Analysis
max time kernel: 114s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2024 02:48
Static task: static1
Behavioral task: behavioral1
Sample: 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
Resource: win10v2004-20241007-en
General
Target: 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
Size: 169KB
MD5: e83af87e383252472f4ca9f82cccfbc5
SHA1: 6214e06e15d90ab6bacfc0fd060ff5016d57f8fc
SHA256: 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c
SHA512: e881d5e3fa2738bbba085b5a3fc6594471f5851b25124113ec1c62ca3e52fae67734e96e02f0a023e2a3f69b8115a384a0d58c53482f6a24748c7fd61d087e2e
SSDEEP: 3072:T2+GEkAt+zuO5J20X6dyAvqsmdgqMeictkS418Odmtuo5A7Soz2W+:rkbuO5J2Xyt1JS5Dmtuo5A2oKW+
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Metasploit family
Checks computer location settings (2 TTPs, 13 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxwl32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxwl32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxwl32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxwl32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxwl32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxwl32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxwl32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxwl32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxwl32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxwl32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxwl32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | igfxwl32.exe
Deletes itself (1 IoC)
pid | Process
2464 | igfxwl32.exe
Executes dropped EXE (25 IoCs)
pid | Process
2788 | igfxwl32.exe
2464 | igfxwl32.exe
2964 | igfxwl32.exe
1952 | igfxwl32.exe
2224 | igfxwl32.exe
1856 | igfxwl32.exe
2548 | igfxwl32.exe
4600 | igfxwl32.exe
4180 | igfxwl32.exe
2932 | igfxwl32.exe
2324 | igfxwl32.exe
3824 | igfxwl32.exe
4796 | igfxwl32.exe
872 | igfxwl32.exe
4980 | igfxwl32.exe
2016 | igfxwl32.exe
2628 | igfxwl32.exe
1884 | igfxwl32.exe
2512 | igfxwl32.exe
5024 | igfxwl32.exe
2032 | igfxwl32.exe
5088 | igfxwl32.exe
1804 | igfxwl32.exe
2472 | igfxwl32.exe
732 | igfxwl32.exe
Maps connected drives based on registry (3 TTPs, 26 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwl32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwl32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwl32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwl32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwl32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwl32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwl32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwl32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwl32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwl32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwl32.exe
Drops file in System32 directory (39 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\ | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwl32.exe
File created | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File created | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwl32.exe
File created | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwl32.exe
File created | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwl32.exe
File created | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwl32.exe
File created | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File created | C:\Windows\SysWOW64\igfxwl32.exe | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwl32.exe
File created | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File created | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File created | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwl32.exe
File created | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwl32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File created | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
File created | C:\Windows\SysWOW64\igfxwl32.exe | igfxwl32.exe
Suspicious use of SetThreadContext (13 IoCs)
description | pid | Process | procid_target
PID 2364 set thread context of 3424 | 2364 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe | 82
PID 2788 set thread context of 2464 | 2788 | igfxwl32.exe | 91
PID 2964 set thread context of 1952 | 2964 | igfxwl32.exe | 93
PID 2224 set thread context of 1856 | 2224 | igfxwl32.exe | 97
PID 2548 set thread context of 4600 | 2548 | igfxwl32.exe | 99
PID 4180 set thread context of 2932 | 4180 | igfxwl32.exe | 101
PID 2324 set thread context of 3824 | 2324 | igfxwl32.exe | 103
PID 4796 set thread context of 872 | 4796 | igfxwl32.exe | 105
PID 4980 set thread context of 2016 | 4980 | igfxwl32.exe | 107
PID 2628 set thread context of 1884 | 2628 | igfxwl32.exe | 109
PID 2512 set thread context of 5024 | 2512 | igfxwl32.exe | 111
PID 2032 set thread context of 5088 | 2032 | igfxwl32.exe | 113
PID 1804 set thread context of 2472 | 1804 | igfxwl32.exe | 115
resource | yara_rule
behavioral2/memory/3424-0-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3424-2-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3424-3-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3424-4-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3424-38-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2464-45-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2464-47-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1952-53-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1856-60-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4600-68-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2932-76-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3824-83-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/872-89-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2016-97-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1884-104-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/5024-110-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/5088-117-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2472-127-0x0000000000400000-0x0000000000466000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 26 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxwl32.exe
