abd5c4b543388dc990ae10306414407786e717e861096dcfe3dbe24df29b32c7

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 07:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

abd5c4b543388dc990ae10306414407786e717e861096dcfe3dbe24df29b32c7.exe
Size

94KB
MD5

4c071304f8f42679cc37f30b9c887ce5
SHA1

9e47739be5761a9a43b576cf1db80fd83871483f
SHA256

abd5c4b543388dc990ae10306414407786e717e861096dcfe3dbe24df29b32c7
SHA512

cec3d45473433b3055cd110c0b719a538913b3a52ec9ce747ccf0258a4a7266ab99b61a88c7b09938ff383baa8f6ec6c83441e04a4d347e2ece171bdd32e1469
SSDEEP

1536:+z8erPJC9O8ziPaArrK6LOhKvgEVPiGmBgZgqGIL/plNgWjzRcBRMxjxT3aud:CPJN8zY9XXOcgqQyWqj7NgWj2B+pxuud

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
240	wmcserv.exe
972	wmcserv.exe

Deletes itself 1 IoCs

pid	Process
240	wmcserv.exe

Loads dropped DLL 2 IoCs

pid	Process
964	abd5c4b543388dc990ae10306414407786e717e861096dcfe3dbe24df29b32c7.exe
964	abd5c4b543388dc990ae10306414407786e717e861096dcfe3dbe24df29b32c7.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	wmcserv.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmcserv.exe	abd5c4b543388dc990ae10306414407786e717e861096dcfe3dbe24df29b32c7.exe
File created	C:\Windows\SysWOW64\wmcserv.exe	abd5c4b543388dc990ae10306414407786e717e861096dcfe3dbe24df29b32c7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
964	abd5c4b543388dc990ae10306414407786e717e861096dcfe3dbe24df29b32c7.exe
964	abd5c4b543388dc990ae10306414407786e717e861096dcfe3dbe24df29b32c7.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe
972	wmcserv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	972	wmcserv.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 240	964	abd5c4b543388dc990ae10306414407786e717e861096dcfe3dbe24df29b32c7.exe	28
PID 964 wrote to memory of 240	964	abd5c4b543388dc990ae10306414407786e717e861096dcfe3dbe24df29b32c7.exe	28
PID 964 wrote to memory of 240	964	abd5c4b543388dc990ae10306414407786e717e861096dcfe3dbe24df29b32c7.exe	28
PID 964 wrote to memory of 240	964	abd5c4b543388dc990ae10306414407786e717e861096dcfe3dbe24df29b32c7.exe	28

C:\Users\Admin\AppData\Local\Temp\abd5c4b543388dc990ae10306414407786e717e861096dcfe3dbe24df29b32c7.exe
"C:\Users\Admin\AppData\Local\Temp\abd5c4b543388dc990ae10306414407786e717e861096dcfe3dbe24df29b32c7.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\SysWOW64\wmcserv.exe
  C:\Windows\system32\wmcserv.exe -d "C:\Users\Admin\AppData\Local\Temp\abd5c4b543388dc990ae10306414407786e717e861096dcfe3dbe24df29b32c7.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  PID:240

C:\Windows\SysWOW64\wmcserv.exe
C:\Windows\SysWOW64\wmcserv.exe -v
1⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Security Software Discovery

T1063

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmcserv.exe

Filesize
94KB

MD5
faf49c0cee0343f3da48b876d57a6531

SHA1
4261f6fa257f1fc6b4afc3a642de1d8458eef584

SHA256
90fb7f818419b7d4ac6e6a8e731638d54567abc3d22fe78d8420b09fb1db9323

SHA512
7ac306572c59d99f24b0ae2f623da88a3c5f7769edba8b3e71308725fdf4c8d41023e399a38beea5256d8fb82fe939f1e299bf28f717cd2e7407110acb341b1b

Download Submit
C:\Windows\SysWOW64\wmcserv.exe

Filesize
94KB

MD5
faf49c0cee0343f3da48b876d57a6531

SHA1
4261f6fa257f1fc6b4afc3a642de1d8458eef584

SHA256
90fb7f818419b7d4ac6e6a8e731638d54567abc3d22fe78d8420b09fb1db9323

SHA512
7ac306572c59d99f24b0ae2f623da88a3c5f7769edba8b3e71308725fdf4c8d41023e399a38beea5256d8fb82fe939f1e299bf28f717cd2e7407110acb341b1b

Download Submit
\Windows\SysWOW64\wmcserv.exe

Filesize
94KB

MD5
faf49c0cee0343f3da48b876d57a6531

SHA1
4261f6fa257f1fc6b4afc3a642de1d8458eef584

SHA256
90fb7f818419b7d4ac6e6a8e731638d54567abc3d22fe78d8420b09fb1db9323

SHA512
7ac306572c59d99f24b0ae2f623da88a3c5f7769edba8b3e71308725fdf4c8d41023e399a38beea5256d8fb82fe939f1e299bf28f717cd2e7407110acb341b1b

Download Submit
\Windows\SysWOW64\wmcserv.exe

Filesize
94KB

MD5
faf49c0cee0343f3da48b876d57a6531

SHA1
4261f6fa257f1fc6b4afc3a642de1d8458eef584

SHA256
90fb7f818419b7d4ac6e6a8e731638d54567abc3d22fe78d8420b09fb1db9323

SHA512
7ac306572c59d99f24b0ae2f623da88a3c5f7769edba8b3e71308725fdf4c8d41023e399a38beea5256d8fb82fe939f1e299bf28f717cd2e7407110acb341b1b

Download Submit