Analysis
- max time kernel: 179s
- max time network: 206s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 16:39
Static task: static1
Behavioral task: behavioral1
- Sample: 176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
- Resource: win10v2004-20221111-en
General
- Target: 176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
- Size: 122KB
- MD5: a6ea5bc740f094aca5422d0214c5d776
- SHA1: 52e35d6d5d0f8c4517be19a3237d70e5e9d8ca50
- SHA256: 176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3
- SHA512: 18a5c13182f756424bb7bfd9f2164b370e19e27057dedb1f2c01311674f3b58842f59e6eeb8c864c7f415ec5dcbfab9edaf4a5d03e70e0cfb105f6c27f8c6214
- SSDEEP: 1536:NRJwgSiaqNsZp5JIYyicEAT6/A5d2aiQatQ6EF4CKwWOiN+nEwwTGwsjnG8Xrx:RKiaUIEYznAtWaibtQQOTLweG8Xrx
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 2572: WMPRWISE.EXE
  - PID 4208: WMPRWISE.EXE
- Loads dropped DLL (2 IoCs)
  Processes:
  - PID 4208: WMPRWISE.EXE
  - PID 4208: WMPRWISE.EXE
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: 176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Firewall 2.9 = "C:\\Users\\Admin\\AppData\\Roaming\\WMPRWISE.EXE" (process: 176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe)
- Drops desktop.ini file(s) (2 IoCs)
  Processes:
  - File opened for modification: C:\Users\Admin\AppData\Roaming\desktop.ini (process: WMPRWISE.EXE)
  - File created: C:\Users\Admin\AppData\Roaming\desktop.ini (process: WMPRWISE.EXE)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  - PID 2300 set thread context of 2760 (176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe -> 176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe)
  - PID 2572 set thread context of 4208 (WMPRWISE.EXE -> WMPRWISE.EXE)
- Modifies Internet Explorer settings (2 IoCs)
  Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry (process: WMPRWISE.EXE)
  - Set value (data): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\SavedLegacySettingsML = 343038383435363735 (process: WMPRWISE.EXE)
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
  - PID 2300 wrote to memory of 2760, 8 entries (176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe -> 176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe)
  - PID 2760 wrote to memory of 2572, 3 entries (176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe -> WMPRWISE.EXE)
  - PID 2572 wrote to memory of 4208, 8 entries (WMPRWISE.EXE -> WMPRWISE.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe (PID 2300)
  Command line: "C:\Users\Admin\AppData\Local\Temp\176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe (PID 2760, child of 2300)
    Command line: C:\Users\Admin\AppData\Local\Temp\176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3.exe
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\WMPRWISE.EXE (PID 2572, child of 2760)
      Command line: C:\Users\Admin\AppData\Roaming\WMPRWISE.EXE
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\WMPRWISE.EXE (PID 4208, child of 2572)
        Command line: C:\Users\Admin\AppData\Roaming\WMPRWISE.EXE
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops desktop.ini file(s)
        - Modifies Internet Explorer settings
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\WMPRWISE.EXE
  Filesize: 122KB
  MD5: a6ea5bc740f094aca5422d0214c5d776
  SHA1: 52e35d6d5d0f8c4517be19a3237d70e5e9d8ca50
  SHA256: 176375ce002ff3872f0b2a993007c449ede75a703f23a1e9c7cdebd01c778fe3
  SHA512: 18a5c13182f756424bb7bfd9f2164b370e19e27057dedb1f2c01311674f3b58842f59e6eeb8c864c7f415ec5dcbfab9edaf4a5d03e70e0cfb105f6c27f8c6214
- C:\Users\Admin\AppData\Roaming\desktop.ini
  Filesize: 9KB
  MD5: 4a27242b307c6a836993353035fafc16
  SHA1: 5fea7a41b8f9071848108015d8a952e6f944eea0
  SHA256: 02fd93f64bda51e1e2991184cac13f077d509712e462c9e44be9cf8e22c06de1
  SHA512: 35e9c87642b82df2bf0a9312bb0e9abfb98282db1e34032a4d0150d82c5e2f2e13150ddc896f1e954f02288a1e696a4306ee595b94b1e404c6ec17bac64c44be
- C:\Users\Admin\AppData\Roaming\ntuser.dat
  Filesize: 54KB
  MD5: 7e8e966927e04a35aec644602b8a9e05
  SHA1: d201b0b41e8701818d60ddbf9f334332a512c4da
  SHA256: 46f18d9fbf63f378d86962cbf24f5ce57ce257555acd4effdcc41c1e2f1adf5c
  SHA512: 246777c79129a5076b71ca5d3f7e59b06d344f6b5e771892ae8ee68c0b5af9207cd1868b1336b49e6a84665309ad379a33ec6c8e72d7ce41de72153637921a51
- memory/2572-136-0x0000000000000000-mapping.dmp
- memory/2760-133-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/2760-135-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/2760-132-0x0000000000000000-mapping.dmp
- memory/4208-139-0x0000000000000000-mapping.dmp
- memory/4208-144-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/4208-143-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/4208-147-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)