Analysis
max time kernel: 149s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2024 00:04

Static task: static1
Behavioral task: behavioral1
  Sample: 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe
  Resource: win10v2004-20241007-en

General
Target: 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe
Size: 130KB
MD5: 9800cc568d34ab93a585eb640313fdc2
SHA1: fd0817266331bcf3c48bba94d701ed0f4dd4b69b
SHA256: dbd6345e0329d3ffb4e04a695c678e27b71f887b8b767c7a7d8c7db0f91e8a3c
SHA512: 836b7f4ee138f3f3716ea7ebbc30cf7a6f645a6e291183019f9cf73fef841aba8fd344ddd24f840cd28f0c3a866ff86498da8bcebaa3875ed1f46ff260dfd075
SSDEEP: 3072:TLwEBbPERA6g2gThra6LQAKEfSo9pOcOWhVjtg:TMCPER02e9QqjpVOWBg

Malware Config
Extracted
  Family: metasploit
  encoder/call4_dword_xor

Signatures
MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Checks computer location settings (2 TTPs, 26 IoCs)
  Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wnfpt4.exe
Deletes itself (1 IoCs)
pid | Process
1480 | wnfpt4.exe
Executes dropped EXE (51 IoCs)
pid | Process
1696 | wnfpt4.exe
1480 | wnfpt4.exe
1460 | wnfpt4.exe
408 | wnfpt4.exe
748 | wnfpt4.exe
4388 | wnfpt4.exe
3584 | wnfpt4.exe
4864 | wnfpt4.exe
4180 | wnfpt4.exe
3176 | wnfpt4.exe
4672 | wnfpt4.exe
2456 | wnfpt4.exe
1400 | wnfpt4.exe
4288 | wnfpt4.exe
4256 | wnfpt4.exe
4928 | wnfpt4.exe
60 | wnfpt4.exe
2872 | wnfpt4.exe
1228 | wnfpt4.exe
1676 | wnfpt4.exe
4576 | wnfpt4.exe
2184 | wnfpt4.exe
2996 | wnfpt4.exe
2236 | wnfpt4.exe
1652 | wnfpt4.exe
4804 | wnfpt4.exe
1776 | wnfpt4.exe
4680 | wnfpt4.exe
4396 | wnfpt4.exe
872 | wnfpt4.exe
4348 | wnfpt4.exe
3808 | wnfpt4.exe
3816 | wnfpt4.exe
884 | wnfpt4.exe
5104 | wnfpt4.exe
2248 | wnfpt4.exe
2892 | wnfpt4.exe
4868 | wnfpt4.exe
2680 | wnfpt4.exe
4276 | wnfpt4.exe
4084 | wnfpt4.exe
2268 | wnfpt4.exe
4152 | wnfpt4.exe
4648 | wnfpt4.exe
64 | wnfpt4.exe
4940 | wnfpt4.exe
760 | wnfpt4.exe
2980 | wnfpt4.exe
2692 | wnfpt4.exe
4852 | wnfpt4.exe
2016 | wnfpt4.exe
Maps connected drives based on registry (3 TTPs, 52 IoCs)
  Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnfpt4.exe
Drops file in System32 directory (52 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File opened for modification | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
File created | C:\Windows\SysWOW64\wnfpt4.exe | wnfpt4.exe
Suspicious use of SetThreadContext (26 IoCs)
description | pid | Process | procid_target
PID 4736 set thread context of 3952 | 4736 | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe | 82
PID 1696 set thread context of 1480 | 1696 | wnfpt4.exe | 88
PID 1460 set thread context of 408 | 1460 | wnfpt4.exe | 93
PID 748 set thread context of 4388 | 748 | wnfpt4.exe | 95
PID 3584 set thread context of 4864 | 3584 | wnfpt4.exe | 97
PID 4180 set thread context of 3176 | 4180 | wnfpt4.exe | 99
PID 4672 set thread context of 2456 | 4672 | wnfpt4.exe | 102
PID 1400 set thread context of 4288 | 1400 | wnfpt4.exe | 104
PID 4256 set thread context of 4928 | 4256 | wnfpt4.exe | 107
PID 60 set thread context of 2872 | 60 | wnfpt4.exe | 109
PID 1228 set thread context of 1676 | 1228 | wnfpt4.exe | 111
PID 4576 set thread context of 2184 | 4576 | wnfpt4.exe | 113
PID 2996 set thread context of 2236 | 2996 | wnfpt4.exe | 115
PID 1652 set thread context of 4804 | 1652 | wnfpt4.exe | 117
PID 1776 set thread context of 4680 | 1776 | wnfpt4.exe | 119
PID 4396 set thread context of 872 | 4396 | wnfpt4.exe | 121
PID 4348 set thread context of 3808 | 4348 | wnfpt4.exe | 123
PID 3816 set thread context of 884 | 3816 | wnfpt4.exe | 125
PID 5104 set thread context of 2248 | 5104 | wnfpt4.exe | 127
PID 2892 set thread context of 4868 | 2892 | wnfpt4.exe | 129
PID 2680 set thread context of 4276 | 2680 | wnfpt4.exe | 131
PID 4084 set thread context of 2268 | 4084 | wnfpt4.exe | 133
PID 4152 set thread context of 4648 | 4152 | wnfpt4.exe | 135
PID 64 set thread context of 4940 | 64 | wnfpt4.exe | 137
PID 760 set thread context of 2980 | 760 | wnfpt4.exe | 139
PID 2692 set thread context of 4852 | 2692 | wnfpt4.exe | 141
resource | yara_rule