Modifies registry class (13 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwl32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2364 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
2364 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
3424 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
3424 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
3424 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
3424 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
2788 | igfxwl32.exe
2788 | igfxwl32.exe
2464 | igfxwl32.exe
2464 | igfxwl32.exe
2464 | igfxwl32.exe
2464 | igfxwl32.exe
2964 | igfxwl32.exe
2964 | igfxwl32.exe
1952 | igfxwl32.exe
1952 | igfxwl32.exe
1952 | igfxwl32.exe
1952 | igfxwl32.exe
2224 | igfxwl32.exe
2224 | igfxwl32.exe
1856 | igfxwl32.exe
1856 | igfxwl32.exe
1856 | igfxwl32.exe
1856 | igfxwl32.exe
2548 | igfxwl32.exe
2548 | igfxwl32.exe
4600 | igfxwl32.exe
4600 | igfxwl32.exe
4600 | igfxwl32.exe
4600 | igfxwl32.exe
4180 | igfxwl32.exe
4180 | igfxwl32.exe
2932 | igfxwl32.exe
2932 | igfxwl32.exe
2932 | igfxwl32.exe
2932 | igfxwl32.exe
2324 | igfxwl32.exe
2324 | igfxwl32.exe
3824 | igfxwl32.exe
3824 | igfxwl32.exe
3824 | igfxwl32.exe
3824 | igfxwl32.exe
4796 | igfxwl32.exe
4796 | igfxwl32.exe
872 | igfxwl32.exe
872 | igfxwl32.exe
872 | igfxwl32.exe
872 | igfxwl32.exe
4980 | igfxwl32.exe
4980 | igfxwl32.exe
2016 | igfxwl32.exe
2016 | igfxwl32.exe
2016 | igfxwl32.exe
2016 | igfxwl32.exe
2628 | igfxwl32.exe
2628 | igfxwl32.exe
1884 | igfxwl32.exe
1884 | igfxwl32.exe
1884 | igfxwl32.exe
1884 | igfxwl32.exe
2512 | igfxwl32.exe
2512 | igfxwl32.exe
5024 | igfxwl32.exe
5024 | igfxwl32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2364 wrote to memory of 3424 | 2364 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe | 82
PID 2364 wrote to memory of 3424 | 2364 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe | 82
PID 2364 wrote to memory of 3424 | 2364 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe | 82
PID 2364 wrote to memory of 3424 | 2364 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe | 82
PID 2364 wrote to memory of 3424 | 2364 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe | 82
PID 2364 wrote to memory of 3424 | 2364 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe | 82
PID 2364 wrote to memory of 3424 | 2364 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe | 82
PID 3424 wrote to memory of 2788 | 3424 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe | 86
PID 3424 wrote to memory of 2788 | 3424 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe | 86
PID 3424 wrote to memory of 2788 | 3424 | 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe | 86
PID 2788 wrote to memory of 2464 | 2788 | igfxwl32.exe | 91
PID 2788 wrote to memory of 2464 | 2788 | igfxwl32.exe | 91
PID 2788 wrote to memory of 2464 | 2788 | igfxwl32.exe | 91
PID 2788 wrote to memory of 2464 | 2788 | igfxwl32.exe | 91
PID 2788 wrote to memory of 2464 | 2788 | igfxwl32.exe | 91
PID 2788 wrote to memory of 2464 | 2788 | igfxwl32.exe | 91
PID 2788 wrote to memory of 2464 | 2788 | igfxwl32.exe | 91
PID 2464 wrote to memory of 2964 | 2464 | igfxwl32.exe | 92
PID 2464 wrote to memory of 2964 | 2464 | igfxwl32.exe | 92
PID 2464 wrote to memory of 2964 | 2464 | igfxwl32.exe | 92
PID 2964 wrote to memory of 1952 | 2964 | igfxwl32.exe | 93
PID 2964 wrote to memory of 1952 | 2964 | igfxwl32.exe | 93
PID 2964 wrote to memory of 1952 | 2964 | igfxwl32.exe | 93
PID 2964 wrote to memory of 1952 | 2964 | igfxwl32.exe | 93
PID 2964 wrote to memory of 1952 | 2964 | igfxwl32.exe | 93
PID 2964 wrote to memory of 1952 | 2964 | igfxwl32.exe | 93
PID 2964 wrote to memory of 1952 | 2964 | igfxwl32.exe | 93
PID 1952 wrote to memory of 2224 | 1952 | igfxwl32.exe | 94
PID 1952 wrote to memory of 2224 | 1952 | igfxwl32.exe | 94
PID 1952 wrote to memory of 2224 | 1952 | igfxwl32.exe | 94
PID 2224 wrote to memory of 1856 | 2224 | igfxwl32.exe | 97
PID 2224 wrote to memory of 1856 | 2224 | igfxwl32.exe | 97
PID 2224 wrote to memory of 1856 | 2224 | igfxwl32.exe | 97
PID 2224 wrote to memory of 1856 | 2224 | igfxwl32.exe | 97
PID 2224 wrote to memory of 1856 | 2224 | igfxwl32.exe | 97
PID 2224 wrote to memory of 1856 | 2224 | igfxwl32.exe | 97
PID 2224 wrote to memory of 1856 | 2224 | igfxwl32.exe | 97
PID 1856 wrote to memory of 2548 | 1856 | igfxwl32.exe | 98
PID 1856 wrote to memory of 2548 | 1856 | igfxwl32.exe | 98
PID 1856 wrote to memory of 2548 | 1856 | igfxwl32.exe | 98
PID 2548 wrote to memory of 4600 | 2548 | igfxwl32.exe | 99
PID 2548 wrote to memory of 4600 | 2548 | igfxwl32.exe | 99
PID 2548 wrote to memory of 4600 | 2548 | igfxwl32.exe | 99
PID 2548 wrote to memory of 4600 | 2548 | igfxwl32.exe | 99
PID 2548 wrote to memory of 4600 | 2548 | igfxwl32.exe | 99
PID 2548 wrote to memory of 4600 | 2548 | igfxwl32.exe | 99
PID 2548 wrote to memory of 4600 | 2548 | igfxwl32.exe | 99
PID 4600 wrote to memory of 4180 | 4600 | igfxwl32.exe | 100
PID 4600 wrote to memory of 4180 | 4600 | igfxwl32.exe | 100
PID 4600 wrote to memory of 4180 | 4600 | igfxwl32.exe | 100
PID 4180 wrote to memory of 2932 | 4180 | igfxwl32.exe | 101
PID 4180 wrote to memory of 2932 | 4180 | igfxwl32.exe | 101
PID 4180 wrote to memory of 2932 | 4180 | igfxwl32.exe | 101
PID 4180 wrote to memory of 2932 | 4180 | igfxwl32.exe | 101
PID 4180 wrote to memory of 2932 | 4180 | igfxwl32.exe | 101
PID 4180 wrote to memory of 2932 | 4180 | igfxwl32.exe | 101
PID 4180 wrote to memory of 2932 | 4180 | igfxwl32.exe | 101
PID 2932 wrote to memory of 2324 | 2932 | igfxwl32.exe | 102
PID 2932 wrote to memory of 2324 | 2932 | igfxwl32.exe | 102
PID 2932 wrote to memory of 2324 | 2932 | igfxwl32.exe | 102
PID 2324 wrote to memory of 3824 | 2324 | igfxwl32.exe | 103
PID 2324 wrote to memory of 3824 | 2324 | igfxwl32.exe | 103
PID 2324 wrote to memory of 3824 | 2324 | igfxwl32.exe | 103
PID 2324 wrote to memory of 3824 | 2324 | igfxwl32.exe | 103
Processes
(each entry: tree depth, image path, command line, triggered signatures, PID)

1. C:\Users\Admin\AppData\Local\Temp\4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2364

2. C:\Users\Admin\AppData\Local\Temp\4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c.exe"
   - Checks computer location settings
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 3424

3. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\4FB3C8~1.EXE
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2788

4. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Users\Admin\AppData\Local\Temp\4FB3C8~1.EXE
   - Checks computer location settings
   - Deletes itself
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2464

5. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2964

6. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 1952

7. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2224

8. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 1856

9. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2548

10. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 4600

11. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 4180

12. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2932

13. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2324

14. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   PID: 3824

15. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   PID: 4796

16. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   PID: 872

17. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   PID: 4980

18. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   PID: 2016

19. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   PID: 2628

20. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   PID: 1884

21. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   PID: 2512

22. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   PID: 5024

23. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   PID: 2032

24. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   PID: 5088

25. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   PID: 1804

26. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   PID: 2472

27. C:\Windows\SysWOW64\igfxwl32.exe
   Command line: "C:\Windows\system32\igfxwl32.exe" C:\Windows\SysWOW64\igfxwl32.exe
   - Executes dropped EXE
   PID: 732
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 169KB
MD5: e83af87e383252472f4ca9f82cccfbc5
SHA1: 6214e06e15d90ab6bacfc0fd060ff5016d57f8fc
SHA256: 4fb3c8a4e8ce38d764a2cbd398a0e76b22f1eee633ef780ab1eecf13c3baca2c
SHA512: e881d5e3fa2738bbba085b5a3fc6594471f5851b25124113ec1c62ca3e52fae67734e96e02f0a023e2a3f69b8115a384a0d58c53482f6a24748c7fd61d087e2e