metasploit | 55dda01cfd510a816154e2123674bb9b04bafd22b56746193b3a098b43806040

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-09-2024 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Photo19.JPG_www.tinypic.exe
Size

151KB
MD5

f9661b5a1d1f85b637f19c988c49d657
SHA1

1e2e92ea95b4a62134ab60c9752615427da454e6
SHA256

f5b1c8cb0afde9644af26732e236ceab656b16ea5ae358f43d5fa81d83b0e4f7
SHA512

3ae0a09d06c90a225aa051dc90237df5ddd3872ef26e6a8ddbef52b5e99a844e13ec3ecf684bdabe869818555ea0febf9c30ac72ac2fd94eaa97e93e05bf885a
SSDEEP

3072:j2zAHt8gc03EK2/3qHOdctCD9kyR2mg0xv6XlIz0E+4il+vDe:Q037M3SOdcti9ky8V0ZulIzF+4il+v6

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Deletes itself 1 IoCs

pid	Process
2196	wmpdlp32.exe

Executes dropped EXE 32 IoCs

pid	Process
2836	wmpdlp32.exe
2196	wmpdlp32.exe
2608	wmpdlp32.exe
2664	wmpdlp32.exe
2852	wmpdlp32.exe
2916	wmpdlp32.exe
1476	wmpdlp32.exe
608	wmpdlp32.exe
1480	wmpdlp32.exe
572	wmpdlp32.exe
444	wmpdlp32.exe
2320	wmpdlp32.exe
1776	wmpdlp32.exe
1660	wmpdlp32.exe
2524	wmpdlp32.exe
2336	wmpdlp32.exe
1952	wmpdlp32.exe
1932	wmpdlp32.exe
2472	wmpdlp32.exe
2800	wmpdlp32.exe
2784	wmpdlp32.exe
2756	wmpdlp32.exe
1984	wmpdlp32.exe
2592	wmpdlp32.exe
2960	wmpdlp32.exe
1516	wmpdlp32.exe
1904	wmpdlp32.exe
348	wmpdlp32.exe
644	wmpdlp32.exe
2072	wmpdlp32.exe
2124	wmpdlp32.exe
2772	wmpdlp32.exe

Loads dropped DLL 64 IoCs

pid	Process
1064	Photo19.JPG_www.tinypic.exe
1064	Photo19.JPG_www.tinypic.exe
2836	wmpdlp32.exe
2836	wmpdlp32.exe
2196	wmpdlp32.exe
2196	wmpdlp32.exe
2608	wmpdlp32.exe
2608	wmpdlp32.exe
2664	wmpdlp32.exe
2664	wmpdlp32.exe
2852	wmpdlp32.exe
2852	wmpdlp32.exe
2916	wmpdlp32.exe
2916	wmpdlp32.exe
1476	wmpdlp32.exe
1476	wmpdlp32.exe
608	wmpdlp32.exe
608	wmpdlp32.exe
1480	wmpdlp32.exe
1480	wmpdlp32.exe
572	wmpdlp32.exe
572	wmpdlp32.exe
444	wmpdlp32.exe
444	wmpdlp32.exe
2320	wmpdlp32.exe
2320	wmpdlp32.exe
1776	wmpdlp32.exe
1776	wmpdlp32.exe
1660	wmpdlp32.exe
1660	wmpdlp32.exe
2524	wmpdlp32.exe
2524	wmpdlp32.exe
2336	wmpdlp32.exe
2336	wmpdlp32.exe
1952	wmpdlp32.exe
1952	wmpdlp32.exe
1932	wmpdlp32.exe
1932	wmpdlp32.exe
2472	wmpdlp32.exe
2472	wmpdlp32.exe
2800	wmpdlp32.exe
2800	wmpdlp32.exe
2784	wmpdlp32.exe
2784	wmpdlp32.exe
2756	wmpdlp32.exe
2756	wmpdlp32.exe
1984	wmpdlp32.exe
1984	wmpdlp32.exe
2592	wmpdlp32.exe
2592	wmpdlp32.exe
2960	wmpdlp32.exe
2960	wmpdlp32.exe
1516	wmpdlp32.exe
1516	wmpdlp32.exe
1904	wmpdlp32.exe
1904	wmpdlp32.exe
348	wmpdlp32.exe
348	wmpdlp32.exe
644	wmpdlp32.exe
644	wmpdlp32.exe
2072	wmpdlp32.exe
2072	wmpdlp32.exe
2124	wmpdlp32.exe
2124	wmpdlp32.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1064-2-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1064-4-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1064-6-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1064-11-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1064-10-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1064-9-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1064-8-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2196-36-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1064-35-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1064-39-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2664-57-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2196-56-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2196-59-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2664-76-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2916-94-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/608-113-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2320-127-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/572-132-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2320-150-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1660-168-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2336-186-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1932-200-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2800-212-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2592-220-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2756-225-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2592-237-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1516-249-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2072-257-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/348-262-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2072-274-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 34 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Photo19.JPG_www.tinypic.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Photo19.JPG_www.tinypic.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlp32.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	Photo19.JPG_www.tinypic.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	Photo19.JPG_www.tinypic.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	Photo19.JPG_www.tinypic.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 620 set thread context of 1064	620	Photo19.JPG_www.tinypic.exe	30
PID 2836 set thread context of 2196	2836	wmpdlp32.exe	32
PID 2608 set thread context of 2664	2608	wmpdlp32.exe	35
PID 2852 set thread context of 2916	2852	wmpdlp32.exe	37
PID 1476 set thread context of 608	1476	wmpdlp32.exe	39
PID 1480 set thread context of 572	1480	wmpdlp32.exe	41
PID 444 set thread context of 2320	444	wmpdlp32.exe	43
PID 1776 set thread context of 1660	1776	wmpdlp32.exe	45
PID 2524 set thread context of 2336	2524	wmpdlp32.exe	47
PID 1952 set thread context of 1932	1952	wmpdlp32.exe	49
PID 2472 set thread context of 2800	2472	wmpdlp32.exe	51
PID 2784 set thread context of 2756	2784	wmpdlp32.exe	53
PID 1984 set thread context of 2592	1984	wmpdlp32.exe	55
PID 2960 set thread context of 1516	2960	wmpdlp32.exe	57
PID 1904 set thread context of 348	1904	wmpdlp32.exe	59
PID 644 set thread context of 2072	644	wmpdlp32.exe	61
PID 2124 set thread context of 2772	2124	wmpdlp32.exe	63