behavioral2/memory/3952-2-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/3952-3-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/3952-4-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/3952-5-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/3952-39-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/1480-44-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/1480-45-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/1480-46-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/1480-48-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/408-52-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/408-53-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/408-58-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/4388-61-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/4388-62-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/4388-63-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/4864-73-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/3176-81-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/2456-86-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/4288-94-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/4928-101-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/2872-108-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/1676-115-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/2184-121-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/2236-131-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/4804-140-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/4680-148-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/872-156-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/3808-165-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/884-173-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/2248-181-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/4868-189-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/4276-197-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/2268-205-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/4648-213-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/4940-219-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/2980-225-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/4852-231-0x0000000000400000-0x0000000000458000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 53 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wnfpt4.exe
Modifies registry class (26 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnfpt4.exe
Suspicious behavior: EnumeratesProcesses (52 IoCs)
pid | Process
3952 | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe
3952 | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe
1480 | wnfpt4.exe
1480 | wnfpt4.exe
408 | wnfpt4.exe
408 | wnfpt4.exe
4388 | wnfpt4.exe
4388 | wnfpt4.exe
4864 | wnfpt4.exe
4864 | wnfpt4.exe
3176 | wnfpt4.exe
3176 | wnfpt4.exe
2456 | wnfpt4.exe
2456 | wnfpt4.exe
4288 | wnfpt4.exe
4288 | wnfpt4.exe
4928 | wnfpt4.exe
4928 | wnfpt4.exe
2872 | wnfpt4.exe
2872 | wnfpt4.exe
1676 | wnfpt4.exe
1676 | wnfpt4.exe
2184 | wnfpt4.exe
2184 | wnfpt4.exe
2236 | wnfpt4.exe
2236 | wnfpt4.exe
4804 | wnfpt4.exe
4804 | wnfpt4.exe
4680 | wnfpt4.exe
4680 | wnfpt4.exe
872 | wnfpt4.exe
872 | wnfpt4.exe
3808 | wnfpt4.exe
3808 | wnfpt4.exe
884 | wnfpt4.exe
884 | wnfpt4.exe
2248 | wnfpt4.exe
2248 | wnfpt4.exe
4868 | wnfpt4.exe
4868 | wnfpt4.exe
4276 | wnfpt4.exe
4276 | wnfpt4.exe
2268 | wnfpt4.exe
2268 | wnfpt4.exe
4648 | wnfpt4.exe
4648 | wnfpt4.exe
4940 | wnfpt4.exe
4940 | wnfpt4.exe
2980 | wnfpt4.exe
2980 | wnfpt4.exe
4852 | wnfpt4.exe
4852 | wnfpt4.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4736 wrote to memory of 3952 | 4736 | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe | 82
PID 4736 wrote to memory of 3952 | 4736 | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe | 82
PID 4736 wrote to memory of 3952 | 4736 | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe | 82
PID 4736 wrote to memory of 3952 | 4736 | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe | 82
PID 4736 wrote to memory of 3952 | 4736 | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe | 82
PID 4736 wrote to memory of 3952 | 4736 | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe | 82
PID 4736 wrote to memory of 3952 | 4736 | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe | 82
PID 3952 wrote to memory of 1696 | 3952 | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe | 87
PID 3952 wrote to memory of 1696 | 3952 | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe | 87
PID 3952 wrote to memory of 1696 | 3952 | 9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe | 87
PID 1696 wrote to memory of 1480 | 1696 | wnfpt4.exe | 88
PID 1696 wrote to memory of 1480 | 1696 | wnfpt4.exe | 88
PID 1696 wrote to memory of 1480 | 1696 | wnfpt4.exe | 88
PID 1696 wrote to memory of 1480 | 1696 | wnfpt4.exe | 88
PID 1696 wrote to memory of 1480 | 1696 | wnfpt4.exe | 88
PID 1696 wrote to memory of 1480 | 1696 | wnfpt4.exe | 88
PID 1696 wrote to memory of 1480 | 1696 | wnfpt4.exe | 88
PID 1480 wrote to memory of 1460 | 1480 | wnfpt4.exe | 92
PID 1480 wrote to memory of 1460 | 1480 | wnfpt4.exe | 92
PID 1480 wrote to memory of 1460 | 1480 | wnfpt4.exe | 92
PID 1460 wrote to memory of 408 | 1460 | wnfpt4.exe | 93
PID 1460 wrote to memory of 408 | 1460 | wnfpt4.exe | 93
PID 1460 wrote to memory of 408 | 1460 | wnfpt4.exe | 93
PID 1460 wrote to memory of 408 | 1460 | wnfpt4.exe | 93
PID 1460 wrote to memory of 408 | 1460 | wnfpt4.exe | 93
PID 1460 wrote to memory of 408 | 1460 | wnfpt4.exe | 93
PID 1460 wrote to memory of 408 | 1460 | wnfpt4.exe | 93
PID 408 wrote to memory of 748 | 408 | wnfpt4.exe | 94
PID 408 wrote to memory of 748 | 408 | wnfpt4.exe | 94
PID 408 wrote to memory of 748 | 408 | wnfpt4.exe | 94
PID 748 wrote to memory of 4388 | 748 | wnfpt4.exe | 95
PID 748 wrote to memory of 4388 | 748 | wnfpt4.exe | 95
PID 748 wrote to memory of 4388 | 748 | wnfpt4.exe | 95
PID 748 wrote to memory of 4388 | 748 | wnfpt4.exe | 95
PID 748 wrote to memory of 4388 | 748 | wnfpt4.exe | 95
PID 748 wrote to memory of 4388 | 748 | wnfpt4.exe | 95
PID 748 wrote to memory of 4388 | 748 | wnfpt4.exe | 95
PID 4388 wrote to memory of 3584 | 4388 | wnfpt4.exe | 96
PID 4388 wrote to memory of 3584 | 4388 | wnfpt4.exe | 96
PID 4388 wrote to memory of 3584 | 4388 | wnfpt4.exe | 96
PID 3584 wrote to memory of 4864 | 3584 | wnfpt4.exe | 97
PID 3584 wrote to memory of 4864 | 3584 | wnfpt4.exe | 97
PID 3584 wrote to memory of 4864 | 3584 | wnfpt4.exe | 97
PID 3584 wrote to memory of 4864 | 3584 | wnfpt4.exe | 97
PID 3584 wrote to memory of 4864 | 3584 | wnfpt4.exe | 97
PID 3584 wrote to memory of 4864 | 3584 | wnfpt4.exe | 97
PID 3584 wrote to memory of 4864 | 3584 | wnfpt4.exe | 97
PID 4864 wrote to memory of 4180 | 4864 | wnfpt4.exe | 98
PID 4864 wrote to memory of 4180 | 4864 | wnfpt4.exe | 98
PID 4864 wrote to memory of 4180 | 4864 | wnfpt4.exe | 98
PID 4180 wrote to memory of 3176 | 4180 | wnfpt4.exe | 99
PID 4180 wrote to memory of 3176 | 4180 | wnfpt4.exe | 99
PID 4180 wrote to memory of 3176 | 4180 | wnfpt4.exe | 99
PID 4180 wrote to memory of 3176 | 4180 | wnfpt4.exe | 99
PID 4180 wrote to memory of 3176 | 4180 | wnfpt4.exe | 99
PID 4180 wrote to memory of 3176 | 4180 | wnfpt4.exe | 99
PID 4180 wrote to memory of 3176 | 4180 | wnfpt4.exe | 99
PID 3176 wrote to memory of 4672 | 3176 | wnfpt4.exe | 101
PID 3176 wrote to memory of 4672 | 3176 | wnfpt4.exe | 101
PID 3176 wrote to memory of 4672 | 3176 | wnfpt4.exe | 101
PID 4672 wrote to memory of 2456 | 4672 | wnfpt4.exe | 102
PID 4672 wrote to memory of 2456 | 4672 | wnfpt4.exe | 102
PID 4672 wrote to memory of 2456 | 4672 | wnfpt4.exe | 102
PID 4672 wrote to memory of 2456 | 4672 | wnfpt4.exe | 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9800cc568d34ab93a585eb640313fdc2_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\wnfpt4.exe"C:\Windows\system32\wnfpt4.exe" C:\Users\Admin\AppData\Local\Temp\9800CC~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Users\Admin\AppData\Local\Temp\9800CC~1.EXE (level 4)
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 6)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 7)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 8)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 9)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 10)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 11)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 12)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 13)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 14)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2456 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 15)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1400 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 16)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4288 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 17)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4256 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 18)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4928 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 19)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:60 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 20)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2872 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 21)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1228 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 22)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1676 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 23)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4576 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 24)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2184 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 25)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 26)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2236 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 27)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 28)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4804 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 29)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 30)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4680 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 31)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4396 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 32)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:872 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 33)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4348 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 34)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3808 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 35)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3816 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 36)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:884 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 37)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5104 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 38)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2248 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 39)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 40)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4868 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 41)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 42)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4276 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 43)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4084 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 44)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2268 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 45)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4152 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 46)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4648 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 47)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:64 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 48)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4940 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 49)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:760 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 50)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2980 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 51)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 52)
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4852 -
C:\Windows\SysWOW64\wnfpt4.exe "C:\Windows\system32\wnfpt4.exe" C:\Windows\SysWOW64\wnfpt4.exe (level 53)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2016
Network
-
Remote address: 8.8.8.8:53
Request: 8.8.8.8.in-addr.arpa IN PTR
Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
-
Remote address: 8.8.8.8:53
Request: 172.214.232.199.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 149.220.183.52.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 68.32.126.40.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 133.211.185.52.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 200.163.202.172.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 241.42.69.40.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 172.210.232.199.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 30.243.111.52.in-addr.arpa IN PTR
Response:
-
Bytes sent / bytes received / packets sent / packets received / DNS request
66 B / 90 B / 1 / 1 / DNS Request 8.8.8.8.in-addr.arpa
74 B / 128 B / 1 / 1 / DNS Request 172.214.232.199.in-addr.arpa
73 B / 147 B / 1 / 1 / DNS Request 149.220.183.52.in-addr.arpa
71 B / 157 B / 1 / 1 / DNS Request 68.32.126.40.in-addr.arpa
73 B / 144 B / 1 / 1 / DNS Request 95.221.229.192.in-addr.arpa
73 B / 147 B / 1 / 1 / DNS Request 133.211.185.52.in-addr.arpa
74 B / 160 B / 1 / 1 / DNS Request 200.163.202.172.in-addr.arpa
71 B / 145 B / 1 / 1 / DNS Request 241.42.69.40.in-addr.arpa
74 B / 128 B / 1 / 1 / DNS Request 172.210.232.199.in-addr.arpa
72 B / 158 B / 1 / 1 / DNS Request 30.243.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
130KB
MD5 9800cc568d34ab93a585eb640313fdc2
SHA1 fd0817266331bcf3c48bba94d701ed0f4dd4b69b
SHA256 dbd6345e0329d3ffb4e04a695c678e27b71f887b8b767c7a7d8c7db0f91e8a3c
SHA512 836b7f4ee138f3f3716ea7ebbc30cf7a6f645a6e291183019f9cf73fef841aba8fd344ddd24f840cd28f0c3a866ff86498da8bcebaa3875ed1f46ff260dfd075