Analysis
- max time kernel: 149s
- max time network: 163s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 30-11-2022 22:03
Static task: static1

Behavioral task: behavioral1
- Sample: c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe
- Resource: win10v2004-20221111-en
General
- Target: c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe
- Size: 246KB
- MD5: c7b5643e78e9a19c4a1750b751c9cd64
- SHA1: cdeb396a11abecd9ea9f6432cff9b1a819009a75
- SHA256: c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67
- SHA512: 81781ee2333a2ce0d7080ef23753ff1acff803b279242e209aefd7407d284c11138a5c295ce62fc570945948a8be8baaf8972d15cdea5ef8c877b5eebb24b114
- SSDEEP: 3072:jhztMMCQizmb8f0xMABzez3XGbCsW9amzkJpr2cElHC7D5myTeRhvL4QK730381G:t0DmQGZBqHGuKC
Malware Config
- Extracted: metasploit
  - encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | wmpsa64.exe |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpsa64.exe = "C:\\Windows\\SysWOW64\\wmpsa64.exe:*:Enabled:Windows Media Sharing" | wmpsa64.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | wmpsa64.exe |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpsa64.exe = "C:\\Windows\\SysWOW64\\wmpsa64.exe:*:Enabled:Windows Media Sharing" | wmpsa64.exe |
Executes dropped EXE (2 IoCs)
Processes:

| pid | process |
|---|---|
| 584 | wmpsa64.exe |
| 1912 | wmpsa64.exe |
Processes:

| resource | yara_rule |
|---|---|
| behavioral1/memory/864-55-0x0000000000400000-0x0000000000465000-memory.dmp | upx |
| behavioral1/memory/864-57-0x0000000000400000-0x0000000000465000-memory.dmp | upx |
| behavioral1/memory/864-58-0x0000000000400000-0x0000000000465000-memory.dmp | upx |
| behavioral1/memory/864-60-0x0000000000400000-0x0000000000465000-memory.dmp | upx |
| behavioral1/memory/864-63-0x0000000000400000-0x0000000000465000-memory.dmp | upx |
| behavioral1/memory/864-65-0x0000000000400000-0x0000000000465000-memory.dmp | upx |
| behavioral1/memory/864-66-0x0000000000400000-0x0000000000465000-memory.dmp | upx |
| behavioral1/memory/864-67-0x0000000000400000-0x0000000000465000-memory.dmp | upx |
| behavioral1/memory/864-68-0x0000000000400000-0x0000000000465000-memory.dmp | upx |
| behavioral1/memory/864-73-0x0000000000400000-0x0000000000465000-memory.dmp | upx |
| behavioral1/memory/1912-86-0x0000000000400000-0x0000000000465000-memory.dmp | upx |
| behavioral1/memory/1912-87-0x0000000000400000-0x0000000000465000-memory.dmp | upx |
| behavioral1/memory/1912-88-0x0000000000400000-0x0000000000465000-memory.dmp | upx |
| behavioral1/memory/1912-89-0x0000000000400000-0x0000000000465000-memory.dmp | upx |
Deletes itself (1 IoCs)
Processes:

| pid | process |
|---|---|
| 1912 | wmpsa64.exe |
Loads dropped DLL (2 IoCs)
Processes:

| pid | process |
|---|---|
| 864 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| 864 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | wmpsa64.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Media Sharing = "C:\\Windows\\SysWOW64\\wmpsa64.exe" | wmpsa64.exe |
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpsa64.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpsa64.exe |
Drops file in System32 directory (5 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\ | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpsa64.exe | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| File created | C:\Windows\SysWOW64\wmpsa64.exe | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| File opened for modification | C:\Windows\SysWOW64\ | wmpsa64.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpsa64.exe | wmpsa64.exe |
Suspicious use of SetThreadContext (2 IoCs)
Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 1108 set thread context of 864 | 1108 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| PID 584 set thread context of 1912 | 584 | wmpsa64.exe | wmpsa64.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:

| pid | process |
|---|---|
| 864 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| 864 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| 1912 | wmpsa64.exe |
| 1912 | wmpsa64.exe |
| 1912 | wmpsa64.exe |
| 1912 | wmpsa64.exe |
| 1912 | wmpsa64.exe |
| 1912 | wmpsa64.exe |
Suspicious use of WriteProcessMemory (22 IoCs)
Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 1108 wrote to memory of 864 | 1108 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| PID 1108 wrote to memory of 864 | 1108 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| PID 1108 wrote to memory of 864 | 1108 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| PID 1108 wrote to memory of 864 | 1108 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| PID 1108 wrote to memory of 864 | 1108 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| PID 1108 wrote to memory of 864 | 1108 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| PID 1108 wrote to memory of 864 | 1108 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| PID 1108 wrote to memory of 864 | 1108 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe |
| PID 864 wrote to memory of 584 | 864 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe | wmpsa64.exe |
| PID 864 wrote to memory of 584 | 864 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe | wmpsa64.exe |
| PID 864 wrote to memory of 584 | 864 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe | wmpsa64.exe |
| PID 864 wrote to memory of 584 | 864 | c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe | wmpsa64.exe |
| PID 584 wrote to memory of 1912 | 584 | wmpsa64.exe | wmpsa64.exe |
| PID 584 wrote to memory of 1912 | 584 | wmpsa64.exe | wmpsa64.exe |
| PID 584 wrote to memory of 1912 | 584 | wmpsa64.exe | wmpsa64.exe |
| PID 584 wrote to memory of 1912 | 584 | wmpsa64.exe | wmpsa64.exe |
| PID 584 wrote to memory of 1912 | 584 | wmpsa64.exe | wmpsa64.exe |
| PID 584 wrote to memory of 1912 | 584 | wmpsa64.exe | wmpsa64.exe |
| PID 584 wrote to memory of 1912 | 584 | wmpsa64.exe | wmpsa64.exe |
| PID 584 wrote to memory of 1912 | 584 | wmpsa64.exe | wmpsa64.exe |
| PID 1912 wrote to memory of 1268 | 1912 | wmpsa64.exe | Explorer.EXE |
| PID 1912 wrote to memory of 1268 | 1912 | wmpsa64.exe | Explorer.EXE |
Processes

- C:\Users\Admin\AppData\Local\Temp\c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe"
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wmpsa64.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\wmpsa64.exe" C:\Users\Admin\AppData\Local\Temp\C24444~1.EXE
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wmpsa64.exe (depth 4)
        Command line: "C:\Windows\SysWOW64\wmpsa64.exe" C:\Users\Admin\AppData\Local\Temp\C24444~1.EXE
        - Modifies firewall policy service
        - Executes dropped EXE
        - Deletes itself
        - Adds Run key to start application
        - Maps connected drives based on registry
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
Downloads

- C:\Windows\SysWOW64\wmpsa64.exe
  - Filesize: 246KB
  - MD5: c7b5643e78e9a19c4a1750b751c9cd64
  - SHA1: cdeb396a11abecd9ea9f6432cff9b1a819009a75
  - SHA256: c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67
  - SHA512: 81781ee2333a2ce0d7080ef23753ff1acff803b279242e209aefd7407d284c11138a5c295ce62fc570945948a8be8baaf8972d15cdea5ef8c877b5eebb24b114
Memory dumps:

| dump | filesize |
|---|---|
| memory/584-71-0x0000000000000000-mapping.dmp | |
| memory/864-63-0x0000000000400000-0x0000000000465000-memory.dmp | 404KB |
| memory/864-58-0x0000000000400000-0x0000000000465000-memory.dmp | 404KB |
| memory/864-65-0x0000000000400000-0x0000000000465000-memory.dmp | 404KB |
| memory/864-66-0x0000000000400000-0x0000000000465000-memory.dmp | 404KB |
| memory/864-67-0x0000000000400000-0x0000000000465000-memory.dmp | 404KB |
| memory/864-68-0x0000000000400000-0x0000000000465000-memory.dmp | 404KB |
| memory/864-54-0x0000000000400000-0x0000000000465000-memory.dmp | 404KB |
| memory/864-60-0x0000000000400000-0x0000000000465000-memory.dmp | 404KB |
| memory/864-61-0x000000000044F7C0-mapping.dmp | |
| memory/864-64-0x00000000767F1000-0x00000000767F3000-memory.dmp | 8KB |
| memory/864-73-0x0000000000400000-0x0000000000465000-memory.dmp | 404KB |
| memory/864-57-0x0000000000400000-0x0000000000465000-memory.dmp | 404KB |
| memory/864-55-0x0000000000400000-0x0000000000465000-memory.dmp | 404KB |
| memory/1268-90-0x0000000002A80000-0x0000000002A9E000-memory.dmp | 120KB |
| memory/1912-82-0x000000000044F7C0-mapping.dmp | |
| memory/1912-86-0x0000000000400000-0x0000000000465000-memory.dmp | 404KB |
| memory/1912-87-0x0000000000400000-0x0000000000465000-memory.dmp | 404KB |
| memory/1912-88-0x0000000000400000-0x0000000000465000-memory.dmp | 404KB |
| memory/1912-89-0x0000000000400000-0x0000000000465000-memory.dmp | 404KB |