f23ca141dc85aa30e52addeee0c57439756abd0c87c1b9aced5f050975a16679

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f23ca141dc85aa30e52addeee0c57439756abd0c87c1b9aced5f050975a16679.exe
Size

55KB
MD5

619abc48626c8d9be0ac0faea915df55
SHA1

7becaddaad71f15f42d812c01c2fa379f48d4f72
SHA256

f23ca141dc85aa30e52addeee0c57439756abd0c87c1b9aced5f050975a16679
SHA512

827d8bb9d0f5870622c8633f3ef696da94fa81eebeec0ee5cdd460adc21efc830a37452134b51e571ebdea38a752dbbe9da47933c1fd25fb89c02db97a03663e
SSDEEP

768:8HHNUNvlrKEFjv4/crI8zhh75OmsQ/J6wM2o2aaeqMDLMbqah8jMJsi2lcPqAGQo:8HmlBj+c1zbvTJkqMD47h8W2lDA5RGI8

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wmitpfs\Parameters\ServiceDll = "%windir%\\system32\\wmitpfs.dll"	f23ca141dc85aa30e52addeee0c57439756abd0c87c1b9aced5f050975a16679.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0008000000005c51-54.dat	vmprotect
behavioral1/files/0x0008000000005c51-56.dat	vmprotect
behavioral1/memory/1720-59-0x0000000071000000-0x0000000071014000-memory.dmp	vmprotect

Deletes itself 1 IoCs

pid	Process
520	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1720	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmitpfs.dll	f23ca141dc85aa30e52addeee0c57439756abd0c87c1b9aced5f050975a16679.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1708	f23ca141dc85aa30e52addeee0c57439756abd0c87c1b9aced5f050975a16679.exe
1720	svchost.exe
1720	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	f23ca141dc85aa30e52addeee0c57439756abd0c87c1b9aced5f050975a16679.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1236	1720	svchost.exe	18
PID 1708 wrote to memory of 520	1708	f23ca141dc85aa30e52addeee0c57439756abd0c87c1b9aced5f050975a16679.exe	28
PID 1708 wrote to memory of 520	1708	f23ca141dc85aa30e52addeee0c57439756abd0c87c1b9aced5f050975a16679.exe	28
PID 1708 wrote to memory of 520	1708	f23ca141dc85aa30e52addeee0c57439756abd0c87c1b9aced5f050975a16679.exe	28
PID 1708 wrote to memory of 520	1708	f23ca141dc85aa30e52addeee0c57439756abd0c87c1b9aced5f050975a16679.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1236
- C:\Users\Admin\AppData\Local\Temp\f23ca141dc85aa30e52addeee0c57439756abd0c87c1b9aced5f050975a16679.exe
  "C:\Users\Admin\AppData\Local\Temp\f23ca141dc85aa30e52addeee0c57439756abd0c87c1b9aced5f050975a16679.exe"
  2⤵
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7088607.bat" "
    3⤵
    - Deletes itself
    PID:520

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k wmitpfs
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7088607.bat

Filesize
239B

MD5
fc4d9f0878308724101f55e5cafe7a3b

SHA1
0f8529a83ec24bab8f39d05ca3bfa80e783d5155

SHA256
870e9273776e214249466c544a9fcae34d9879fe840e43e582194c088403ae76

SHA512
c4fc1e497dd093ad75f5fbb828142ddbfcfed64cf43967bd9bdf2ac40498ecb8717511269bffb28763eafd112a32a26a959394fdb7461cd600e01d7d0a2d6ae7

Download Submit
\??\c:\windows\SysWOW64\wmitpfs.dll

Filesize
59KB

MD5
050650ce6d6def57f5541056b60ed578

SHA1
5131d4a0378e27b5be2966cc7d6a1bbe848bd199

SHA256
310d53ed3988c8d7a334bb243d2c186c71723db44a05831734c05eec176dfef4

SHA512
264c886fe997dd3555665a424430c0f19f196e5d50f8e7b9d58a6b411106eb5ce7605822ce432d5341ca99724e08a03d43b8f1ac53ce72fa9f409c5012b3ae98

Download Submit
\Windows\SysWOW64\wmitpfs.dll

Filesize
59KB

MD5
050650ce6d6def57f5541056b60ed578

SHA1
5131d4a0378e27b5be2966cc7d6a1bbe848bd199

SHA256
310d53ed3988c8d7a334bb243d2c186c71723db44a05831734c05eec176dfef4

SHA512
264c886fe997dd3555665a424430c0f19f196e5d50f8e7b9d58a6b411106eb5ce7605822ce432d5341ca99724e08a03d43b8f1ac53ce72fa9f409c5012b3ae98

Download Submit
memory/520-57-0x0000000000000000-mapping.dmp

Download
memory/1708-55-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1720-59-0x0000000071000000-0x0000000071014000-memory.dmp

Filesize
80KB

Download