Overview
overview
10Static
static
3Chams Sudd...rs.exe
windows7-x64
10Chams Sudd...rs.exe
windows10-2004-x64
10Chams Sudd...no.dll
windows7-x64
3Chams Sudd...no.dll
windows10-2004-x64
3Perx Wall ...ed.exe
windows7-x64
3Perx Wall ...ed.exe
windows10-2004-x64
3Perx Wall ...no.dll
windows7-x64
3Perx Wall ...no.dll
windows10-2004-x64
3Siyanur la...ck.exe
windows7-x64
7Siyanur la...ck.exe
windows10-2004-x64
7Analysis
-
max time kernel
146s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03-11-2024 13:15
Static task
static1
Behavioral task
behavioral1
Sample
Chams Sudden + Mado,s Injectors/Mado,s Injectors.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Chams Sudden + Mado,s Injectors/Mado,s Injectors.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Chams Sudden + Mado_s Injectors/UPDATE Chams Sudden Latino.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Chams Sudden + Mado_s Injectors/UPDATE Chams Sudden Latino.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Perx Wall hack S.ALatino/Perx Updated.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Perx Wall hack S.ALatino/Perx Updated.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Perx Wall hack S.ALatino/UPDATE Chams Sudden Latino.dll
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
Perx Wall hack S.ALatino/UPDATE Chams Sudden Latino.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
Siyanur lag hack- S.A latino/siyanur - Lag Hack.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
Siyanur lag hack- S.A latino/siyanur - Lag Hack.exe
Resource
win10v2004-20241007-en
General
-
Target
Chams Sudden + Mado,s Injectors/Mado,s Injectors.exe
-
Size
199KB
-
MD5
6f04b35e2ab8ef9b793aa3b6b21bd3f3
-
SHA1
456d2013c9c9558153a073bff5666225cb2957e2
-
SHA256
1829c3afcad6a480a1dccf4b33b4728cc731a2d2ad1a59b23566dd3497c80564
-
SHA512
b03d28859a743a2ba45c26091b480c0d7784e41aa44d23751bcfccc0c2afeda6e520d485e692708ce3016a542a79c97f8b08994dbcbd1f7d8da195f45b1930a6
-
SSDEEP
6144:QjbeiZ/rVBPKs27FbbMlIRf20vrtSQPUgXc:Qu8/QgIh/kQPUYc
Malware Config
Extracted
xtremerat
cutosky.dyndns.org
Signatures
-
Detect XtremeRAT payload 7 IoCs
resource yara_rule behavioral2/memory/5064-31-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat behavioral2/memory/5064-35-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat behavioral2/memory/3800-40-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat behavioral2/memory/5064-100-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat behavioral2/memory/4508-106-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat behavioral2/memory/1236-114-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat behavioral2/memory/244-122-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat -
Modifies WinLogon for persistence 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\system32\\igfxex.exe" igfxex.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\system32\\igfxex.exe" igfxex.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\system32\\igfxex.exe" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\system32\\igfxex.exe" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\igfxex.exe" igfxex.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\igfxex.exe" igfxex.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\igfxex.exe" Loader.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\igfxex.exe" Loader.exe -
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Adds policy Run key to start application 2 TTPs 16 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Loader.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\igxpers = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\igfxex.exe" igfxex.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\igxpers = "C:\\Windows\\system32\\igfxex.exe" igfxex.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run igfxex.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\igxpers = "C:\\Windows\\system32\\igfxex.exe" igfxex.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run igfxex.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\igxpers = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\igfxex.exe" igfxex.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run igfxex.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\igxpers = "C:\\Windows\\system32\\igfxex.exe" Loader.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\igxpers = "C:\\Windows\\system32\\igfxex.exe" Loader.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\igxpers = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\igfxex.exe" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\igxpers = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\igfxex.exe" svchost.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Loader.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run igfxex.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run svchost.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4408I5R-TEVI-6M47-6JKR-GTWF030F0F7Q} igfxex.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4408I5R-TEVI-6M47-6JKR-GTWF030F0F7Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\igfxex.exe restart" igfxex.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4408I5R-TEVI-6M47-6JKR-GTWF030F0F7Q} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4408I5R-TEVI-6M47-6JKR-GTWF030F0F7Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\igfxex.exe restart" svchost.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4408I5R-TEVI-6M47-6JKR-GTWF030F0F7Q} igfxex.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4408I5R-TEVI-6M47-6JKR-GTWF030F0F7Q}\StubPath = "C:\\Windows\\system32\\igfxex.exe restart" igfxex.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4408I5R-TEVI-6M47-6JKR-GTWF030F0F7Q} Loader.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4408I5R-TEVI-6M47-6JKR-GTWF030F0F7Q}\StubPath = "C:\\Windows\\system32\\igfxex.exe restart" Loader.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation igfxex.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation igfxex.exe -
Executes dropped EXE 11 IoCs
pid Process 4988 MADO_S~1.EXE 3268 Loader.exe 5064 Loader.exe 1140 igfxex.exe 4508 igfxex.exe 2844 igfxex.exe 244 igfxex.exe 4884 igfxex.exe 1540 igfxex.exe 828 igfxex.exe 4244 igfxex.exe -
Adds Run key to start application 2 TTPs 9 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\igxpers = "C:\\Windows\\system32\\igfxex.exe" igfxex.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" Mado,s Injectors.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\igxpers = "C:\\Windows\\system32\\igfxex.exe" Loader.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\igxpers = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\igfxex.exe" igfxex.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\igxpers = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\igfxex.exe" igfxex.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\igxpers = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\igfxex.exe" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\igxpers = "C:\\Windows\\system32\\igfxex.exe" Loader.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\igxpers = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\igfxex.exe" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\igxpers = "C:\\Windows\\system32\\igfxex.exe" igfxex.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\igfxex.exe igfxex.exe File opened for modification C:\Windows\SysWOW64\igfxex.exe igfxex.exe File opened for modification C:\Windows\SysWOW64\igfxex.exe Loader.exe File opened for modification C:\Windows\SysWOW64\ Loader.exe File opened for modification C:\Windows\SysWOW64\igfxex.exe igfxex.exe File opened for modification C:\Windows\SysWOW64\ igfxex.exe File created C:\Windows\SysWOW64\igfxex.exe Loader.exe File opened for modification C:\Windows\SysWOW64\igfxex.exe igfxex.exe File opened for modification C:\Windows\SysWOW64\igfxex.exe igfxex.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 3268 set thread context of 5064 3268 Loader.exe 96 PID 1140 set thread context of 4508 1140 igfxex.exe 110 PID 2844 set thread context of 244 2844 igfxex.exe 122 PID 4884 set thread context of 828 4884 igfxex.exe 140 PID 1540 set thread context of 4244 1540 igfxex.exe 141 -
resource yara_rule behavioral2/memory/5064-26-0x0000000000C80000-0x0000000000C96000-memory.dmp upx behavioral2/memory/5064-29-0x0000000000C80000-0x0000000000C96000-memory.dmp upx behavioral2/memory/5064-32-0x0000000000C80000-0x0000000000C96000-memory.dmp upx behavioral2/memory/5064-31-0x0000000000C80000-0x0000000000C96000-memory.dmp upx behavioral2/memory/5064-35-0x0000000000C80000-0x0000000000C96000-memory.dmp upx behavioral2/memory/3800-40-0x0000000000C80000-0x0000000000C96000-memory.dmp upx behavioral2/memory/5064-100-0x0000000000C80000-0x0000000000C96000-memory.dmp upx behavioral2/memory/4508-105-0x0000000000C80000-0x0000000000C96000-memory.dmp upx behavioral2/memory/4508-106-0x0000000000C80000-0x0000000000C96000-memory.dmp upx behavioral2/memory/1236-114-0x0000000000C80000-0x0000000000C96000-memory.dmp upx behavioral2/memory/244-121-0x0000000000C80000-0x0000000000C96000-memory.dmp upx behavioral2/memory/244-122-0x0000000000C80000-0x0000000000C96000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxex.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxex.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mado,s Injectors.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MADO_S~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxex.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxex.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loader.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loader.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxex.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igfxex.exe -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Loader.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxex.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxex.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 3268 Loader.exe 1140 igfxex.exe 2844 igfxex.exe 4884 igfxex.exe 1540 igfxex.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5060 wrote to memory of 4988 5060 Mado,s Injectors.exe 84 PID 5060 wrote to memory of 4988 5060 Mado,s Injectors.exe 84 PID 5060 wrote to memory of 4988 5060 Mado,s Injectors.exe 84 PID 5060 wrote to memory of 3268 5060 Mado,s Injectors.exe 95 PID 5060 wrote to memory of 3268 5060 Mado,s Injectors.exe 95 PID 5060 wrote to memory of 3268 5060 Mado,s Injectors.exe 95 PID 3268 wrote to memory of 5064 3268 Loader.exe 96 PID 3268 wrote to memory of 5064 3268 Loader.exe 96 PID 3268 wrote to memory of 5064 3268 Loader.exe 96 PID 3268 wrote to memory of 5064 3268 Loader.exe 96 PID 3268 wrote to memory of 5064 3268 Loader.exe 96 PID 3268 wrote to memory of 5064 3268 Loader.exe 96 PID 3268 wrote to memory of 5064 3268 Loader.exe 96 PID 3268 wrote to memory of 5064 3268 Loader.exe 96 PID 5064 wrote to memory of 3800 5064 Loader.exe 100 PID 5064 wrote to memory of 3800 5064 Loader.exe 100 PID 5064 wrote to memory of 3800 5064 Loader.exe 100 PID 5064 wrote to memory of 3800 5064 Loader.exe 100 PID 5064 wrote to memory of 4140 5064 Loader.exe 101 PID 5064 wrote to memory of 4140 5064 Loader.exe 101 PID 5064 wrote to memory of 4140 5064 Loader.exe 101 PID 5064 wrote to memory of 2576 5064 Loader.exe 102 PID 5064 wrote to memory of 2576 5064 Loader.exe 102 PID 5064 wrote to memory of 2576 5064 Loader.exe 102 PID 5064 wrote to memory of 2092 5064 Loader.exe 103 PID 5064 wrote to memory of 2092 5064 Loader.exe 103 PID 5064 wrote to memory of 2092 5064 Loader.exe 103 PID 5064 wrote to memory of 3120 5064 Loader.exe 104 PID 5064 wrote to memory of 3120 5064 Loader.exe 104 PID 5064 wrote to memory of 3120 5064 Loader.exe 104 PID 5064 wrote to memory of 3492 5064 Loader.exe 105 PID 5064 wrote to memory of 3492 5064 Loader.exe 105 PID 5064 wrote to memory of 3492 5064 Loader.exe 105 PID 5064 wrote to memory of 4608 5064 Loader.exe 106 PID 5064 wrote to memory of 4608 5064 Loader.exe 106 PID 5064 wrote to memory of 4608 5064 Loader.exe 106 PID 5064 wrote to memory of 3368 5064 Loader.exe 107 PID 5064 wrote to memory of 3368 5064 Loader.exe 107 PID 5064 wrote to memory of 3368 5064 Loader.exe 107 PID 5064 wrote to memory of 3532 5064 Loader.exe 108 PID 5064 wrote to memory of 3532 5064 Loader.exe 108 PID 5064 wrote to memory of 1140 5064 Loader.exe 109 PID 5064 wrote to memory of 1140 5064 Loader.exe 109 PID 5064 wrote to memory of 1140 5064 Loader.exe 109 PID 1140 wrote to memory of 4508 1140 igfxex.exe 110 PID 1140 wrote to memory of 4508 1140 igfxex.exe 110 PID 1140 wrote to memory of 4508 1140 igfxex.exe 110 PID 1140 wrote to memory of 4508 1140 igfxex.exe 110 PID 1140 wrote to memory of 4508 1140 igfxex.exe 110 PID 1140 wrote to memory of 4508 1140 igfxex.exe 110 PID 1140 wrote to memory of 4508 1140 igfxex.exe 110 PID 1140 wrote to memory of 4508 1140 igfxex.exe 110 PID 4508 wrote to memory of 1236 4508 igfxex.exe 112 PID 4508 wrote to memory of 1236 4508 igfxex.exe 112 PID 4508 wrote to memory of 1236 4508 igfxex.exe 112 PID 4508 wrote to memory of 1236 4508 igfxex.exe 112 PID 4508 wrote to memory of 1340 4508 igfxex.exe 113 PID 4508 wrote to memory of 1340 4508 igfxex.exe 113 PID 4508 wrote to memory of 1340 4508 igfxex.exe 113 PID 4508 wrote to memory of 4548 4508 igfxex.exe 114 PID 4508 wrote to memory of 4548 4508 igfxex.exe 114 PID 4508 wrote to memory of 4548 4508 igfxex.exe 114 PID 4508 wrote to memory of 3616 4508 igfxex.exe 115 PID 4508 wrote to memory of 3616 4508 igfxex.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chams Sudden + Mado,s Injectors\Mado,s Injectors.exe"C:\Users\Admin\AppData\Local\Temp\Chams Sudden + Mado,s Injectors\Mado,s Injectors.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MADO_S~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MADO_S~1.EXE2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4988
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loader.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loader.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loader.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loader.exe"3⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\svchost.exesvchost.exe4⤵
- System Location Discovery: System Language Discovery
PID:3800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵PID:4140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵PID:2576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵PID:2092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵PID:3120
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵PID:3492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵PID:4608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵PID:3368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵PID:3532
-
-
C:\Windows\SysWOW64\igfxex.exe"C:\Windows\system32\igfxex.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\igfxex.exe"C:\Windows\SysWOW64\igfxex.exe"5⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\svchost.exesvchost.exe6⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1236 -
C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4884 -
C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"8⤵
- Executes dropped EXE
PID:828
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:3616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:3056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4112
-
-
C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2844 -
C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"7⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:244 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:4220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:2944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:216
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:4364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:2468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:3648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:560
-
-
C:\Windows\SysWOW64\igfxex.exe"C:\Windows\system32\igfxex.exe"8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1540 -
C:\Windows\SysWOW64\igfxex.exe"C:\Windows\SysWOW64\igfxex.exe"9⤵
- Executes dropped EXE
PID:4244
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
77KB
MD5cb275238e6c08192075e261eecdbc0c8
SHA1d1d7a89ae800bede57ef509de76dce39aff5f84d
SHA2562dce79436d9b5235d04c6e1d0318d2deb2dca03d1decc704cf58fabdff171578
SHA51237940f1f3e8f9f3b7969b9c3410a53102255b6f227ea0ab94d6d7aef541509025c5bdfd0948334fa471a07e7e11a4a57b2f8e7b1191a7113f87ccdd9b00e36de
-
Filesize
420KB
MD52efd4a79ced9c8760b7341199b306e43
SHA1d4addcbb0b769ceb93fb8bd6a0d806137f3e3e05
SHA25664d4c916b2f76cb14c481f8656d04d175fe4520632a97509de1ad320e95f8216
SHA5126e0421c6f298a6ed0182f982ae634eca2b6ace5aae47bf97a626a9dde6ae7db613791a7b0d503334738456dc4ad718eaf21d9b9e69c0a5ee414a75aec372c74f
-
Filesize
1KB
MD5514468d945ec5abfc0f92cc933b8eb12
SHA15c82a888e771ebdf168bd78a1e99b6fbbae8e3eb
SHA256292056d2a81831a7159dd9b61d87232df8f3de5b0150bf48890b5e13db36944b
SHA5123da97b90763a038e0a192a0fefb35eedd8f601689974d23e1ec7f1ded2ebaa7f4fd34d1d2c839f18b770a8e920e00062f04566d016eef628386de331cdaa5a74