metasploit | db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747.exe
Size

185KB
MD5

15717cd327a723820d71900611545917
SHA1

99184ec149d329e98cd3e600cfaba22a2f9a0156
SHA256

db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747
SHA512

a0de435db809e3e79f89411017e244c76145e010c67f894d41e265804c832f5514ac2f31cc9a0c667afa77aaaf3eccecac148279ca5a0feba492b222d5481a49

Score

10^/10

metasploit backdoor evasion persistence suricata trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

wmsncs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe \"C:\\Windows\\Fonts\\wmsncs.exe\""	wmsncs.exe

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

wmsncs.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	wmsncs.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	wmsncs.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

wmsncs.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" wmsncs.exe
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE IRC Nick change on non-standard port
suricata: ET MALWARE IRC Nick change on non-standard port
suricata
Executes dropped EXE 1 IoCs

Processes:

wmsncs.exe

pid process

1892 wmsncs.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

wmsncs.exe

pid process

1892 wmsncs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	wmsncs.exe

pid	process
1892	wmsncs.exe

pid	process
1892	wmsncs.exe

Windows security modification 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

wmsncs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	wmsncs.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wmsncs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NvidMediaCenter = "C:\\Program Files (x86)\\Common Files\\System\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spool Driver Service = "C:\\Windows\\system32\\spool\\drivers\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wins Service = "C:\\Windows\\system32\\wins\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wmsncs Service = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe

Drops file in System32 directory 5 IoCs

Processes:

wmsncs.exe

description	ioc	process
File opened for modification	C:\Windows\system32\spool\drivers\wmsncs.exe	wmsncs.exe
File created	C:\Windows\SysWOW64\wins\wmsncs.exe	wmsncs.exe
File opened for modification	C:\Windows\SysWOW64\wins\wmsncs.exe	wmsncs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	wmsncs.exe
File created	C:\Windows\system32\spool\drivers\wmsncs.exe	wmsncs.exe

Drops file in Program Files directory 3 IoCs

Processes:

wmsncs.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\System\wmsncs.exe	wmsncs.exe
File opened for modification	C:\Program Files (x86)\Common Files\System	wmsncs.exe
File created	C:\Program Files (x86)\Common Files\System\wmsncs.exe	wmsncs.exe

Drops file in Windows directory 2 IoCs

Processes:

db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747.exe

description	ioc	process
File created	C:\Windows\Fonts\wmsncs.exe	db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747.exe
File opened for modification	C:\Windows\Fonts\wmsncs.exe	db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 62 IoCs

Processes:

netsh.exenetsh.exenetsh.exewmsncs.exenetsh.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wmsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wmsncs.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wmsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wmsncs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\NvidMediaCenter = "C:\\Program Files (x86)\\Common Files\\System\\wmsncs.exe"	wmsncs.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server = "65534"	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Spool Driver Service = "C:\\Windows\\system32\\spool\\drivers\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer = "65534"	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	wmsncs.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Wmsncs Service = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup\Installed Components	wmsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Wins Service = "C:\\Windows\\system32\\wins\\wmsncs.exe"	wmsncs.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup	wmsncs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747.exewmsncs.exe

description	pid	process
Token: 33	892	db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747.exe
Token: SeIncBasePriorityPrivilege	892	db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747.exe
Token: 33	1892	wmsncs.exe
Token: SeIncBasePriorityPrivilege	1892	wmsncs.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

wmsncs.exe

description	pid	process	target process
PID 1892 wrote to memory of 1972	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 1972	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 1972	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 1972	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 1088	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 1088	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 1088	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 1088	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 520	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 520	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 520	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 520	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 640	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 640	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 640	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 640	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 336	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 336	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 336	1892	wmsncs.exe	netsh.exe
PID 1892 wrote to memory of 336	1892	wmsncs.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747.exe
"C:\Users\Admin\AppData\Local\Temp\db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\Fonts\wmsncs.exe
"C:\Windows\Fonts\wmsncs.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Executes dropped EXE
- Deletes itself
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set portopening TCP 1013 BS
2⤵
- Modifies data under HKEY_USERS
PID:1972

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set portopening TCP 8080 PORT1
2⤵
- Modifies data under HKEY_USERS
PID:1088

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set portopening TCP 8081 PORT2
2⤵
- Modifies data under HKEY_USERS
PID:520

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Windows\Fonts\wmsncs.exe" workstation ENABLE ALL
2⤵
- Modifies data under HKEY_USERS
PID:640

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set allowedprogram "C:\Windows\Fonts\wmsncs.exe" workstation ENABLE ALL
2⤵
- Modifies data under HKEY_USERS
PID:336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\wmsncs.exe

Filesize
185KB

MD5
15717cd327a723820d71900611545917

SHA1
99184ec149d329e98cd3e600cfaba22a2f9a0156

SHA256
db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747

SHA512
a0de435db809e3e79f89411017e244c76145e010c67f894d41e265804c832f5514ac2f31cc9a0c667afa77aaaf3eccecac148279ca5a0feba492b222d5481a49

Download Submit
C:\Windows\Fonts\wmsncs.exe

Filesize
185KB

MD5
15717cd327a723820d71900611545917

SHA1
99184ec149d329e98cd3e600cfaba22a2f9a0156

SHA256
db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747

SHA512
a0de435db809e3e79f89411017e244c76145e010c67f894d41e265804c832f5514ac2f31cc9a0c667afa77aaaf3eccecac148279ca5a0feba492b222d5481a49

Download Submit
memory/336-63-0x0000000000000000-mapping.dmp

Download
memory/520-61-0x0000000000000000-mapping.dmp

Download
memory/640-62-0x0000000000000000-mapping.dmp

Download
memory/892-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/892-57-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/1088-60-0x0000000000000000-mapping.dmp

Download
memory/1892-69-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/1972-59-0x0000000000000000-mapping.dmp

Download