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Photo19.JPG_www.tinypic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Photo19.JPG_www.tinypic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlp32.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1064	Photo19.JPG_www.tinypic.exe
1064	Photo19.JPG_www.tinypic.exe
2196	wmpdlp32.exe
2196	wmpdlp32.exe
2664	wmpdlp32.exe
2664	wmpdlp32.exe
2916	wmpdlp32.exe
2916	wmpdlp32.exe
608	wmpdlp32.exe
608	wmpdlp32.exe
572	wmpdlp32.exe
572	wmpdlp32.exe
2320	wmpdlp32.exe
2320	wmpdlp32.exe
1660	wmpdlp32.exe
1660	wmpdlp32.exe
2336	wmpdlp32.exe
2336	wmpdlp32.exe
1932	wmpdlp32.exe
1932	wmpdlp32.exe
2800	wmpdlp32.exe
2800	wmpdlp32.exe
2756	wmpdlp32.exe
2756	wmpdlp32.exe
2592	wmpdlp32.exe
2592	wmpdlp32.exe
1516	wmpdlp32.exe
1516	wmpdlp32.exe
348	wmpdlp32.exe
348	wmpdlp32.exe
2072	wmpdlp32.exe
2072	wmpdlp32.exe
2772	wmpdlp32.exe
2772	wmpdlp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1064	620	Photo19.JPG_www.tinypic.exe	30
PID 620 wrote to memory of 1064	620	Photo19.JPG_www.tinypic.exe	30
PID 620 wrote to memory of 1064	620	Photo19.JPG_www.tinypic.exe	30
PID 620 wrote to memory of 1064	620	Photo19.JPG_www.tinypic.exe	30
PID 620 wrote to memory of 1064	620	Photo19.JPG_www.tinypic.exe	30
PID 620 wrote to memory of 1064	620	Photo19.JPG_www.tinypic.exe	30
PID 620 wrote to memory of 1064	620	Photo19.JPG_www.tinypic.exe	30
PID 1064 wrote to memory of 2836	1064	Photo19.JPG_www.tinypic.exe	31
PID 1064 wrote to memory of 2836	1064	Photo19.JPG_www.tinypic.exe	31
PID 1064 wrote to memory of 2836	1064	Photo19.JPG_www.tinypic.exe	31
PID 1064 wrote to memory of 2836	1064	Photo19.JPG_www.tinypic.exe	31
PID 2836 wrote to memory of 2196	2836	wmpdlp32.exe	32
PID 2836 wrote to memory of 2196	2836	wmpdlp32.exe	32
PID 2836 wrote to memory of 2196	2836	wmpdlp32.exe	32
PID 2836 wrote to memory of 2196	2836	wmpdlp32.exe	32
PID 2836 wrote to memory of 2196	2836	wmpdlp32.exe	32
PID 2836 wrote to memory of 2196	2836	wmpdlp32.exe	32
PID 2836 wrote to memory of 2196	2836	wmpdlp32.exe	32
PID 2196 wrote to memory of 2608	2196	wmpdlp32.exe	34
PID 2196 wrote to memory of 2608	2196	wmpdlp32.exe	34
PID 2196 wrote to memory of 2608	2196	wmpdlp32.exe	34
PID 2196 wrote to memory of 2608	2196	wmpdlp32.exe	34
PID 2608 wrote to memory of 2664	2608	wmpdlp32.exe	35
PID 2608 wrote to memory of 2664	2608	wmpdlp32.exe	35
PID 2608 wrote to memory of 2664	2608	wmpdlp32.exe	35
PID 2608 wrote to memory of 2664	2608	wmpdlp32.exe	35
PID 2608 wrote to memory of 2664	2608	wmpdlp32.exe	35
PID 2608 wrote to memory of 2664	2608	wmpdlp32.exe	35
PID 2608 wrote to memory of 2664	2608	wmpdlp32.exe	35
PID 2664 wrote to memory of 2852	2664	wmpdlp32.exe	36
PID 2664 wrote to memory of 2852	2664	wmpdlp32.exe	36
PID 2664 wrote to memory of 2852	2664	wmpdlp32.exe	36
PID 2664 wrote to memory of 2852	2664	wmpdlp32.exe	36
PID 2852 wrote to memory of 2916	2852	wmpdlp32.exe	37
PID 2852 wrote to memory of 2916	2852	wmpdlp32.exe	37
PID 2852 wrote to memory of 2916	2852	wmpdlp32.exe	37
PID 2852 wrote to memory of 2916	2852	wmpdlp32.exe	37
PID 2852 wrote to memory of 2916	2852	wmpdlp32.exe	37
PID 2852 wrote to memory of 2916	2852	wmpdlp32.exe	37
PID 2852 wrote to memory of 2916	2852	wmpdlp32.exe	37
PID 2916 wrote to memory of 1476	2916	wmpdlp32.exe	38
PID 2916 wrote to memory of 1476	2916	wmpdlp32.exe	38
PID 2916 wrote to memory of 1476	2916	wmpdlp32.exe	38
PID 2916 wrote to memory of 1476	2916	wmpdlp32.exe	38
PID 1476 wrote to memory of 608	1476	wmpdlp32.exe	39
PID 1476 wrote to memory of 608	1476	wmpdlp32.exe	39
PID 1476 wrote to memory of 608	1476	wmpdlp32.exe	39
PID 1476 wrote to memory of 608	1476	wmpdlp32.exe	39
PID 1476 wrote to memory of 608	1476	wmpdlp32.exe	39
PID 1476 wrote to memory of 608	1476	wmpdlp32.exe	39
PID 1476 wrote to memory of 608	1476	wmpdlp32.exe	39
PID 608 wrote to memory of 1480	608	wmpdlp32.exe	40
PID 608 wrote to memory of 1480	608	wmpdlp32.exe	40
PID 608 wrote to memory of 1480	608	wmpdlp32.exe	40
PID 608 wrote to memory of 1480	608	wmpdlp32.exe	40
PID 1480 wrote to memory of 572	1480	wmpdlp32.exe	41
PID 1480 wrote to memory of 572	1480	wmpdlp32.exe	41
PID 1480 wrote to memory of 572	1480	wmpdlp32.exe	41
PID 1480 wrote to memory of 572	1480	wmpdlp32.exe	41
PID 1480 wrote to memory of 572	1480	wmpdlp32.exe	41
PID 1480 wrote to memory of 572	1480	wmpdlp32.exe	41
PID 1480 wrote to memory of 572	1480	wmpdlp32.exe	41
PID 572 wrote to memory of 444	572	wmpdlp32.exe	42
PID 572 wrote to memory of 444	572	wmpdlp32.exe	42

