8b1e310161b6696bbbb2ca4e3cf147fc75923f4196f6906a72bab89d34558656

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b1e310161b6696bbbb2ca4e3cf147fc75923f4196f6906a72bab89d34558656.exe
Size

45KB
MD5

42f14fce9757cce55f82a37e0b12d461
SHA1

0bf6ebf4f1666f4b8212baf19d6b139ef97a5701
SHA256

8b1e310161b6696bbbb2ca4e3cf147fc75923f4196f6906a72bab89d34558656
SHA512

faa4d70721885f9a52002d42b7cf12c9e64a534b9e40bcfa7b829b9c14f30a1b98d095bd9502dce38bdd66871d99c1e6a809b870badc340f35eaf0060a98b4ad
SSDEEP

768:0NDZ2Y733ZL4OsPDsJODbfnH+bM0Mhrn/ig9uQrIJho5OB7:018OyskbP+o0AgQrIX7

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2780	WmInit.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	WmInit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Media = "C:\\Windows\\SysWOW64\\WmInit.exe"	WmInit.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tmp	WmInit.exe
File opened for modification	C:\Windows\SysWOW64\tmp	8b1e310161b6696bbbb2ca4e3cf147fc75923f4196f6906a72bab89d34558656.exe
File created	C:\Windows\SysWOW64\tmp	8b1e310161b6696bbbb2ca4e3cf147fc75923f4196f6906a72bab89d34558656.exe
File created	C:\Windows\SysWOW64\WmInit.dat	8b1e310161b6696bbbb2ca4e3cf147fc75923f4196f6906a72bab89d34558656.exe
File opened for modification	C:\Windows\SysWOW64\WmInit.exe	8b1e310161b6696bbbb2ca4e3cf147fc75923f4196f6906a72bab89d34558656.exe
File created	C:\Windows\SysWOW64\WmInit.exe	8b1e310161b6696bbbb2ca4e3cf147fc75923f4196f6906a72bab89d34558656.exe
File opened for modification	C:\Windows\SysWOW64\tmp	WmInit.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 2780	4712	8b1e310161b6696bbbb2ca4e3cf147fc75923f4196f6906a72bab89d34558656.exe	81
PID 4712 wrote to memory of 2780	4712	8b1e310161b6696bbbb2ca4e3cf147fc75923f4196f6906a72bab89d34558656.exe	81
PID 4712 wrote to memory of 2780	4712	8b1e310161b6696bbbb2ca4e3cf147fc75923f4196f6906a72bab89d34558656.exe	81

C:\Users\Admin\AppData\Local\Temp\8b1e310161b6696bbbb2ca4e3cf147fc75923f4196f6906a72bab89d34558656.exe
"C:\Users\Admin\AppData\Local\Temp\8b1e310161b6696bbbb2ca4e3cf147fc75923f4196f6906a72bab89d34558656.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\SysWOW64\WmInit.exe
  "C:\Windows\system32\WmInit.exe" "C:\Users\Admin\AppData\Local\Temp\8b1e310161b6696bbbb2ca4e3cf147fc75923f4196f6906a72bab89d34558656.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:2780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WmInit.dat

Filesize
8B

MD5
f6a32b51b97effe4104e13500cc8fb4c

SHA1
804bd9a3d705c285aa9165e2dc0d0c409004b880

SHA256
699ce7548c9bbf4ec1bd02ad3337ecdcf317b00c12a658f792f6a4b1017ed60c

SHA512
a86af6dda909e3fef20a2a883bbc8d645b94601635af2f33634e7762c9058ae81a585aba0a10f68255e68c5a10b82cdbf6b5a062a6c5c0da55345a2a9f88974f

Download Submit
C:\Windows\SysWOW64\WmInit.exe

Filesize
33.4MB

MD5
b1b52cb36cedf04ec59b9e033cba95a2

SHA1
6a823ae7a5f05cce19451ed9cd1f83c578d023f8

SHA256
c924ad7660526da936217f5ff6229da4d4ea559ec915ea635e7d4c242dc16f8b

SHA512
34282be2a74d336ac64614909cad959332d57d65c48588f6382ec6531ba00ee684c9c0090f1dd3291a6e2e0691910507c2d1ab329856c18fbfe67e2cee49219a

Download Submit
C:\Windows\SysWOW64\WmInit.exe

Filesize
33.4MB

MD5
b1b52cb36cedf04ec59b9e033cba95a2

SHA1
6a823ae7a5f05cce19451ed9cd1f83c578d023f8

SHA256
c924ad7660526da936217f5ff6229da4d4ea559ec915ea635e7d4c242dc16f8b

SHA512
34282be2a74d336ac64614909cad959332d57d65c48588f6382ec6531ba00ee684c9c0090f1dd3291a6e2e0691910507c2d1ab329856c18fbfe67e2cee49219a

Download Submit
memory/2780-139-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2780-140-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4712-132-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4712-133-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4712-137-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download