Analysis
- max time kernel: 159s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 06:58
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe
  Resource: win7-20220812-en
- Behavioral task: behavioral2
  Sample: b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe
  Resource: win10v2004-20221111-en
General
- Target: b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe
- Size: 255KB
- MD5: 45f85a3e733cf2c004b43088103a63d5
- SHA1: c225842823dace2bbd8e9cc1f43a7a18baa7f826
- SHA256: b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15
- SHA512: 03a23c84db84b9a17a1806b20d8198e701a6d1287872aea9b7762ca0095e5baf66a5bd9eca7e2343ac3b92bcefedc33f511b8774b1b83417999c0c3453b57729
- SSDEEP: 3072:1/wQZtZRx5Jx0Lm2U3FEwAXDLXZAXT7xbRk2B:1dv3Umt6XDVAXJRf
Malware Config
- Extracted family: metasploit
- Encoder: encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies firewall policy service (2 TTPs, 8 IoCs)
  Processes: wmpdr64.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | wmpdr64.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | wmpdr64.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications | wmpdr64.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpdr64.exe = "C:\\Windows\\SysWOW64\\wmpdr64.exe:*:Enabled:Windows Media Driver" | wmpdr64.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | wmpdr64.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | wmpdr64.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | wmpdr64.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpdr64.exe = "C:\\Windows\\SysWOW64\\wmpdr64.exe:*:Enabled:Windows Media Driver" | wmpdr64.exe
- Executes dropped EXE (2 IoCs)
  Processes: wmpdr64.exe, wmpdr64.exe
  pid | process
  3116 | wmpdr64.exe
  4808 | wmpdr64.exe
- Yara rule matches on memory dumps
  resource | yara_rule
  behavioral2/memory/1456-133-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/1456-135-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/1456-136-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/1456-137-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/1456-138-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/1456-142-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/4808-149-0x0000000000400000-0x0000000000464000-memory.dmp | upx
  behavioral2/memory/4808-150-0x0000000000400000-0x0000000000464000-memory.dmp | upx
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wmpdr64.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | wmpdr64.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Media Driver = "C:\\Windows\\SysWOW64\\wmpdr64.exe" | wmpdr64.exe
- Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe, wmpdr64.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpdr64.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpdr64.exe
- Drops file in System32 directory (5 IoCs)
  Processes: wmpdr64.exe, b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\ | wmpdr64.exe
  File opened for modification | C:\Windows\SysWOW64\wmpdr64.exe | wmpdr64.exe
  File opened for modification | C:\Windows\SysWOW64\ | b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe
  File opened for modification | C:\Windows\SysWOW64\wmpdr64.exe | b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe
  File created | C:\Windows\SysWOW64\wmpdr64.exe | b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe, wmpdr64.exe
  description | pid | process | target process
  PID 4680 set thread context of 1456 | 4680 | b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe | b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe
  PID 3116 set thread context of 4808 | 3116 | wmpdr64.exe | wmpdr64.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes: b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe, wmpdr64.exe
  pid | process
  1456 | b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe (4 identical entries)
  4808 | wmpdr64.exe (8 identical entries)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe, b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe, wmpdr64.exe, wmpdr64.exe
  description | pid | process | target process
  PID 4680 wrote to memory of 1456 | 4680 | b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe | b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe (8 identical entries)
  PID 1456 wrote to memory of 3116 | 1456 | b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe | wmpdr64.exe (3 identical entries)
  PID 3116 wrote to memory of 4808 | 3116 | wmpdr64.exe | wmpdr64.exe (8 identical entries)
  PID 4808 wrote to memory of 2628 | 4808 | wmpdr64.exe | Explorer.EXE (2 identical entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe"
    Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15.exe"
      Signatures:
      - Checks computer location settings
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wmpdr64.exe
        Command line: "C:\Windows\SysWOW64\wmpdr64.exe" C:\Users\Admin\AppData\Local\Temp\B47E29~1.EXE
        Signatures:
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\wmpdr64.exe
          Command line: "C:\Windows\SysWOW64\wmpdr64.exe" C:\Users\Admin\AppData\Local\Temp\B47E29~1.EXE
          Signatures:
          - Modifies firewall policy service
          - Executes dropped EXE
          - Adds Run key to start application
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\wmpdr64.exe (listed three times in the report with identical hashes, matching the submitted sample)
  Filesize: 255KB
  MD5: 45f85a3e733cf2c004b43088103a63d5
  SHA1: c225842823dace2bbd8e9cc1f43a7a18baa7f826
  SHA256: b47e29f6b76061bec34bfdc67d6ffafbb8b25c5a97c027e23bedb36b7d10ee15
  SHA512: 03a23c84db84b9a17a1806b20d8198e701a6d1287872aea9b7762ca0095e5baf66a5bd9eca7e2343ac3b92bcefedc33f511b8774b1b83417999c0c3453b57729
- memory/1456-142-0x0000000000400000-0x0000000000464000-memory.dmp (Filesize: 400KB)
- memory/1456-137-0x0000000000400000-0x0000000000464000-memory.dmp (Filesize: 400KB)
- memory/1456-138-0x0000000000400000-0x0000000000464000-memory.dmp (Filesize: 400KB)
- memory/1456-136-0x0000000000400000-0x0000000000464000-memory.dmp (Filesize: 400KB)
- memory/1456-135-0x0000000000400000-0x0000000000464000-memory.dmp (Filesize: 400KB)
- memory/1456-132-0x0000000000000000-mapping.dmp
- memory/1456-133-0x0000000000400000-0x0000000000464000-memory.dmp (Filesize: 400KB)
- memory/3116-139-0x0000000000000000-mapping.dmp
- memory/4808-143-0x0000000000000000-mapping.dmp
- memory/4808-149-0x0000000000400000-0x0000000000464000-memory.dmp (Filesize: 400KB)
- memory/4808-150-0x0000000000400000-0x0000000000464000-memory.dmp (Filesize: 400KB)