Analysis
-
max time kernel
151s -
max time network
81s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
24-11-2022 00:16
Static task
static1
Behavioral task
behavioral1
Sample
1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exe
Resource
win10v2004-20221111-en
General
-
Target
1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exe
-
Size
260KB
-
MD5
03adf1bb9cdf0d837f18c1dc12db0c52
-
SHA1
b61134f4402b622163b226e9559518d770747762
-
SHA256
1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c
-
SHA512
ff224b92542289c8182c2d4fdf65e81d449dd0be67245e331746d8c2c0dbc365480baf09212888b81b9168b197e49c2f03474a72e5be8b35150da71b2714be89
-
SSDEEP
3072:gsgZWWTiooHiUS41IGymUU5fkUehyB456J2Lw6BoiEx4PvsL2o5n33ygoe:rOToHiUBiGyuT236J2deiEx4PvRo53Fv
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.execwpif.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cwpif.exe -
Executes dropped EXE 1 IoCs
Processes:
cwpif.exepid process 2044 cwpif.exe -
Loads dropped DLL 2 IoCs
Processes:
1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exepid process 1416 1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exe 1416 1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exe -
Adds Run key to start application 2 TTPs 54 IoCs
Processes:
cwpif.exe1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /E" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /J" cwpif.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ 1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /N" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /R" cwpif.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /n" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /m" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /M" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /q" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /b" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /H" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /l" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /t" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /a" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /A" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /S" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /Y" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /g" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /w" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /k" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /f" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /P" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /p" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /z" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /O" 1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /y" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /D" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /v" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /o" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /L" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /K" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /W" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /r" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /h" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /s" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /c" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /d" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /U" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /u" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /I" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /O" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /Q" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /C" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /B" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /V" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /i" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /T" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /j" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /X" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /G" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /x" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /Z" cwpif.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwpif = "C:\\Users\\Admin\\cwpif.exe /e" cwpif.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.execwpif.exepid process 1416 1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe 2044 cwpif.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.execwpif.exepid process 1416 1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exe 2044 cwpif.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exedescription pid process target process PID 1416 wrote to memory of 2044 1416 1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exe cwpif.exe PID 1416 wrote to memory of 2044 1416 1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exe cwpif.exe PID 1416 wrote to memory of 2044 1416 1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exe cwpif.exe PID 1416 wrote to memory of 2044 1416 1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exe cwpif.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exe"C:\Users\Admin\AppData\Local\Temp\1da70ebedfd09c950b6ba8a5634fedd32a934df397d5c55679b0164e0f7aa99c.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\cwpif.exe"C:\Users\Admin\cwpif.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\cwpif.exeFilesize
260KB
MD55c8a0a4faa640c991bbdfa9166d356e5
SHA1405ad400ca4a6b85d95a7052db9441f70ace0a46
SHA256141f7fa6690abf3feb62b109bdfe84f5503226ed9584b68f6d50c59a4c49151e
SHA512e58c52a1b1b3e454175acb4851c89c63deb092d1ed9f4a83e7a6afd1202c5c29d89a1b7f2dee39c2f91a9c69b82744880601a5fe4d4525c4a08b80a6abc5bba9
-
C:\Users\Admin\cwpif.exeFilesize
260KB
MD55c8a0a4faa640c991bbdfa9166d356e5
SHA1405ad400ca4a6b85d95a7052db9441f70ace0a46
SHA256141f7fa6690abf3feb62b109bdfe84f5503226ed9584b68f6d50c59a4c49151e
SHA512e58c52a1b1b3e454175acb4851c89c63deb092d1ed9f4a83e7a6afd1202c5c29d89a1b7f2dee39c2f91a9c69b82744880601a5fe4d4525c4a08b80a6abc5bba9
-
\Users\Admin\cwpif.exeFilesize
260KB
MD55c8a0a4faa640c991bbdfa9166d356e5
SHA1405ad400ca4a6b85d95a7052db9441f70ace0a46
SHA256141f7fa6690abf3feb62b109bdfe84f5503226ed9584b68f6d50c59a4c49151e
SHA512e58c52a1b1b3e454175acb4851c89c63deb092d1ed9f4a83e7a6afd1202c5c29d89a1b7f2dee39c2f91a9c69b82744880601a5fe4d4525c4a08b80a6abc5bba9
-
\Users\Admin\cwpif.exeFilesize
260KB
MD55c8a0a4faa640c991bbdfa9166d356e5
SHA1405ad400ca4a6b85d95a7052db9441f70ace0a46
SHA256141f7fa6690abf3feb62b109bdfe84f5503226ed9584b68f6d50c59a4c49151e
SHA512e58c52a1b1b3e454175acb4851c89c63deb092d1ed9f4a83e7a6afd1202c5c29d89a1b7f2dee39c2f91a9c69b82744880601a5fe4d4525c4a08b80a6abc5bba9
-
memory/1416-56-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/1416-57-0x0000000074DC1000-0x0000000074DC3000-memory.dmpFilesize
8KB
-
memory/1416-65-0x0000000002CB0000-0x0000000002CF2000-memory.dmpFilesize
264KB
-
memory/1416-66-0x0000000002CB0000-0x0000000002CF2000-memory.dmpFilesize
264KB
-
memory/1416-69-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2044-60-0x0000000000000000-mapping.dmp
-
memory/2044-67-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2044-70-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB