Analysis
max time kernel: 152s
max time network: 151s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2022 23:17
Static task: static1
Behavioral task: behavioral1
Sample: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
Resource: win10v2004-20220901-en
General
Target: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
Size: 244KB
MD5: fe06eee14de5b3944f144eddbcc71a8e
SHA1: 2011c57f270891aeb61f9d418a0d81ba1ec26878
SHA256: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d
SHA512: c6fe835f50681765278f345a3ea7a5d5d4450e2f5c8886171365e723e63ba4243717cd429dae925a258941cea5df84dbf974f55d23777f8e1dc9de2665a99a37
SSDEEP: 6144:lWW89YOyGoEOdQfsd9JxGkKak8k+ybc87FCNdtfQ4ML23g:lWEvGNkfhGkKak8k+K
Malware Config (extracted)
family: metasploit
encoder: encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
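To make the extracted config actionable, here is an added example (not code from the report, the sandbox or the sample) that strips the x86/call4_dword_xor layer from a payload found in a buffer. The stub layout it matches is my reading of Metasploit's encoder source and is an assumption; the report itself only names the encoder. Run it over an unpacked buffer, such as the 0x400000-0x465000 memory dumps listed later in the report, not over the UPX-packed file on disk. The sample bytes in the `__main__` block are constructed.

```python
"""Strip the x86/call4_dword_xor layer from a Metasploit payload found in a buffer.

Added example for this report; it is not code from the sandbox or the sample.
The stub layout below is my reading of Metasploit's encoder source and is an
assumption: the report only names the encoder.
"""
import re
import struct

# Decoder stub as emitted by the encoder (assumed layout; offsets for the imm8 form):
#   00  31 c9                 xor  ecx, ecx
#   02  83 e9 XX              sub  ecx, imm8        ; ecx = dword count (81 e9 imm32 if > 128)
#   05  e8 ff ff ff ff        call $+4              ; "returns" onto its own last 0xff byte
#   09  ff c0                 inc  eax              ; the shared 0xff byte, harmless
#   0b  5e                    pop  esi              ; esi = address right after the call
#   0c  81 76 0e KK KK KK KK  xor  dword [esi+0x0e], key   ; esi+0x0e = first encoded byte
#   13  83 ee fc              sub  esi, -4          ; esi += 4
#   16  e2 f4                 loop                  ; back to the xor
STUB_RE = re.compile(
    rb"\x31\xc9"
    rb"(?:\x83\xe9(?P<imm8>.)|\x81\xe9(?P<imm32>.{4}))"
    rb"\xe8\xff\xff\xff\xff\xc0\x5e"
    rb"\x81\x76\x0e(?P<key>.{4})"
    rb"\x83\xee\xfc\xe2\xf4",
    re.DOTALL,
)


def xor_dwords(data: bytes, key: bytes) -> bytes:
    """XOR every dword with the 4-byte key (byte-wise, little-endian, same effect as the stub)."""
    if len(key) != 4:
        raise ValueError("key must be 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def encode_call4_dword_xor(payload: bytes, key: bytes) -> bytes:
    """Build stub + encoded body in the layout above (zero padding to a dword is my choice)."""
    padded = payload + b"\x00" * (-len(payload) % 4)
    ndw = len(padded) // 4
    if ndw == 0:
        raise ValueError("empty payload")
    neg = (-ndw) & 0xFFFFFFFF
    # 'sub ecx, imm8' sign-extends, so the short form only works for counts up to 128
    if ndw <= 128:
        counter = b"\x83\xe9" + bytes([neg & 0xFF])
    else:
        counter = b"\x81\xe9" + struct.pack("<I", neg)
    stub = (b"\x31\xc9" + counter + b"\xe8\xff\xff\xff\xff\xc0\x5e"
            + b"\x81\x76\x0e" + key + b"\x83\xee\xfc\xe2\xf4")
    return stub + xor_dwords(padded, key)


def decode_call4_dword_xor(buf: bytes):
    """Find the stub in buf; return (stub_offset, key, decoded_body) or None if absent/truncated."""
    m = STUB_RE.search(buf)
    if m is None:
        return None
    if m.group("imm8") is not None:
        imm = m.group("imm8")[0]
        imm = imm - 256 if imm >= 128 else imm            # sign-extend the imm8
    else:
        imm = struct.unpack("<i", m.group("imm32"))[0]
    ndw = (-imm) & 0xFFFFFFFF                              # ecx = 0 - imm
    body = buf[m.end():m.end() + 4 * ndw]
    if ndw == 0 or len(body) != 4 * ndw:
        return None
    return m.start(), m.group("key"), xor_dwords(body, m.group("key"))


if __name__ == "__main__":
    # Constructed input: a few bytes shaped like a Windows stager prologue, wrapped by the encoder.
    sample = encode_call4_dword_xor(b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0", b"\x11\x22\x33\x44")
    off, key, body = decode_call4_dword_xor(b"\x90" * 7 + sample)
    print(f"stub at {off:#x}, key {key.hex()}, body {body.hex()}")
```

The decoded body is what you feed to a stager/shellcode classifier or an emulator; the key and dword count come straight from the stub, so there is nothing to brute-force. A hit in a dump from a process that also shows the SetThreadContext and WriteProcessMemory signatures below is a strong sign the Metasploit stage runs in that hollowed instance.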
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes: wmpcn64.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | wmpcn64.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpcn64.exe = "C:\\Windows\\SysWOW64\\wmpcn64.exe:*:Enabled:Windows Media Control" | wmpcn64.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | wmpcn64.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpcn64.exe = "C:\\Windows\\SysWOW64\\wmpcn64.exe:*:Enabled:Windows Media Control" | wmpcn64.exe
The value data uses the legacy (Windows XP era) AuthorizedApplications format path:scope:state:display name: "*" is the scope (any remote address), "Enabled" switches the exception on, and "Windows Media Control" is the name the entry would show under in the firewall UI. The same display name is reused for the Run key below, so the two artefacts can be hunted together. Only the Standard and Domain profiles are written in this run.
Executes dropped EXE 2 IoCs
Processes: wmpcn64.exe, wmpcn64.exe
pid | process
992 | wmpcn64.exe
1668 | wmpcn64.exe
UPX packed file (yara rule: upx) 13 IoCs
Processes: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe (PID 2032), wmpcn64.exe (PID 1668)
resource | yara_rule
behavioral1/memory/2032-55-0x0000000000400000-0x0000000000465000-memory.dmp | upx
behavioral1/memory/2032-57-0x0000000000400000-0x0000000000465000-memory.dmp | upx
behavioral1/memory/2032-58-0x0000000000400000-0x0000000000465000-memory.dmp | upx
behavioral1/memory/2032-60-0x0000000000400000-0x0000000000465000-memory.dmp | upx
behavioral1/memory/2032-64-0x0000000000400000-0x0000000000465000-memory.dmp | upx
behavioral1/memory/2032-65-0x0000000000400000-0x0000000000465000-memory.dmp | upx
behavioral1/memory/2032-66-0x0000000000400000-0x0000000000465000-memory.dmp | upx
behavioral1/memory/2032-67-0x0000000000400000-0x0000000000465000-memory.dmp | upx
behavioral1/memory/2032-72-0x0000000000400000-0x0000000000465000-memory.dmp | upx
behavioral1/memory/1668-85-0x0000000000400000-0x0000000000465000-memory.dmp | upx
behavioral1/memory/1668-86-0x0000000000400000-0x0000000000465000-memory.dmp | upx
behavioral1/memory/1668-87-0x0000000000400000-0x0000000000465000-memory.dmp | upx
behavioral1/memory/1668-88-0x0000000000400000-0x0000000000465000-memory.dmp | upx
All hits are on the 0x400000-0x465000 image region of the two hollowed child processes, so the UPX signature is on the in-memory image, not just the file on disk.
Deletes itself 1 IoCs
Processes: wmpcn64.exe
pid | process
1668 | wmpcn64.exe
Loads dropped DLL 2 IoCs
Processes: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
pid | process
2032 | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
2032 | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: wmpcn64.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | wmpcn64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Media Control = "C:\\Windows\\SysWOW64\\wmpcn64.exe" | wmpcn64.exe
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe, wmpcn64.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpcn64.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | wmpcn64.exe
Drops file in System32 directory 5 IoCs
Processes: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe, wmpcn64.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\ | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
File opened for modification | C:\Windows\SysWOW64\wmpcn64.exe | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
File created | C:\Windows\SysWOW64\wmpcn64.exe | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpcn64.exe
File opened for modification | C:\Windows\SysWOW64\wmpcn64.exe | wmpcn64.exe
Suspicious use of SetThreadContext 2 IoCs
Processes: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe, wmpcn64.exe
description | pid | target pid | process | target process
set thread context of | 1112 | 2032 | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
set thread context of | 992 | 1668 | wmpcn64.exe | wmpcn64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox tags this generically as likely ransomware behaviour; nothing else in this report supports that verdict for this sample (no mass file modification, no ransom note, and the extracted config is a Metasploit payload). Read it together with the Disk\Enum queries above as environment fingerprinting rather than as encryption activity.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe, wmpcn64.exe
pid | process | occurrences
2032 | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe | 2
1668 | wmpcn64.exe | 5
Suspicious use of WriteProcessMemory 22 IoCs
Processes: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe (PID 1112, PID 2032), wmpcn64.exe (PID 992, PID 1668)
calls | pid | description | target pid | process | target process
8 | 1112 | wrote to memory of | 2032 | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
4 | 2032 | wrote to memory of | 992 | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe | wmpcn64.exe
8 | 992 | wrote to memory of | 1668 | wmpcn64.exe | wmpcn64.exe
2 | 1668 | wrote to memory of | 1284 | wmpcn64.exe | Explorer.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe (PID 1112)
   Command line: "C:\Users\Admin\AppData\Local\Temp\afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe (PID 2032, child of 1112)
      Command line: "C:\Users\Admin\AppData\Local\Temp\afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe"
      - Loads dropped DLL
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\wmpcn64.exe (PID 992, child of 2032)
         Command line: "C:\Windows\SysWOW64\wmpcn64.exe" C:\Users\Admin\AppData\Local\Temp\AFB123~1.EXE
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\wmpcn64.exe (PID 1668, child of 992)
            Command line: "C:\Windows\SysWOW64\wmpcn64.exe" C:\Users\Admin\AppData\Local\Temp\AFB123~1.EXE
            - Modifies firewall policy service
            - Executes dropped EXE
            - Deletes itself
            - Adds Run key to start application
            - Maps connected drives based on registry
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
1. C:\Windows\Explorer.EXE (PID 1284)
   Command line: C:\Windows\Explorer.EXE
   Not spawned by the sample; it is in the tree because PID 1668 wrote into it (see WriteProcessMemory).

Reading the chain: each stage starts a second copy of itself, writes into it and then calls SetThreadContext on it (1112 -> 2032, then 992 -> 1668), the usual self-injection pattern for a packed loader, so the real code runs in the second instance while the first instance's image stays packed on disk. The dropped copy is launched with the dropper's 8.3 short path (AFB123~1.EXE) as its only argument; together with the Deletes itself signature on PID 1668, this points to the copy removing the original dropper once it is running from SysWOW64. The final step, PID 1668 writing into Explorer.EXE, is where the injected payload would be looked for.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Windows\SysWOW64\wmpcn64.exe
Listed five times in the report (three as C:\Windows\SysWOW64\wmpcn64.exe, two as \Windows\SysWOW64\wmpcn64.exe), all with identical hashes:
Filesize: 244KB
MD5: fe06eee14de5b3944f144eddbcc71a8e
SHA1: 2011c57f270891aeb61f9d418a0d81ba1ec26878
SHA256: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d
SHA512: c6fe835f50681765278f345a3ea7a5d5d4450e2f5c8886171365e723e63ba4243717cd429dae925a258941cea5df84dbf974f55d23777f8e1dc9de2665a99a37
These hashes are identical to the submitted sample's, so the dropper copies itself unmodified into the system directory (SysWOW64, because a 32-bit process writing to System32 on x64 Windows is redirected there). There is no separate second-stage file to hunt for on disk; the same hash covers both the dropper and the persisted copy.
Memory dumps
dump | size | process
memory/992-70-0x0000000000000000-mapping.dmp | (mapping) | wmpcn64.exe, PID 992
memory/1284-89-0x0000000002A20000-0x0000000002A3E000-memory.dmp | 120KB | Explorer.EXE, PID 1284 (the process PID 1668 wrote into, see WriteProcessMemory)
memory/1668-81-0x000000000044F800-mapping.dmp | (mapping) | wmpcn64.exe, PID 1668
memory/1668-85, -86, -87, -88 at 0x0000000000400000-0x0000000000465000 (memory.dmp) | 404KB each | wmpcn64.exe, PID 1668 (in-memory image, all four flagged by the upx rule)
memory/2032-61-0x000000000044F800-mapping.dmp | (mapping) | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe, PID 2032
memory/2032-63-0x0000000076031000-0x0000000076033000-memory.dmp | 8KB | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe, PID 2032
memory/2032-54, -55, -57, -58, -60, -64, -65, -66, -67, -72 at 0x0000000000400000-0x0000000000465000 (memory.dmp) | 404KB each | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe, PID 2032 (in-memory image; all but -54 flagged by the upx rule)
The 404KB image dumps are larger than the 244KB file on disk, as expected for an unpacked UPX image, and they are the buffers to carve the Metasploit payload from; the 120KB Explorer.EXE region is the place to check for the injected stage.