admin\AppData\Local\Temp\6F835B~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2600
Depth 5: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 2016
Depth 6: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3032
Depth 7: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 1080
Depth 8: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2828
Depth 9: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 1780
Depth 10: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1952
Depth 11: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 2504
Depth 12: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1784
Depth 13: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 2984
Depth 14: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 1904
Depth 15: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 2312
Depth 16: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2044
Depth 17: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 1392
Depth 18: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 1516
Depth 19: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 2644
Depth 20: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 1720
Depth 21: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 1500
Depth 22: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 1592
Depth 23: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 1244
Depth 24: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2516
Depth 25: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 2712
Depth 26: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2604
Depth 27: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 2636
Depth 28: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2108
Depth 29: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 772
Depth 30: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 1460
Depth 31: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 2888
Depth 32: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2932
Depth 33: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 1736
Depth 34: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 1988
Depth 35: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 2332
Depth 36: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2352
Depth 37: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 2216
Depth 38: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2240
Depth 39: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 1972
Depth 40: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 1788
Depth 41: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 1356
Depth 42: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 1696
Depth 43: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 2460
Depth 44: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2276
Depth 45: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 964
Depth 46: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2164
Depth 47: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 2748
Depth 48: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2672
Depth 49: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 848
Depth 50: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2716
Depth 51: C:\Windows\SysWOW64\igfxdw32.exe
Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
- Executes dropped EXE
PID: 2520
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 232KB
MD5: 6f835b6c3057fcc816392c3b72740345
SHA1: 1101247576532083c6b3a87ff52fc9ccd588668a
SHA256: 55cea4bf97f08c33c864615a119c6b4ffc090069bbb7b4d64d2c7dd0e19dad59
SHA512: a4d583ea616c8b0e48edc6b74b419ff637e2f8b29cc98179e76ecf08968b4fb56ac2b4ceb7cb45626f444a2157fe64f78037389bfe084c5e633e50977c1ec533