b14f7ab4407668280e27187531161736715f8e6292906a858a34ab2a2719ff50

Analysis

max time kernel
189s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b14f7ab4407668280e27187531161736715f8e6292906a858a34ab2a2719ff50.exe
Size

42KB
MD5

13c81f6a94a02a7ed7db0d10f7a36b43
SHA1

9c4702cb88a682e27180857801a82adbc034e9d9
SHA256

b14f7ab4407668280e27187531161736715f8e6292906a858a34ab2a2719ff50
SHA512

f5580f580bb6a7ccb9fb720fbaf0f610119f5c1c5d24827084b5b06ce0917aa994da5c79551a4f5748070f381b6a940875de30d7815ffb67d293dc6c48e6ddd7
SSDEEP

768:CNDZ2P194FnpQPn4NSTp5CVqqtWiUCbYBHYRcpoq0mca2Tdv2AjJox:0p64wAVPtWiUCbXFEzwj

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3136	WmInit.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	WmInit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Media = "C:\\Windows\\SysWOW64\\WmInit.exe"	WmInit.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tmp	WmInit.exe
File opened for modification	C:\Windows\SysWOW64\tmp	b14f7ab4407668280e27187531161736715f8e6292906a858a34ab2a2719ff50.exe
File created	C:\Windows\SysWOW64\tmp	b14f7ab4407668280e27187531161736715f8e6292906a858a34ab2a2719ff50.exe
File created	C:\Windows\SysWOW64\WmInit.dat	b14f7ab4407668280e27187531161736715f8e6292906a858a34ab2a2719ff50.exe
File opened for modification	C:\Windows\SysWOW64\WmInit.exe	b14f7ab4407668280e27187531161736715f8e6292906a858a34ab2a2719ff50.exe
File created	C:\Windows\SysWOW64\WmInit.exe	b14f7ab4407668280e27187531161736715f8e6292906a858a34ab2a2719ff50.exe
File opened for modification	C:\Windows\SysWOW64\tmp	WmInit.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 3136	4112	b14f7ab4407668280e27187531161736715f8e6292906a858a34ab2a2719ff50.exe	86
PID 4112 wrote to memory of 3136	4112	b14f7ab4407668280e27187531161736715f8e6292906a858a34ab2a2719ff50.exe	86
PID 4112 wrote to memory of 3136	4112	b14f7ab4407668280e27187531161736715f8e6292906a858a34ab2a2719ff50.exe	86

C:\Users\Admin\AppData\Local\Temp\b14f7ab4407668280e27187531161736715f8e6292906a858a34ab2a2719ff50.exe
"C:\Users\Admin\AppData\Local\Temp\b14f7ab4407668280e27187531161736715f8e6292906a858a34ab2a2719ff50.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\SysWOW64\WmInit.exe
  "C:\Windows\system32\WmInit.exe" "C:\Users\Admin\AppData\Local\Temp\b14f7ab4407668280e27187531161736715f8e6292906a858a34ab2a2719ff50.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:3136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WmInit.dat

Filesize
8B

MD5
2b133f9be580d0fe5c22cb5fa462aba3

SHA1
02ed2584f716cb49d881ea3c52e7f19d14f56087

SHA256
4b393e7ef2e0b4d41a7fd1f9628a38b539931b13f3916c216cacbf5d120f46bf

SHA512
2b7614666fc7eb9d6e3d5ab95458aae350956c468d388cca0bdfd71474f46831c05166d3b7598750c750680b2f3db187511ebd4f2af21b158e7357763ea69bee

Download Submit
C:\Windows\SysWOW64\WmInit.exe

Filesize
33.4MB

MD5
bbb6e0c298f5e241ba8f09971b37c628

SHA1
c16b9dfc2883601e29e0cd6342ba3400390f9d5b

SHA256
d72e6fcc3df0e6c0699ecca6aafe175b15e919f788f648d1718b5bcf5c28a04f

SHA512
b0b73ae7a7da0dafdcc92602911c8ea9ef3e8a92e4a4f0bef555e9851dae20f319f07e4369ac6e86fd9d53974c533f1210bb1d57f1d17eb762aeebf093cddaa8

Download Submit
C:\Windows\SysWOW64\WmInit.exe

Filesize
33.4MB

MD5
bbb6e0c298f5e241ba8f09971b37c628

SHA1
c16b9dfc2883601e29e0cd6342ba3400390f9d5b

SHA256
d72e6fcc3df0e6c0699ecca6aafe175b15e919f788f648d1718b5bcf5c28a04f

SHA512
b0b73ae7a7da0dafdcc92602911c8ea9ef3e8a92e4a4f0bef555e9851dae20f319f07e4369ac6e86fd9d53974c533f1210bb1d57f1d17eb762aeebf093cddaa8

Download Submit
memory/3136-139-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3136-140-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4112-132-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4112-133-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4112-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download