Analysis
max time kernel: 148s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 11-09-2024 03:29
Static task: static1
Behavioral task: behavioral1
  Sample: Picture29.JPG_www.facebook.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Picture29.JPG_www.facebook.exe
  Resource: win10v2004-20240802-en
General
Target: Picture29.JPG_www.facebook.exe
Size: 139KB
MD5: 255a2ff8712b8def6c7cd7b49afcf277
SHA1: 7da7443a4ecad24887adcbc7d80b13dedea7c798
SHA256: 29b37b7786abf5cf93cbdd9fe776975fe02aaa380ffb2045087b36711c1cc996
SHA512: c35369f5ac54e8d2d2e75cf9f079d6fcd961de54f3a563e5abda3ca531a183128eead4c75952d4e0e04c2e1d36eb694148630348826af9d2eacd83bb62996e05
SSDEEP: 3072:P92aolTgOIShudBRfe5EmjlYRELmU0bi0q2qnaKWE:FXO0Rfe5EFRELmUki0SaKWE
Malware Config
Extracted: metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process | count
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | wmpctv32.exe | 15
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | Picture29.JPG_www.facebook.exe | 1
-
Deletes itself 1 IoCs
pid | Process
3644 | wmpctv32.exe
-
Executes dropped EXE 32 IoCs
Process: wmpctv32.exe (all 32 IoCs)
pids: 3608, 3644, 2368, 3060, 1472, 4108, 2024, 3336, 1004, 884, 5060, 2428, 4660, 412, 4588, 2884, 4900, 5000, 1240, 1064, 3620, 4384, 2116, 3828, 2044, 4784, 1332, 2300, 1076, 3324, 3924, 888
-
resource | yara_rule
behavioral2/memory/2468-0-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/2468-2-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/2468-4-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/2468-3-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/2468-33-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3644-44-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/2468-47-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3644-48-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3644-55-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3060-60-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3060-63-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4108-68-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4108-71-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3336-76-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3336-79-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/884-86-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/2428-91-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/2428-94-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/412-99-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/412-102-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/2884-107-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/2884-110-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/5000-115-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/5000-118-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/1064-124-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/1064-127-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4384-132-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4384-137-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3828-141-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3828-146-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4784-150-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4784-155-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/2300-159-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/2300-164-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3324-168-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3324-173-0x0000000000400000-0x000000000045A000-memory.dmp | upx
-
Maps connected drives based on registry 3 TTPs 34 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process | count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe | 16
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Picture29.JPG_www.facebook.exe | 1
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe | 16
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Picture29.JPG_www.facebook.exe | 1
-
Drops file in System32 directory 48 IoCs
description | ioc | Process | count
File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe | 15
File created | C:\Windows\SysWOW64\wmpctv32.exe | Picture29.JPG_www.facebook.exe | 1
File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe | 15
File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | Picture29.JPG_www.facebook.exe | 1
File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe | 15
File opened for modification | C:\Windows\SysWOW64\ | Picture29.JPG_www.facebook.exe | 1
-
Suspicious use of SetThreadContext 17 IoCs
description | pid | Process | procid_target
PID 4084 set thread context of 2468 | 4084 | Picture29.JPG_www.facebook.exe | 86
PID 3608 set thread context of 3644 | 3608 | wmpctv32.exe | 96
PID 2368 set thread context of 3060 | 2368 | wmpctv32.exe | 100
PID 1472 set thread context of 4108 | 1472 | wmpctv32.exe | 102
PID 2024 set thread context of 3336 | 2024 | wmpctv32.exe | 106
PID 1004 set thread context of 884 | 1004 | wmpctv32.exe | 108
PID 5060 set thread context of 2428 | 5060 | wmpctv32.exe | 110
PID 4660 set thread context of 412 | 4660 | wmpctv32.exe | 112
PID 4588 set thread context of 2884 | 4588 | wmpctv32.exe | 114
PID 4900 set thread context of 5000 | 4900 | wmpctv32.exe | 116
PID 1240 set thread context of 1064 | 1240 | wmpctv32.exe | 118
PID 3620 set thread context of 4384 | 3620 | wmpctv32.exe | 120
PID 2116 set thread context of 3828 | 2116 | wmpctv32.exe | 122
PID 2044 set thread context of 4784 | 2044 | wmpctv32.exe | 124
PID 1332 set thread context of 2300 | 1332 | wmpctv32.exe | 126
PID 1076 set thread context of 3324 | 1076 | wmpctv32.exe | 128
PID 3924 set thread context of 888 | 3924 | wmpctv32.exe | 130
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 33 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process | count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpctv32.exe | 31
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Picture29.JPG_www.facebook.exe | 2
-
Modifies registry class 16 IoCs
description | ioc | Process | count
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe | 15
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Picture29.JPG_www.facebook.exe | 1
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | count
2468 | Picture29.JPG_www.facebook.exe | 4
3644 | wmpctv32.exe | 4
3060 | wmpctv32.exe | 4
4108 | wmpctv32.exe | 4
3336 | wmpctv32.exe | 4
884 | wmpctv32.exe | 4
2428 | wmpctv32.exe | 4
412 | wmpctv32.exe | 4
2884 | wmpctv32.exe | 4
5000 | wmpctv32.exe | 4
1064 | wmpctv32.exe | 4
4384 | wmpctv32.exe | 4
3828 | wmpctv32.exe | 4
4784 | wmpctv32.exe | 4
2300 | wmpctv32.exe | 4
3324 | wmpctv32.exe | 4
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | count
PID 4084 wrote to memory of 2468 | 4084 | Picture29.JPG_www.facebook.exe | 86 | 7
PID 2468 wrote to memory of 3608 | 2468 | Picture29.JPG_www.facebook.exe | 95 | 3
PID 3608 wrote to memory of 3644 | 3608 | wmpctv32.exe | 96 | 7
PID 3644 wrote to memory of 2368 | 3644 | wmpctv32.exe | 99 | 3
PID 2368 wrote to memory of 3060 | 2368 | wmpctv32.exe | 100 | 7
PID 3060 wrote to memory of 1472 | 3060 | wmpctv32.exe | 101 | 3
PID 1472 wrote to memory of 4108 | 1472 | wmpctv32.exe | 102 | 7
PID 4108 wrote to memory of 2024 | 4108 | wmpctv32.exe | 105 | 3
PID 2024 wrote to memory of 3336 | 2024 | wmpctv32.exe | 106 | 7
PID 3336 wrote to memory of 1004 | 3336 | wmpctv32.exe | 107 | 3
PID 1004 wrote to memory of 884 | 1004 | wmpctv32.exe | 108 | 7
PID 884 wrote to memory of 5060 | 884 | wmpctv32.exe | 109 | 3
PID 5060 wrote to memory of 2428 | 5060 | wmpctv32.exe | 110 | 4
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\Picture29.JPG_www.facebook.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Picture29.JPG_www.facebook.exe"
  PID: 4084
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 2] C:\Users\Admin\AppData\Local\Temp\Picture29.JPG_www.facebook.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Picture29.JPG_www.facebook.exe"
  PID: 2468
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Users\Admin\AppData\Local\Temp\PICTUR~1.EXE
  PID: 3608
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Users\Admin\AppData\Local\Temp\PICTUR~1.EXE
  PID: 3644
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 2368
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 3060
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 1472
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 4108
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 2024
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 10] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 3336
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 11] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 1004
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 12] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 884
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 13] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 5060
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 14] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 2428
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 15] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 4660
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 16] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 412
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 17] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 4588
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 18] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 2884
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 19] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 4900
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 20] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 5000
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 21] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 1240
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 22] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 1064
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 23] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 3620
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 24] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 4384
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 25] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 2116
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 26] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 3828
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 27] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 2044
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 28] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 4784
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 29] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 1332
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 30] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 2300
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 31] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 1076
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 32] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 3324
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
[depth 33] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 3924
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
[depth 34] C:\Windows\SysWOW64\wmpctv32.exe
  command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  PID: 888
  - Executes dropped EXE
  - Maps connected drives based on registry
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 139KB
MD5: 255a2ff8712b8def6c7cd7b49afcf277
SHA1: 7da7443a4ecad24887adcbc7d80b13dedea7c798
SHA256: 29b37b7786abf5cf93cbdd9fe776975fe02aaa380ffb2045087b36711c1cc996
SHA512: c35369f5ac54e8d2d2e75cf9f079d6fcd961de54f3a563e5abda3ca531a183128eead4c75952d4e0e04c2e1d36eb694148630348826af9d2eacd83bb62996e05