metasploit | ca6dd71f871e058ed817ac5924fefee978cc9f9035f9950d61d5df5f9638e417

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe
Size

120KB
MD5

d44f4ced83e4bcd7ee0d90abeb73c2a4
SHA1

59b3afe0208f533ed727c0f949d5fd15b0529f60
SHA256

ca6dd71f871e058ed817ac5924fefee978cc9f9035f9950d61d5df5f9638e417
SHA512

da8cdfcd2cb5cdc70489e23f1db9a6913e4188b7f15b3ae6873e8ff0ccdd92fd2cc7fe50cded0d2894c98640a16dea7188d5fe560e37a2256403324eb2c92460
SSDEEP

3072:VQVnnBz6UdEXT1J4ImFVgdyYxXwqD5j8AFWQ1RWUDXPz7+W:VQVnBz/d1s0cXwu5YGV1AuWW

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2624	wnptd1.exe

Executes dropped EXE 52 IoCs

pid	Process
2772	wnptd1.exe
2624	wnptd1.exe
2212	wnptd1.exe
272	wnptd1.exe
2388	wnptd1.exe
2560	wnptd1.exe
2868	wnptd1.exe
2892	wnptd1.exe
2416	wnptd1.exe
1036	wnptd1.exe
1996	wnptd1.exe
1964	wnptd1.exe
1408	wnptd1.exe
2100	wnptd1.exe
1664	wnptd1.exe
2476	wnptd1.exe
1804	wnptd1.exe
2500	wnptd1.exe
1636	wnptd1.exe
2348	wnptd1.exe
1604	wnptd1.exe
2680	wnptd1.exe
2684	wnptd1.exe
2772	wnptd1.exe
1340	wnptd1.exe
1780	wnptd1.exe
1060	wnptd1.exe
2360	wnptd1.exe
2564	wnptd1.exe
1960	wnptd1.exe
792	wnptd1.exe
2372	wnptd1.exe
2264	wnptd1.exe
1156	wnptd1.exe
112	wnptd1.exe
1308	wnptd1.exe
1544	wnptd1.exe
1772	wnptd1.exe
652	wnptd1.exe
548	wnptd1.exe
1040	wnptd1.exe
1760	wnptd1.exe
1700	wnptd1.exe
340	wnptd1.exe
2840	wnptd1.exe
2960	wnptd1.exe
2720	wnptd1.exe
2956	wnptd1.exe
1340	wnptd1.exe
2452	wnptd1.exe
2636	wnptd1.exe
2556	wnptd1.exe

Loads dropped DLL 26 IoCs

pid	Process
2244	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe
2624	wnptd1.exe
272	wnptd1.exe
2560	wnptd1.exe
2892	wnptd1.exe
1036	wnptd1.exe
1964	wnptd1.exe
2100	wnptd1.exe
2476	wnptd1.exe
2500	wnptd1.exe
2348	wnptd1.exe
2680	wnptd1.exe
2772	wnptd1.exe
1780	wnptd1.exe
2360	wnptd1.exe
1960	wnptd1.exe
2372	wnptd1.exe
1156	wnptd1.exe
1308	wnptd1.exe
1772	wnptd1.exe
548	wnptd1.exe
1760	wnptd1.exe
340	wnptd1.exe
2960	wnptd1.exe
2956	wnptd1.exe
2452	wnptd1.exe

Maps connected drives based on registry 3 TTPs 54 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnptd1.exe

Drops file in System32 directory 52 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe
File opened for modification	C:\Windows\SysWOW64\wnptd1.exe	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wnptd1.exe	wnptd1.exe

Suspicious use of SetThreadContext 27 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 2244	2668	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe	30
PID 2772 set thread context of 2624	2772	wnptd1.exe	32
PID 2212 set thread context of 272	2212	wnptd1.exe	34
PID 2388 set thread context of 2560	2388	wnptd1.exe	36
PID 2868 set thread context of 2892	2868	wnptd1.exe	38
PID 2416 set thread context of 1036	2416	wnptd1.exe	40
PID 1996 set thread context of 1964	1996	wnptd1.exe	42
PID 1408 set thread context of 2100	1408	wnptd1.exe	44
PID 1664 set thread context of 2476	1664	wnptd1.exe	46
PID 1804 set thread context of 2500	1804	wnptd1.exe	48
PID 1636 set thread context of 2348	1636	wnptd1.exe	50
PID 1604 set thread context of 2680	1604	wnptd1.exe	52
PID 2684 set thread context of 2772	2684	wnptd1.exe	54
PID 1340 set thread context of 1780	1340	wnptd1.exe	57
PID 1060 set thread context of 2360	1060	wnptd1.exe	59
PID 2564 set thread context of 1960	2564	wnptd1.exe	61
PID 792 set thread context of 2372	792	wnptd1.exe	63
PID 2264 set thread context of 1156	2264	wnptd1.exe	65
PID 112 set thread context of 1308	112	wnptd1.exe	67
PID 1544 set thread context of 1772	1544	wnptd1.exe	69
PID 652 set thread context of 548	652	wnptd1.exe	71
PID 1040 set thread context of 1760	1040	wnptd1.exe	73
PID 1700 set thread context of 340	1700	wnptd1.exe	75
PID 2840 set thread context of 2960	2840	wnptd1.exe	77
PID 2720 set thread context of 2956	2720	wnptd1.exe	79
PID 1340 set thread context of 2452	1340	wnptd1.exe	81
PID 2636 set thread context of 2556	2636	wnptd1.exe	83

