176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3

General

Target

176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
Size

122KB
MD5

a6ea5bc740f094aca5422d0214c5d776
SHA1

52e35d6d5d0f8c4517be19a3237d70e5e9d8ca50
SHA256

176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3
SHA512

18a5c13182f756424bb7bfd9f2164b370e19e27057dedb1f2c01311674f3b58842f59e6eeb8c864c7f415ec5dcbfab9edaf4a5d03e70e0cfb105f6c27f8c6214
SSDEEP

1536:NRJwgSiaqNsZp5JIYyicEAT6/A5d2aiQatQ6EF4CKwWOiN+nEwwTGwsjnG8Xrx:RKiaUIEYznAtWaibtQQOTLweG8Xrx

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

WMPRWISE.EXEWMPRWISE.EXE

pid process

1820 WMPRWISE.EXE
660 WMPRWISE.EXE

pid	process
1820	WMPRWISE.EXE
660	WMPRWISE.EXE

Loads dropped DLL 4 IoCs

Processes:

176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exeWMPRWISE.EXE

pid	process
296	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
296	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
660	WMPRWISE.EXE
660	WMPRWISE.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Firewall 2.9 = "C:\\Users\\Admin\\AppData\\Roaming\\WMPRWISE.EXE"	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

WMPRWISE.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\desktop.ini	WMPRWISE.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\desktop.ini	WMPRWISE.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exeWMPRWISE.EXE

description	pid	process	target process
PID 316 set thread context of 296	316	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
PID 1820 set thread context of 660	1820	WMPRWISE.EXE	WMPRWISE.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

WMPRWISE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\SavedLegacySettingsML = 313733393830373938	WMPRWISE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry	WMPRWISE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exeWMPRWISE.EXE

description	pid	process	target process
PID 316 wrote to memory of 296	316	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
PID 316 wrote to memory of 296	316	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
PID 316 wrote to memory of 296	316	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
PID 316 wrote to memory of 296	316	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
PID 316 wrote to memory of 296	316	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
PID 316 wrote to memory of 296	316	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
PID 316 wrote to memory of 296	316	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
PID 316 wrote to memory of 296	316	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
PID 316 wrote to memory of 296	316	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
PID 296 wrote to memory of 1820	296	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe	WMPRWISE.EXE
PID 296 wrote to memory of 1820	296	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe	WMPRWISE.EXE
PID 296 wrote to memory of 1820	296	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe	WMPRWISE.EXE
PID 296 wrote to memory of 1820	296	176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe	WMPRWISE.EXE
PID 1820 wrote to memory of 660	1820	WMPRWISE.EXE	WMPRWISE.EXE
PID 1820 wrote to memory of 660	1820	WMPRWISE.EXE	WMPRWISE.EXE
PID 1820 wrote to memory of 660	1820	WMPRWISE.EXE	WMPRWISE.EXE
PID 1820 wrote to memory of 660	1820	WMPRWISE.EXE	WMPRWISE.EXE
PID 1820 wrote to memory of 660	1820	WMPRWISE.EXE	WMPRWISE.EXE
PID 1820 wrote to memory of 660	1820	WMPRWISE.EXE	WMPRWISE.EXE
PID 1820 wrote to memory of 660	1820	WMPRWISE.EXE	WMPRWISE.EXE
PID 1820 wrote to memory of 660	1820	WMPRWISE.EXE	WMPRWISE.EXE
PID 1820 wrote to memory of 660	1820	WMPRWISE.EXE	WMPRWISE.EXE

C:\Users\Admin\AppData\Local\Temp\176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
"C:\Users\Admin\AppData\Local\Temp\176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
  C:\Users\Admin\AppData\Local\Temp\176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Users\Admin\AppData\Roaming\WMPRWISE.EXE
    C:\Users\Admin\AppData\Roaming\WMPRWISE.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Users\Admin\AppData\Roaming\WMPRWISE.EXE
      C:\Users\Admin\AppData\Roaming\WMPRWISE.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops desktop.ini file(s)
      Modifies Internet Explorer settings
      PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WMPRWISE.EXE

