Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2024 00:04

General

  • Target

    9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe

  • Size

    130KB

  • MD5

    9800cc568d34ab93a585eb640313fdc2

  • SHA1

    fd0817266331bcf3c48bba94d701ed0f4dd4b69b

  • SHA256

    dbd6345e0329d3ffb4e04a695c678e27b71f887b8b767c7a7d8c7db0f91e8a3c

  • SHA512

    836b7f4ee138f3f3716ea7ebbc30cf7a6f645a6e291183019f9cf73fef841aba8fd344ddd24f840cd28f0c3a866ff86498da8bcebaa3875ed1f46ff260dfd075

  • SSDEEP

    3072:TLwEBbPERA6g2gThra6LQAKEfSo9pOcOWhVjtg:TMCPER02e9QqjpVOWBg

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Checks computer location settings 2 TTPs 26 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 51 IoCs
  • Maps connected drives based on registry 3 TTPs 52 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 52 IoCs
  • Suspicious use of SetThreadContext 26 IoCs
  • UPX packed file 37 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 26 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Users\Admin\AppData\Local\Temp\9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Windows\SysWOW64\wnfpt4.exe
        "C:\Windows\system32\wnfpt4.exe" C:\Users\Admin\AppData\Local\Temp\9800CC~1.EXE
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Windows\SysWOW64\wnfpt4.exe
          "C:\Windows\system32\wnfpt4.exe" C:\Users\Admin\AppData\Local\Temp\9800CC~1.EXE
          4⤵
          • Checks computer location settings
          • Deletes itself
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1480
          • C:\Windows\SysWOW64\wnfpt4.exe
            "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1460
            • C:\Windows\SysWOW64\wnfpt4.exe
              "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Maps connected drives based on registry
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:408
              • C:\Windows\SysWOW64\wnfpt4.exe
                "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:748
                • C:\Windows\SysWOW64\wnfpt4.exe
                  "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Maps connected drives based on registry
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:4388
                  • C:\Windows\SysWOW64\wnfpt4.exe
                    "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:3584
                    • C:\Windows\SysWOW64\wnfpt4.exe
                      "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Maps connected drives based on registry
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:4864
                      • C:\Windows\SysWOW64\wnfpt4.exe
                        "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:4180
                        • C:\Windows\SysWOW64\wnfpt4.exe
                          "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                          12⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Maps connected drives based on registry
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          PID:3176
                          • C:\Windows\SysWOW64\wnfpt4.exe
                            "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                            13⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:4672
                            • C:\Windows\SysWOW64\wnfpt4.exe
                              "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                              14⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Maps connected drives based on registry
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2456
                              • C:\Windows\SysWOW64\wnfpt4.exe
                                "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                15⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:1400
                                • C:\Windows\SysWOW64\wnfpt4.exe
                                  "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                  16⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Maps connected drives based on registry
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:4288
                                  • C:\Windows\SysWOW64\wnfpt4.exe
                                    "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • System Location Discovery: System Language Discovery
                                    PID:4256
                                    • C:\Windows\SysWOW64\wnfpt4.exe
                                      "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                      18⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Maps connected drives based on registry
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:4928
                                      • C:\Windows\SysWOW64\wnfpt4.exe
                                        "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        • System Location Discovery: System Language Discovery
                                        PID:60
                                        • C:\Windows\SysWOW64\wnfpt4.exe
                                          "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                          20⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Maps connected drives based on registry
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:2872
                                          • C:\Windows\SysWOW64\wnfpt4.exe
                                            "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            • System Location Discovery: System Language Discovery
                                            PID:1228
                                            • C:\Windows\SysWOW64\wnfpt4.exe
                                              "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                              22⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Maps connected drives based on registry
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:1676
                                              • C:\Windows\SysWOW64\wnfpt4.exe
                                                "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                23⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                • System Location Discovery: System Language Discovery
                                                PID:4576
                                                • C:\Windows\SysWOW64\wnfpt4.exe
                                                  "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                  24⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Maps connected drives based on registry
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:2184
                                                  • C:\Windows\SysWOW64\wnfpt4.exe
                                                    "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of SetThreadContext
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2996
                                                    • C:\Windows\SysWOW64\wnfpt4.exe
                                                      "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                      26⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Maps connected drives based on registry
                                                      • Drops file in System32 directory
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:2236
                                                      • C:\Windows\SysWOW64\wnfpt4.exe
                                                        "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1652
                                                        • C:\Windows\SysWOW64\wnfpt4.exe
                                                          "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                          28⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Maps connected drives based on registry
                                                          • Drops file in System32 directory
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies registry class
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:4804
                                                          • C:\Windows\SysWOW64\wnfpt4.exe
                                                            "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1776
                                                            • C:\Windows\SysWOW64\wnfpt4.exe
                                                              "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                              30⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Maps connected drives based on registry
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              PID:4680
                                                              • C:\Windows\SysWOW64\wnfpt4.exe
                                                                "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • System Location Discovery: System Language Discovery
                                                                PID:4396
                                                                • C:\Windows\SysWOW64\wnfpt4.exe
                                                                  "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                  32⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Maps connected drives based on registry
                                                                  • Drops file in System32 directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Modifies registry class
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:872
                                                                  • C:\Windows\SysWOW64\wnfpt4.exe
                                                                    "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:4348
                                                                    • C:\Windows\SysWOW64\wnfpt4.exe
                                                                      "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                      34⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Maps connected drives based on registry
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:3808
                                                                      • C:\Windows\SysWOW64\wnfpt4.exe
                                                                        "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetThreadContext
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:3816
                                                                        • C:\Windows\SysWOW64\wnfpt4.exe
                                                                          "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                          36⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Maps connected drives based on registry
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Modifies registry class
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          PID:884
                                                                          • C:\Windows\SysWOW64\wnfpt4.exe
                                                                            "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:5104
                                                                            • C:\Windows\SysWOW64\wnfpt4.exe
                                                                              "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                              38⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Maps connected drives based on registry
                                                                              • Drops file in System32 directory
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:2248
                                                                              • C:\Windows\SysWOW64\wnfpt4.exe
                                                                                "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetThreadContext
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:2892
                                                                                • C:\Windows\SysWOW64\wnfpt4.exe
                                                                                  "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                                  40⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Maps connected drives based on registry
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry class
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  PID:4868
                                                                                  • C:\Windows\SysWOW64\wnfpt4.exe
                                                                                    "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of SetThreadContext
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:2680
                                                                                    • C:\Windows\SysWOW64\wnfpt4.exe
                                                                                      "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                                      42⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Maps connected drives based on registry
                                                                                      • Drops file in System32 directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      PID:4276
                                                                                      • C:\Windows\SysWOW64\wnfpt4.exe
                                                                                        "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of SetThreadContext
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:4084
                                                                                        • C:\Windows\SysWOW64\wnfpt4.exe
                                                                                          "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                                          44⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Maps connected drives based on registry
                                                                                          • Drops file in System32 directory
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Modifies registry class
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          PID:2268
                                                                                          • C:\Windows\SysWOW64\wnfpt4.exe
                                                                                            "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of SetThreadContext
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:4152
                                                                                            • C:\Windows\SysWOW64\wnfpt4.exe
                                                                                              "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                                              46⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Maps connected drives based on registry
                                                                                              • Drops file in System32 directory
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry class
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              PID:4648
                                                                                              • C:\Windows\SysWOW64\wnfpt4.exe
                                                                                                "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of SetThreadContext
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:64
                                                                                                • C:\Windows\SysWOW64\wnfpt4.exe
                                                                                                  "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                                                  48⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Maps connected drives based on registry
                                                                                                  • Drops file in System32 directory
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Modifies registry class
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  PID:4940
                                                                                                  • C:\Windows\SysWOW64\wnfpt4.exe
                                                                                                    "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:760
                                                                                                    • C:\Windows\SysWOW64\wnfpt4.exe
                                                                                                      "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                                                      50⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Maps connected drives based on registry
                                                                                                      • Drops file in System32 directory
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Modifies registry class
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      PID:2980
                                                                                                      • C:\Windows\SysWOW64\wnfpt4.exe
                                                                                                        "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious use of SetThreadContext
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:2692
                                                                                                        • C:\Windows\SysWOW64\wnfpt4.exe
                                                                                                          "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                                                          52⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Maps connected drives based on registry
                                                                                                          • Drops file in System32 directory
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Modifies registry class
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          PID:4852
                                                                                                          • C:\Windows\SysWOW64\wnfpt4.exe
                                                                                                            "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:2016

Network

  • DNS 8.8.8.8.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • DNS 172.214.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 172.214.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 149.220.183.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 149.220.183.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 68.32.126.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 68.32.126.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 133.211.185.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 133.211.185.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 200.163.202.172.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 200.163.202.172.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 241.42.69.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 241.42.69.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 172.210.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 172.210.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 30.243.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 30.243.111.52.in-addr.arpa IN PTR
    Response: (empty)
  Remote address  DNS Request                   Protocol  Sent  Received  Requests  Responses
  8.8.8.8:53      8.8.8.8.in-addr.arpa          dns       66 B  90 B      1         1
  8.8.8.8:53      172.214.232.199.in-addr.arpa  dns       74 B  128 B     1         1
  8.8.8.8:53      149.220.183.52.in-addr.arpa   dns       73 B  147 B     1         1
  8.8.8.8:53      68.32.126.40.in-addr.arpa     dns       71 B  157 B     1         1
  8.8.8.8:53      95.221.229.192.in-addr.arpa   dns       73 B  144 B     1         1
  8.8.8.8:53      133.211.185.52.in-addr.arpa   dns       73 B  147 B     1         1
  8.8.8.8:53      200.163.202.172.in-addr.arpa  dns       74 B  160 B     1         1
  8.8.8.8:53      241.42.69.40.in-addr.arpa     dns       71 B  145 B     1         1
  8.8.8.8:53      172.210.232.199.in-addr.arpa  dns       74 B  128 B     1         1
  8.8.8.8:53      30.243.111.52.in-addr.arpa    dns       72 B  158 B     1         1

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\wnfpt4.exe
    Filesize: 130KB
    MD5: 9800cc568d34ab93a585eb640313fdc2
    SHA1: fd0817266331bcf3c48bba94d701ed0f4dd4b69b
    SHA256: dbd6345e0329d3ffb4e04a695c678e27b71f887b8b767c7a7d8c7db0f91e8a3c
    SHA512: 836b7f4ee138f3f3716ea7ebbc30cf7a6f645a6e291183019f9cf73fef841aba8fd344ddd24f840cd28f0c3a866ff86498da8bcebaa3875ed1f46ff260dfd075
  • memory/408-58-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/408-52-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/408-53-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/872-156-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/884-173-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/1480-44-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/1480-46-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/1480-45-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/1480-48-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/1676-115-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/2184-121-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/2236-131-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/2248-181-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/2268-205-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/2456-86-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/2872-108-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/2980-225-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/3176-81-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/3808-165-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/3952-3-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/3952-2-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/3952-4-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/3952-5-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/3952-39-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/4276-197-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/4288-94-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/4388-61-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/4388-62-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/4388-63-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/4648-213-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/4680-148-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/4804-140-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/4852-231-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/4864-73-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/4868-189-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/4928-101-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/4940-219-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)