b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd

General

Target

b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
Size

288KB
MD5

52df055864a09f85eff8d58b60c9a650
SHA1

157810f9a7d5d270e04c534ac7999e201c4fdb55
SHA256

b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd
SHA512

ec5dbf7e69a6ca40d72544fb220fb1c63e7f294660de8c99f5c794d2a8f242734393127302884219ba5aa9d7020d3d56f96459d98f9144f6dbd9c79aaf9b1acb
SSDEEP

6144:kXTAUr1e9d4c+Q+lafeafT2Jt2tFQJSqCTaX/c9AC:oJ8XM9

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exemwpup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	mwpup.exe

Executes dropped EXE 1 IoCs

Processes:

mwpup.exe

pid process

516 mwpup.exe

pid	process
516	mwpup.exe

Loads dropped DLL 2 IoCs

Processes:

b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe

pid	process
1420	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
1420	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mwpup.exeb416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /c"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /e"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /a"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /u"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /h"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /k"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /v"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /n"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /o"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /t"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /p"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /q"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /w"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /x"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /l"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /b"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /r"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /s"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /y"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /z"	mwpup.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /g"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /f"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /d"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /m"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /z"	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /i"	mwpup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /j"	mwpup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exemwpup.exe

pid	process
1420	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe
516	mwpup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exemwpup.exe

pid process

1420 b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
516 mwpup.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe

description	pid	process	target process
PID 1420 wrote to memory of 516	1420	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe	mwpup.exe
PID 1420 wrote to memory of 516	1420	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe	mwpup.exe
PID 1420 wrote to memory of 516	1420	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe	mwpup.exe
PID 1420 wrote to memory of 516	1420	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe	mwpup.exe

C:\Users\Admin\AppData\Local\Temp\b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
"C:\Users\Admin\AppData\Local\Temp\b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\mwpup.exe
"C:\Users\Admin\mwpup.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\mwpup.exe
Filesize
288KB

MD5
6671065a36870aa29ce4cbb787a77bd5

SHA1
2f20332650f2ae5f36d199e1ce1a51488b17f8c2

SHA256
df095c8c7fc5cc6b4ba8835f83766ed281f7c7765582a0badd720174b0888317

SHA512
996c6d6409cfecdab7822aaa1a9334ea6c107b25a4b0661fd0ef6f6dc6019298c1f0e1c725bb9d0adb0fb1dd0137affdfe0218ac06726a320cfaab8fc89c9f6f

Download Submit
C:\Users\Admin\mwpup.exe
Filesize
288KB

MD5
6671065a36870aa29ce4cbb787a77bd5

SHA1
2f20332650f2ae5f36d199e1ce1a51488b17f8c2

SHA256
df095c8c7fc5cc6b4ba8835f83766ed281f7c7765582a0badd720174b0888317

SHA512
996c6d6409cfecdab7822aaa1a9334ea6c107b25a4b0661fd0ef6f6dc6019298c1f0e1c725bb9d0adb0fb1dd0137affdfe0218ac06726a320cfaab8fc89c9f6f

Download Submit
\Users\Admin\mwpup.exe
Filesize
288KB

MD5
6671065a36870aa29ce4cbb787a77bd5

SHA1
2f20332650f2ae5f36d199e1ce1a51488b17f8c2

SHA256
df095c8c7fc5cc6b4ba8835f83766ed281f7c7765582a0badd720174b0888317

SHA512
996c6d6409cfecdab7822aaa1a9334ea6c107b25a4b0661fd0ef6f6dc6019298c1f0e1c725bb9d0adb0fb1dd0137affdfe0218ac06726a320cfaab8fc89c9f6f

Download Submit
\Users\Admin\mwpup.exe
Filesize
288KB

MD5
6671065a36870aa29ce4cbb787a77bd5

SHA1
2f20332650f2ae5f36d199e1ce1a51488b17f8c2

SHA256
df095c8c7fc5cc6b4ba8835f83766ed281f7c7765582a0badd720174b0888317

SHA512
996c6d6409cfecdab7822aaa1a9334ea6c107b25a4b0661fd0ef6f6dc6019298c1f0e1c725bb9d0adb0fb1dd0137affdfe0218ac06726a320cfaab8fc89c9f6f

Download Submit
memory/516-59-0x0000000000000000-mapping.dmp

Download
memory/1420-56-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads