Analysis
- max time kernel: 186s
- max time network: 106s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 17:07
Static task: static1
Behavioral task: behavioral1
  Sample: b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
  Resource: win10v2004-20221111-en
General
- Target: b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
- Size: 288KB
- MD5: 52df055864a09f85eff8d58b60c9a650
- SHA1: 157810f9a7d5d270e04c534ac7999e201c4fdb55
- SHA256: b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd
- SHA512: ec5dbf7e69a6ca40d72544fb220fb1c63e7f294660de8c99f5c794d2a8f242734393127302884219ba5aa9d7020d3d56f96459d98f9144f6dbd9c79aaf9b1acb
- SSDEEP: 6144:kXTAUr1e9d4c+Q+lafeafT2Jt2tFQJSqCTaX/c9AC:oJ8XM9
Malware Config
Signatures
- Modifies visiblity of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe, mwpup.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | mwpup.exe
-
Executes dropped EXE (1 IoCs)
Processes: mwpup.exe
pid | process
516 | mwpup.exe
-
Loads dropped DLL (2 IoCs)
Processes: b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
pid | process
1420 | b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
1420 | b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
-
Adds Run key to start application (2 TTPs, 29 IoCs)
Processes: mwpup.exe, b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /c" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /e" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /a" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /u" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /h" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /k" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /v" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /n" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /o" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /t" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /p" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /q" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /w" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /x" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /l" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /b" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /r" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /s" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /y" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /z" | mwpup.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /g" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /f" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /d" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /m" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /z" | b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /i" | mwpup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwpup = "C:\\Users\\Admin\\mwpup.exe /j" | mwpup.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe, mwpup.exe
pid | process
1420 | b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
516 | mwpup.exe (this pid/process pair accounts for the remaining 63 entries in the report)
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe, mwpup.exe
pid | process
1420 | b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
516 | mwpup.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
description | pid | process | target process
PID 1420 wrote to memory of 516 | 1420 | b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe | mwpup.exe
PID 1420 wrote to memory of 516 | 1420 | b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe | mwpup.exe
PID 1420 wrote to memory of 516 | 1420 | b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe | mwpup.exe
PID 1420 wrote to memory of 516 | 1420 | b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe | mwpup.exe
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe"
  - Modifies visiblity of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (2) C:\Users\Admin\mwpup.exe (child of process 1)
    Command line: "C:\Users\Admin\mwpup.exe"
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\mwpup.exe
  Filesize: 288KB
  MD5: 6671065a36870aa29ce4cbb787a77bd5
  SHA1: 2f20332650f2ae5f36d199e1ce1a51488b17f8c2
  SHA256: df095c8c7fc5cc6b4ba8835f83766ed281f7c7765582a0badd720174b0888317
  SHA512: 996c6d6409cfecdab7822aaa1a9334ea6c107b25a4b0661fd0ef6f6dc6019298c1f0e1c725bb9d0adb0fb1dd0137affdfe0218ac06726a320cfaab8fc89c9f6f
- \Users\Admin\mwpup.exe
  Filesize: 288KB
  MD5: 6671065a36870aa29ce4cbb787a77bd5
  SHA1: 2f20332650f2ae5f36d199e1ce1a51488b17f8c2
  SHA256: df095c8c7fc5cc6b4ba8835f83766ed281f7c7765582a0badd720174b0888317
  SHA512: 996c6d6409cfecdab7822aaa1a9334ea6c107b25a4b0661fd0ef6f6dc6019298c1f0e1c725bb9d0adb0fb1dd0137affdfe0218ac06726a320cfaab8fc89c9f6f
- memory/516-59-0x0000000000000000-mapping.dmp
- memory/1420-56-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
  Filesize: 8KB