99368cb88bf1cfdcf8a675219a90f67bea72448add4dd60fb2d8c7cc65da74bb

Analysis

max time kernel
151s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99368cb88bf1cfdcf8a675219a90f67bea72448add4dd60fb2d8c7cc65da74bb.exe
Size

42KB
MD5

45f9232507fb116f828bfe66eac8c3c8
SHA1

a9873f2cc5497841ef73f03ca9168f9add01bba8
SHA256

99368cb88bf1cfdcf8a675219a90f67bea72448add4dd60fb2d8c7cc65da74bb
SHA512

32a5fb152849670783868624ecabf189c0f3ead8dfd4424c158dda0334c15b9014c1ac4dae826e23dfea133ecf4e52ecbcdf317860455bbe8e63b8e4444b66ac
SSDEEP

768:J5DZ2h94FnpQPn4NS5rZmqqtWiUCbYBHYoApq3Okn4s3dvud4Dsox:pp64Y8PtWiUCbefR4erD

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
276	WmInit.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	WmInit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Media = "C:\\Windows\\SysWOW64\\WmInit.exe"	WmInit.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tmp	WmInit.exe
File opened for modification	C:\Windows\SysWOW64\tmp	99368cb88bf1cfdcf8a675219a90f67bea72448add4dd60fb2d8c7cc65da74bb.exe
File created	C:\Windows\SysWOW64\tmp	99368cb88bf1cfdcf8a675219a90f67bea72448add4dd60fb2d8c7cc65da74bb.exe
File created	C:\Windows\SysWOW64\WmInit.dat	99368cb88bf1cfdcf8a675219a90f67bea72448add4dd60fb2d8c7cc65da74bb.exe
File opened for modification	C:\Windows\SysWOW64\WmInit.exe	99368cb88bf1cfdcf8a675219a90f67bea72448add4dd60fb2d8c7cc65da74bb.exe
File created	C:\Windows\SysWOW64\WmInit.exe	99368cb88bf1cfdcf8a675219a90f67bea72448add4dd60fb2d8c7cc65da74bb.exe
File opened for modification	C:\Windows\SysWOW64\tmp	WmInit.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 276	3032	99368cb88bf1cfdcf8a675219a90f67bea72448add4dd60fb2d8c7cc65da74bb.exe	87
PID 3032 wrote to memory of 276	3032	99368cb88bf1cfdcf8a675219a90f67bea72448add4dd60fb2d8c7cc65da74bb.exe	87
PID 3032 wrote to memory of 276	3032	99368cb88bf1cfdcf8a675219a90f67bea72448add4dd60fb2d8c7cc65da74bb.exe	87

C:\Users\Admin\AppData\Local\Temp\99368cb88bf1cfdcf8a675219a90f67bea72448add4dd60fb2d8c7cc65da74bb.exe
"C:\Users\Admin\AppData\Local\Temp\99368cb88bf1cfdcf8a675219a90f67bea72448add4dd60fb2d8c7cc65da74bb.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\WmInit.exe
  "C:\Windows\system32\WmInit.exe" "C:\Users\Admin\AppData\Local\Temp\99368cb88bf1cfdcf8a675219a90f67bea72448add4dd60fb2d8c7cc65da74bb.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WmInit.dat

Filesize
8B

MD5
b916500e1b8f816064ba92b28dd7efec

SHA1
842829f466cf4b49e2c711e7c2102ebcdaf46a7b

SHA256
4bf7a0aecc9137caf9081f1feb22fe1ba0e2e462f07e2085eca3c92535203a77

SHA512
2c7b50b442a7b53a2a56925f463cc3b2044ed3797dedd2b9fcd7e923bbb0dbb236781e145db214402e70bc54f1a46f13d0ac1e084af4bbd1fe0d705b599bae13

Download Submit
C:\Windows\SysWOW64\WmInit.exe

Filesize
33.4MB

MD5
09b5cb10a1ca63ba6f48008775c8ed3d

SHA1
f5f214fb2d28c94eaf02c8160dece0be21febee3

SHA256
0a0bbd5ae66fff689d71d95bebb7f2076890c1a258aa47790d836dadd5f69d7c

SHA512
4477002c977e30b37401c91a961087b0a9a0d507b0cba7ec1928db3d88659f4a6d8cb49ebe79a060a53c1eb7f273e0be994ce74f82166aa2f18ef41d8b923cce

Download Submit
C:\Windows\SysWOW64\WmInit.exe

Filesize
33.4MB

MD5
09b5cb10a1ca63ba6f48008775c8ed3d

SHA1
f5f214fb2d28c94eaf02c8160dece0be21febee3

SHA256
0a0bbd5ae66fff689d71d95bebb7f2076890c1a258aa47790d836dadd5f69d7c

SHA512
4477002c977e30b37401c91a961087b0a9a0d507b0cba7ec1928db3d88659f4a6d8cb49ebe79a060a53c1eb7f273e0be994ce74f82166aa2f18ef41d8b923cce

Download Submit
memory/276-138-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/276-140-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/3032-132-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/3032-133-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/3032-137-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download