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2244-2-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2244-6-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2244-4-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2244-8-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2244-9-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2244-10-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2244-11-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2244-21-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2624-32-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2624-31-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2624-33-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2624-39-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/272-49-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/272-55-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2560-65-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2560-71-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2892-81-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2892-86-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1036-97-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1036-103-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1964-113-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1964-120-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2100-130-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2100-136-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2476-146-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2476-153-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2500-163-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2500-169-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2348-179-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2348-185-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2680-195-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2680-202-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2772-212-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2772-219-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1780-230-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1780-235-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2360-246-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2360-251-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1960-262-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1960-267-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2372-276-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2372-283-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1156-294-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1156-298-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1308-310-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1772-320-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1772-323-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/548-333-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/548-336-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1760-346-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1760-349-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/340-359-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/340-362-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2960-370-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2960-375-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2956-387-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2452-395-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2452-400-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2556-410-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnptd1.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2244	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe
2624	wnptd1.exe
272	wnptd1.exe
2560	wnptd1.exe
2892	wnptd1.exe
1036	wnptd1.exe
1964	wnptd1.exe
2100	wnptd1.exe
2476	wnptd1.exe
2500	wnptd1.exe
2348	wnptd1.exe
2680	wnptd1.exe
2772	wnptd1.exe
1780	wnptd1.exe
2360	wnptd1.exe
1960	wnptd1.exe
2372	wnptd1.exe
1156	wnptd1.exe
1308	wnptd1.exe
1772	wnptd1.exe
548	wnptd1.exe
1760	wnptd1.exe
340	wnptd1.exe
2960	wnptd1.exe
2956	wnptd1.exe
2452	wnptd1.exe
2556	wnptd1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2244	2668	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2244	2668	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2244	2668	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2244	2668	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2244	2668	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2244	2668	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2244	2668	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe	30
PID 2244 wrote to memory of 2772	2244	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe	31
PID 2244 wrote to memory of 2772	2244	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe	31
PID 2244 wrote to memory of 2772	2244	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe	31
PID 2244 wrote to memory of 2772	2244	d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe	31
PID 2772 wrote to memory of 2624	2772	wnptd1.exe	32
PID 2772 wrote to memory of 2624	2772	wnptd1.exe	32
PID 2772 wrote to memory of 2624	2772	wnptd1.exe	32
PID 2772 wrote to memory of 2624	2772	wnptd1.exe	32
PID 2772 wrote to memory of 2624	2772	wnptd1.exe	32
PID 2772 wrote to memory of 2624	2772	wnptd1.exe	32
PID 2772 wrote to memory of 2624	2772	wnptd1.exe	32
PID 2624 wrote to memory of 2212	2624	wnptd1.exe	33
PID 2624 wrote to memory of 2212	2624	wnptd1.exe	33
PID 2624 wrote to memory of 2212	2624	wnptd1.exe	33
PID 2624 wrote to memory of 2212	2624	wnptd1.exe	33
PID 2212 wrote to memory of 272	2212	wnptd1.exe	34
PID 2212 wrote to memory of 272	2212	wnptd1.exe	34
PID 2212 wrote to memory of 272	2212	wnptd1.exe	34
PID 2212 wrote to memory of 272	2212	wnptd1.exe	34
PID 2212 wrote to memory of 272	2212	wnptd1.exe	34
PID 2212 wrote to memory of 272	2212	wnptd1.exe	34
PID 2212 wrote to memory of 272	2212	wnptd1.exe	34
PID 272 wrote to memory of 2388	272	wnptd1.exe	35
PID 272 wrote to memory of 2388	272	wnptd1.exe	35
PID 272 wrote to memory of 2388	272	wnptd1.exe	35
PID 272 wrote to memory of 2388	272	wnptd1.exe	35
PID 2388 wrote to memory of 2560	2388	wnptd1.exe	36
PID 2388 wrote to memory of 2560	2388	wnptd1.exe	36
PID 2388 wrote to memory of 2560	2388	wnptd1.exe	36
PID 2388 wrote to memory of 2560	2388	wnptd1.exe	36
PID 2388 wrote to memory of 2560	2388	wnptd1.exe	36
PID 2388 wrote to memory of 2560	2388	wnptd1.exe	36
PID 2388 wrote to memory of 2560	2388	wnptd1.exe	36
PID 2560 wrote to memory of 2868	2560	wnptd1.exe	37
PID 2560 wrote to memory of 2868	2560	wnptd1.exe	37
PID 2560 wrote to memory of 2868	2560	wnptd1.exe	37
PID 2560 wrote to memory of 2868	2560	wnptd1.exe	37
PID 2868 wrote to memory of 2892	2868	wnptd1.exe	38
PID 2868 wrote to memory of 2892	2868	wnptd1.exe	38
PID 2868 wrote to memory of 2892	2868	wnptd1.exe	38
PID 2868 wrote to memory of 2892	2868	wnptd1.exe	38
PID 2868 wrote to memory of 2892	2868	wnptd1.exe	38
PID 2868 wrote to memory of 2892	2868	wnptd1.exe	38
PID 2868 wrote to memory of 2892	2868	wnptd1.exe	38
PID 2892 wrote to memory of 2416	2892	wnptd1.exe	39
PID 2892 wrote to memory of 2416	2892	wnptd1.exe	39
PID 2892 wrote to memory of 2416	2892	wnptd1.exe	39
PID 2892 wrote to memory of 2416	2892	wnptd1.exe	39
PID 2416 wrote to memory of 1036	2416	wnptd1.exe	40
PID 2416 wrote to memory of 1036	2416	wnptd1.exe	40
PID 2416 wrote to memory of 1036	2416	wnptd1.exe	40
PID 2416 wrote to memory of 1036	2416	wnptd1.exe	40
PID 2416 wrote to memory of 1036	2416	wnptd1.exe	40
PID 2416 wrote to memory of 1036	2416	wnptd1.exe	40
PID 2416 wrote to memory of 1036	2416	wnptd1.exe	40
PID 1036 wrote to memory of 1996	1036	wnptd1.exe	41
PID 1036 wrote to memory of 1996	1036	wnptd1.exe	41

C:\Users\Admin\AppData\Local\Temp\d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d44f4ced83e4bcd7ee0d90abeb73c2a4_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\wnptd1.exe
    "C:\Windows\system32\wnptd1.exe" C:\Users\Admin\AppData\Local\Temp\D44F4C~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\wnptd1.exe
      "C:\Windows\system32\wnptd1.exe" C:\Users\Admin\AppData\Local\Temp\D44F4C~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:272
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1964
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2476
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2500
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2348
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2680
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1780
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2360
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:792
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1156
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1308
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1772
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:652
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:548
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1760
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:340
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2452
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\wnptd1.exe
        
        "C:\Windows\system32\wnptd1.exe" C:\Windows\SysWOW64\wnptd1.exe
        54⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wnptd1.exe

Filesize
120KB

MD5
d44f4ced83e4bcd7ee0d90abeb73c2a4

SHA1
59b3afe0208f533ed727c0f949d5fd15b0529f60

SHA256
ca6dd71f871e058ed817ac5924fefee978cc9f9035f9950d61d5df5f9638e417

SHA512
da8cdfcd2cb5cdc70489e23f1db9a6913e4188b7f15b3ae6873e8ff0ccdd92fd2cc7fe50cded0d2894c98640a16dea7188d5fe560e37a2256403324eb2c92460

Download Submit
memory/272-49-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/272-55-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/340-362-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/340-359-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/548-336-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/548-333-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1036-103-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1036-97-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1156-298-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1156-294-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1308-310-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1760-349-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1760-346-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1772-323-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1772-320-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1780-230-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1780-235-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1960-267-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1960-262-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1964-120-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1964-113-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2100-130-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2100-136-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2244-4-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2244-8-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2244-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2244-9-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2244-10-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2244-6-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2244-2-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2244-21-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2244-11-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2348-185-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2348-179-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2360-251-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2360-246-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2372-276-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2372-283-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2452-395-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2452-400-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2476-153-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2476-146-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2500-169-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2500-163-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2556-410-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2560-71-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2560-65-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2624-39-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2624-32-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2624-33-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2624-31-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2680-202-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2680-195-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2772-219-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2772-212-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2892-81-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2892-86-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2956-387-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2960-370-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2960-375-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download