Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 23:17
Static task: static1
Behavioral task: behavioral1
- Sample: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
- Resource: win10v2004-20220901-en
General
- Target: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
- Size: 244KB
- MD5: fe06eee14de5b3944f144eddbcc71a8e
- SHA1: 2011c57f270891aeb61f9d418a0d81ba1ec26878
- SHA256: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d
- SHA512: c6fe835f50681765278f345a3ea7a5d5d4450e2f5c8886171365e723e63ba4243717cd429dae925a258941cea5df84dbf974f55d23777f8e1dc9de2665a99a37
- SSDEEP: 6144:lWW89YOyGoEOdQfsd9JxGkKak8k+ybc87FCNdtfQ4ML23g:lWEvGNkfhGkKak8k+K
Malware Config
Extracted: metasploit
- encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies firewall policy service (2 TTPs, 8 IoCs)
  Processes: wmpcn64.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications | wmpcn64.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpcn64.exe = "C:\\Windows\\SysWOW64\\wmpcn64.exe:*:Enabled:Windows Media Control" | wmpcn64.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | wmpcn64.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | wmpcn64.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | wmpcn64.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpcn64.exe = "C:\\Windows\\SysWOW64\\wmpcn64.exe:*:Enabled:Windows Media Control" | wmpcn64.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | wmpcn64.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | wmpcn64.exe
- Executes dropped EXE (2 IoCs)
  Processes: wmpcn64.exe, wmpcn64.exe
  pid | process
  3408 | wmpcn64.exe
  4108 | wmpcn64.exe
- YARA rule matches
  resource | yara_rule
  behavioral2/memory/4796-133-0x0000000000400000-0x0000000000465000-memory.dmp | upx
  behavioral2/memory/4796-135-0x0000000000400000-0x0000000000465000-memory.dmp | upx
  behavioral2/memory/4796-136-0x0000000000400000-0x0000000000465000-memory.dmp | upx
  behavioral2/memory/4796-137-0x0000000000400000-0x0000000000465000-memory.dmp | upx
  behavioral2/memory/4796-141-0x0000000000400000-0x0000000000465000-memory.dmp | upx
  behavioral2/memory/4108-146-0x0000000000400000-0x0000000000465000-memory.dmp | upx
  behavioral2/memory/4108-147-0x0000000000400000-0x0000000000465000-memory.dmp | upx
  behavioral2/memory/4108-148-0x0000000000400000-0x0000000000465000-memory.dmp | upx
  behavioral2/memory/4108-149-0x0000000000400000-0x0000000000465000-memory.dmp | upx
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wmpcn64.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | wmpcn64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Media Control = "C:\\Windows\\SysWOW64\\wmpcn64.exe" | wmpcn64.exe
- Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe, wmpcn64.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpcn64.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpcn64.exe
- Drops file in System32 directory (5 IoCs)
  Processes: wmpcn64.exe, afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\wmpcn64.exe | wmpcn64.exe
  File opened for modification | C:\Windows\SysWOW64\ | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
  File opened for modification | C:\Windows\SysWOW64\wmpcn64.exe | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
  File created | C:\Windows\SysWOW64\wmpcn64.exe | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
  File opened for modification | C:\Windows\SysWOW64\ | wmpcn64.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe, wmpcn64.exe
  description | pid | process | target process
  PID 4944 set thread context of 4796 | 4944 | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
  PID 3408 set thread context of 4108 | 3408 | wmpcn64.exe | wmpcn64.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe, wmpcn64.exe
  pid | process
  4796 | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe (4 entries)
  4108 | wmpcn64.exe (18 entries)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe, afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe, wmpcn64.exe, wmpcn64.exe
  description | pid | process | target process
  PID 4944 wrote to memory of 4796 | 4944 | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe (8 entries)
  PID 4796 wrote to memory of 3408 | 4796 | afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe | wmpcn64.exe (3 entries)
  PID 3408 wrote to memory of 4108 | 3408 | wmpcn64.exe | wmpcn64.exe (8 entries)
  PID 4108 wrote to memory of 3048 | 4108 | wmpcn64.exe | Explorer.EXE (2 entries)
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   2. C:\Users\Admin\AppData\Local\Temp\afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d.exe"
         - Checks computer location settings
         - Maps connected drives based on registry
         - Drops file in System32 directory
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\wmpcn64.exe
            Command line: "C:\Windows\SysWOW64\wmpcn64.exe" C:\Users\Admin\AppData\Local\Temp\AFB123~1.EXE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\wmpcn64.exe
               Command line: "C:\Windows\SysWOW64\wmpcn64.exe" C:\Users\Admin\AppData\Local\Temp\AFB123~1.EXE
               - Modifies firewall policy service
               - Executes dropped EXE
               - Adds Run key to start application
               - Maps connected drives based on registry
               - Drops file in System32 directory
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\SysWOW64\wmpcn64.exe
  Filesize: 244KB
  MD5: fe06eee14de5b3944f144eddbcc71a8e
  SHA1: 2011c57f270891aeb61f9d418a0d81ba1ec26878
  SHA256: afb1231f95d1c950356af88d21062a01e02110614d3d06e0f18cb665d080a04d
  SHA512: c6fe835f50681765278f345a3ea7a5d5d4450e2f5c8886171365e723e63ba4243717cd429dae925a258941cea5df84dbf974f55d23777f8e1dc9de2665a99a37
- memory/3408-138-0x0000000000000000-mapping.dmp
- memory/4108-142-0x0000000000000000-mapping.dmp
- memory/4108-146-0x0000000000400000-0x0000000000465000-memory.dmp (Filesize: 404KB)
- memory/4108-147-0x0000000000400000-0x0000000000465000-memory.dmp (Filesize: 404KB)
- memory/4108-148-0x0000000000400000-0x0000000000465000-memory.dmp (Filesize: 404KB)
- memory/4108-149-0x0000000000400000-0x0000000000465000-memory.dmp (Filesize: 404KB)
- memory/4796-137-0x0000000000400000-0x0000000000465000-memory.dmp (Filesize: 404KB)
- memory/4796-136-0x0000000000400000-0x0000000000465000-memory.dmp (Filesize: 404KB)
- memory/4796-135-0x0000000000400000-0x0000000000465000-memory.dmp (Filesize: 404KB)
- memory/4796-141-0x0000000000400000-0x0000000000465000-memory.dmp (Filesize: 404KB)
- memory/4796-132-0x0000000000000000-mapping.dmp
- memory/4796-133-0x0000000000400000-0x0000000000465000-memory.dmp (Filesize: 404KB)