C:\Users\Admin\AppData\Local\Temp\Photo19.JPG_www.tinypic.exe
"C:\Users\Admin\AppData\Local\Temp\Photo19.JPG_www.tinypic.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Temp\Photo19.JPG_www.tinypic.exe
  "C:\Users\Admin\AppData\Local\Temp\Photo19.JPG_www.tinypic.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\wmpdlp32.exe
    "C:\Windows\system32\wmpdlp32.exe" C:\Users\Admin\AppData\Local\Temp\PHOTO1~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\wmpdlp32.exe
      "C:\Windows\system32\wmpdlp32.exe" C:\Users\Admin\AppData\Local\Temp\PHOTO1~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2320
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2336
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1932
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2800
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2756
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2592
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1516
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:348
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2072
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\wmpdlp32.exe
        
        "C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
        34⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wmpdlp32.exe

Filesize
151KB

MD5
f9661b5a1d1f85b637f19c988c49d657

SHA1
1e2e92ea95b4a62134ab60c9752615427da454e6

SHA256
f5b1c8cb0afde9644af26732e236ceab656b16ea5ae358f43d5fa81d83b0e4f7

SHA512
3ae0a09d06c90a225aa051dc90237df5ddd3872ef26e6a8ddbef52b5e99a844e13ec3ecf684bdabe869818555ea0febf9c30ac72ac2fd94eaa97e93e05bf885a

Download Submit
memory/348-262-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/572-132-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/608-113-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1064-8-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1064-9-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1064-4-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1064-11-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1064-10-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1064-35-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1064-39-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1064-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1064-2-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1064-6-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1516-249-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1660-168-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1932-200-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2072-274-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2072-257-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2196-56-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2196-36-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2196-59-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2320-150-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2320-127-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2336-186-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2592-220-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2592-237-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2664-57-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2664-76-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2756-225-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2800-212-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2916-94-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download