Analysis
- max time kernel: 176s
- max time network: 194s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/10/2022, 15:24
Static task: static1
Behavioral task: behavioral1
- Sample: ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
- Resource: win10v2004-20220812-en
General
- Target: ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
- Size: 722KB
- MD5: 90ac06a2414f7e75aed6dcb016eb41b0
- SHA1: 8b2a95f7626309bdf010e90b7319f46ea6f96a4f
- SHA256: ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782
- SHA512: 0b221f4abf897863eed2cd0c7e74f7c89dcc03efd268e1b4a5dcda5c702baece726b037e0063c97693233b62c799cfa656d094994fbf27686de1a88358ecbed4
- SSDEEP: 12288:wXqEOatU3laKYngXav2lhGicknX2ZChoJNrlcknBckn:wpt4laKvXavUcicShWpc2c
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
  pid   Process
  4604  audiodgi.exe
  5000  wmpmetwk.exe
  3964  wmpmetwk.exe

  resource                                                                      yara_rule
  behavioral2/memory/4216-135-0x0000000013140000-0x000000001320B000-memory.dmp  upx
  behavioral2/memory/4216-136-0x0000000013140000-0x000000001320B000-memory.dmp  upx
  behavioral2/memory/4216-137-0x0000000013140000-0x000000001320B000-memory.dmp  upx
  behavioral2/memory/4216-138-0x0000000013140000-0x000000001320B000-memory.dmp  upx
  behavioral2/memory/4216-139-0x0000000013140000-0x000000001320B000-memory.dmp  upx
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                           Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  wmpmetwk.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                        Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  audiodgi.exe
Adds Run key to start application 2 TTPs 1 IoCs
  description      ioc                                                                                                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft? Windows? Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\Credentials\\audiodgi.exe"  audiodgi.exe
Suspicious use of SetThreadContext 2 IoCs
  description                           pid   Process                                                                   procid_target
  PID 900 set thread context of 4216    900   ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe  84
  PID 5000 set thread context of 3964   5000  wmpmetwk.exe                                                              89
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      wmpmetwk.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  wmpmetwk.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           wmpmetwk.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     wmpmetwk.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
Enumerates system info in registry 2 TTPs 2 IoCs
  description        ioc                                                      Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  wmpmetwk.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
NTFS ADS 1 IoCs
  description   ioc                                                                    Process
  File created  C:\Users\Admin\AppData\Local\Temp\wmpnetvk.exe:ZONE.identifier  cmd.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  The 64 entries of this table consist of the following three rows, repeated:
  pid   Process
  900   ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
  4604  audiodgi.exe
  5000  wmpmetwk.exe
Suspicious use of AdjustPrivilegeToken 51 IoCs
  description                      pid   Process
  Token: SeDebugPrivilege          900   ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
  Token: SeDebugPrivilege          4604  audiodgi.exe
  Token: SeDebugPrivilege          5000  wmpmetwk.exe
  PID 4216 (ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe), one entry per token:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 3964 (wmpmetwk.exe), one entry per token:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx 1 IoCs
  pid   Process
  4216  ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
Suspicious use of WriteProcessMemory 47 IoCs
  The 47 entries of this table consist of the following distinct rows, each repeated several times:
  description                        pid   Process                                                                   procid_target
  PID 900 wrote to memory of 4984    900   ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe  81
  PID 900 wrote to memory of 4216    900   ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe  84
  PID 4216 wrote to memory of 2032   4216  ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe  86
  PID 900 wrote to memory of 4604    900   ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe  87
  PID 4604 wrote to memory of 5000   4604  audiodgi.exe                                                              88
  PID 5000 wrote to memory of 3964   5000  wmpmetwk.exe                                                              89
Processes
- C:\Users\Admin\AppData\Local\Temp\ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe (PID 900)
  command line: "C:\Users\Admin\AppData\Local\Temp\ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4984)
    command line: "cmd"
    - NTFS ADS
  - C:\Users\Admin\AppData\Local\Temp\ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe (PID 4216)
    command line: ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
    - Checks BIOS information in registry
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (PID 2032)
      command line: C:\Windows\SysWOW64\notepad.exe
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\audiodgi.exe (PID 4604)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\audiodgi.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe (PID 5000)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe (PID 3964)
        command line: wmpmetwk.exe
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 9KB (listed twice, identical hashes)
  MD5: ee0f561c8a6410b492f0cc3a79547c1e
  SHA1: 14995bc4eb36ba5169053fb1dba755cbba2bc386
  SHA256: 9f99ed2c4a40cf80d40682cbc75553396be44fad5ad9c9c4013170d24cb279ba
  SHA512: ab8a2cf54d63c1553c532b299ab9dbae630660115e8dd51c28e1a50544bd42904e224fcee18026fe467f87c2ef8f58ecd50f31cf3cab3e0b9050a61552d9c335
- Filesize: 722KB (listed three times, identical hashes; these match the submitted sample)
  MD5: 90ac06a2414f7e75aed6dcb016eb41b0
  SHA1: 8b2a95f7626309bdf010e90b7319f46ea6f96a4f
  SHA256: ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782
  SHA512: 0b221f4abf897863eed2cd0c7e74f7c89dcc03efd268e1b4a5dcda5c702baece726b037e0063c97693233b62c799cfa656d094994fbf27686de1a88358ecbed4