Analysis
Max time kernel: 168s
Max time network: 68s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 19/10/2022, 15:24
Static task: static1
Behavioral task: behavioral1
  Sample: ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
  Resource: win10v2004-20220812-en
General
Target: ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
Size: 722KB
MD5: 90ac06a2414f7e75aed6dcb016eb41b0
SHA1: 8b2a95f7626309bdf010e90b7319f46ea6f96a4f
SHA256: ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782
SHA512: 0b221f4abf897863eed2cd0c7e74f7c89dcc03efd268e1b4a5dcda5c702baece726b037e0063c97693233b62c799cfa656d094994fbf27686de1a88358ecbed4
SSDEEP: 12288:wXqEOatU3laKYngXav2lhGicknX2ZChoJNrlcknBckn:wpt4laKvXavUcicShWpc2c
Malware Config
Signatures
-
Executes dropped EXE (3 IoCs)
| pid | Process |
| --- | --- |
| 1676 | audiodgi.exe |
| 880 | wmpmetwk.exe |
| 804 | wmpmetwk.exe |

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/1364-58-0x0000000013140000-0x000000001320B000-memory.dmp | upx |
| behavioral1/memory/1364-60-0x0000000013140000-0x000000001320B000-memory.dmp | upx |
| behavioral1/memory/1364-62-0x0000000013140000-0x000000001320B000-memory.dmp | upx |
| behavioral1/memory/1364-64-0x0000000013140000-0x000000001320B000-memory.dmp | upx |
| behavioral1/memory/1364-66-0x0000000013140000-0x000000001320B000-memory.dmp | upx |
| behavioral1/memory/1364-67-0x0000000013140000-0x000000001320B000-memory.dmp | upx |
| behavioral1/memory/1364-68-0x0000000013140000-0x000000001320B000-memory.dmp | upx |
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wmpmetwk.exe |
Loads dropped DLL (3 IoCs)
| pid | Process |
| --- | --- |
| 2024 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| 1676 | audiodgi.exe |
| 1676 | audiodgi.exe |
Adds Run key to start application (2 TTPs, 1 IoCs)
| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\Credentials\\audiodgi.exe" | audiodgi.exe |
Suspicious use of SetThreadContext (2 IoCs)
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2024 set thread context of 1364 | 2024 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe | 30 |
| PID 880 set thread context of 804 | 880 | wmpmetwk.exe | 34 |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmpmetwk.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wmpmetwk.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wmpmetwk.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | wmpmetwk.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
Enumerates system info in registry (2 TTPs, 2 IoCs)
| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | wmpmetwk.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (49 IoCs)
| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2024 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeIncreaseQuotaPrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeSecurityPrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeTakeOwnershipPrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeLoadDriverPrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeSystemProfilePrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeSystemtimePrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeProfSingleProcessPrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeIncBasePriorityPrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeCreatePagefilePrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeBackupPrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeRestorePrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeShutdownPrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeDebugPrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeSystemEnvironmentPrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeChangeNotifyPrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeRemoteShutdownPrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeUndockPrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeManageVolumePrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeImpersonatePrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeCreateGlobalPrivilege | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: 33 | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: 34 | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: 35 | 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
| Token: SeDebugPrivilege | 1676 | audiodgi.exe |
| Token: SeDebugPrivilege | 880 | wmpmetwk.exe |
| Token: SeIncreaseQuotaPrivilege | 804 | wmpmetwk.exe |
| Token: SeSecurityPrivilege | 804 | wmpmetwk.exe |
| Token: SeTakeOwnershipPrivilege | 804 | wmpmetwk.exe |
| Token: SeLoadDriverPrivilege | 804 | wmpmetwk.exe |
| Token: SeSystemProfilePrivilege | 804 | wmpmetwk.exe |
| Token: SeSystemtimePrivilege | 804 | wmpmetwk.exe |
| Token: SeProfSingleProcessPrivilege | 804 | wmpmetwk.exe |
| Token: SeIncBasePriorityPrivilege | 804 | wmpmetwk.exe |
| Token: SeCreatePagefilePrivilege | 804 | wmpmetwk.exe |
| Token: SeBackupPrivilege | 804 | wmpmetwk.exe |
| Token: SeRestorePrivilege | 804 | wmpmetwk.exe |
| Token: SeShutdownPrivilege | 804 | wmpmetwk.exe |
| Token: SeDebugPrivilege | 804 | wmpmetwk.exe |
| Token: SeSystemEnvironmentPrivilege | 804 | wmpmetwk.exe |
| Token: SeChangeNotifyPrivilege | 804 | wmpmetwk.exe |
| Token: SeRemoteShutdownPrivilege | 804 | wmpmetwk.exe |
| Token: SeUndockPrivilege | 804 | wmpmetwk.exe |
| Token: SeManageVolumePrivilege | 804 | wmpmetwk.exe |
| Token: SeImpersonatePrivilege | 804 | wmpmetwk.exe |
| Token: SeCreateGlobalPrivilege | 804 | wmpmetwk.exe |
| Token: 33 | 804 | wmpmetwk.exe |
| Token: 34 | 804 | wmpmetwk.exe |
| Token: 35 | 804 | wmpmetwk.exe |
Suspicious use of SetWindowsHookEx (1 IoCs)
| pid | Process |
| --- | --- |
| 1364 | ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe |
Suspicious use of WriteProcessMemory (51 IoCs)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe"
  PID: 2024
  Signatures:
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd"
    PID: 2004
  - [2] C:\Users\Admin\AppData\Local\Temp\ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
    Command line: ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
    PID: 1364
    Signatures:
      - Checks BIOS information in registry
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\notepad.exe
      Command line: C:\Windows\SysWOW64\notepad.exe
      PID: 364
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\audiodgi.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\audiodgi.exe"
    PID: 1676
    Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe"
      PID: 880
      Signatures:
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe
        Command line: wmpmetwk.exe
        PID: 804
        Signatures:
          - Executes dropped EXE
          - Checks BIOS information in registry
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 9KB
  MD5: ee0f561c8a6410b492f0cc3a79547c1e
  SHA1: 14995bc4eb36ba5169053fb1dba755cbba2bc386
  SHA256: 9f99ed2c4a40cf80d40682cbc75553396be44fad5ad9c9c4013170d24cb279ba
  SHA512: ab8a2cf54d63c1553c532b299ab9dbae630660115e8dd51c28e1a50544bd42904e224fcee18026fe467f87c2ef8f58ecd50f31cf3cab3e0b9050a61552d9c335
- Filesize: 722KB
  MD5: 90ac06a2414f7e75aed6dcb016eb41b0
  SHA1: 8b2a95f7626309bdf010e90b7319f46ea6f96a4f
  SHA256: ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782
  SHA512: 0b221f4abf897863eed2cd0c7e74f7c89dcc03efd268e1b4a5dcda5c702baece726b037e0063c97693233b62c799cfa656d094994fbf27686de1a88358ecbed4