Filesize
122KB

MD5
a6ea5bc740f094aca5422d0214c5d776

SHA1
52e35d6d5d0f8c4517be19a3237d70e5e9d8ca50

SHA256
176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3

SHA512
18a5c13182f756424bb7bfd9f2164b370e19e27057dedb1f2c01311674f3b58842f59e6eeb8c864c7f415ec5dcbfab9edaf4a5d03e70e0cfb105f6c27f8c6214

Download Submit
C:\Users\Admin\AppData\Roaming\WMPRWISE.EXE

Filesize
122KB

MD5
a6ea5bc740f094aca5422d0214c5d776

SHA1
52e35d6d5d0f8c4517be19a3237d70e5e9d8ca50

SHA256
176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3

SHA512
18a5c13182f756424bb7bfd9f2164b370e19e27057dedb1f2c01311674f3b58842f59e6eeb8c864c7f415ec5dcbfab9edaf4a5d03e70e0cfb105f6c27f8c6214

Download Submit
C:\Users\Admin\AppData\Roaming\WMPRWISE.EXE

Filesize
122KB

MD5
a6ea5bc740f094aca5422d0214c5d776

SHA1
52e35d6d5d0f8c4517be19a3237d70e5e9d8ca50

SHA256
176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3

SHA512
18a5c13182f756424bb7bfd9f2164b370e19e27057dedb1f2c01311674f3b58842f59e6eeb8c864c7f415ec5dcbfab9edaf4a5d03e70e0cfb105f6c27f8c6214

Download Submit
\Users\Admin\AppData\Roaming\WMPRWISE.EXE

Filesize
122KB

MD5
a6ea5bc740f094aca5422d0214c5d776

SHA1
52e35d6d5d0f8c4517be19a3237d70e5e9d8ca50

SHA256
176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3

SHA512
18a5c13182f756424bb7bfd9f2164b370e19e27057dedb1f2c01311674f3b58842f59e6eeb8c864c7f415ec5dcbfab9edaf4a5d03e70e0cfb105f6c27f8c6214

Download Submit
\Users\Admin\AppData\Roaming\WMPRWISE.EXE

Filesize
122KB

MD5
a6ea5bc740f094aca5422d0214c5d776

SHA1
52e35d6d5d0f8c4517be19a3237d70e5e9d8ca50

SHA256
176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3

SHA512
18a5c13182f756424bb7bfd9f2164b370e19e27057dedb1f2c01311674f3b58842f59e6eeb8c864c7f415ec5dcbfab9edaf4a5d03e70e0cfb105f6c27f8c6214

Download Submit
\Users\Admin\AppData\Roaming\desktop.ini

Filesize
9KB

MD5
4a27242b307c6a836993353035fafc16

SHA1
5fea7a41b8f9071848108015d8a952e6f944eea0

SHA256
02fd93f64bda51e1e2991184cac13f077d509712e462c9e44be9cf8e22c06de1

SHA512
35e9c87642b82df2bf0a9312bb0e9abfb98282db1e34032a4d0150d82c5e2f2e13150ddc896f1e954f02288a1e696a4306ee595b94b1e404c6ec17bac64c44be

Download Submit
\Users\Admin\AppData\Roaming\ntuser.dat

Filesize
54KB

MD5
7e8e966927e04a35aec644602b8a9e05

SHA1
d201b0b41e8701818d60ddbf9f334332a512c4da

SHA256
46f18d9fbf63f378d86962cbf24f5ce57ce257555acd4effdcc41c1e2f1adf5c

SHA512
246777c79129a5076b71ca5d3f7e59b06d344f6b5e771892ae8ee68c0b5af9207cd1868b1336b49e6a84665309ad379a33ec6c8e72d7ce41de72153637921a51

Download Submit
memory/296-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/296-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/296-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/296-61-0x00000000004094EF-mapping.dmp

Download
memory/296-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/296-54-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/296-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-76-0x00000000004094EF-mapping.dmp

Download
memory/660-80-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-79-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/660-83-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1820-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads