Analysis
- max time kernel: 143s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-03-2023 02:37
- Static task: static1
- Behavioral task: behavioral1
  Sample: fcd3b79189ae954788f278b34a1e1f206b7a4c72362a4b02c311541315bd6aa1.exe
  Resource: win7-20230220-en
General
- Target: fcd3b79189ae954788f278b34a1e1f206b7a4c72362a4b02c311541315bd6aa1.exe
- Size: 1.2MB
- MD5: 066e5525cf478886d629c794ce35e416
- SHA1: ed3288d83f7a6d3a88f9014a9e8d2705e84a6ae8
- SHA256: fcd3b79189ae954788f278b34a1e1f206b7a4c72362a4b02c311541315bd6aa1
- SHA512: e8b5149d70a5c899ee7d5981a8ab50ae58d29620616a6407940871a62c9a356bb42b666e6820c21bf7d63383f46102f814b4c344278852e2c5314acce589e2be
- SSDEEP: 24576:FAOcZ1xr1CYXBqj7/swiKP2cct3K718voN8SWqoypcvdvj:vifBI7/tiKK3I1rhoIcvpj
Malware Config
Signatures
-
Modifies firewall policy service (2 TTPs, 10 IoCs)
Processes: wmcAsset_172.20.125.138_Close.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | wmcAsset_172.20.125.138_Close.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | wmcAsset_172.20.125.138_Close.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List | wmcAsset_172.20.125.138_Close.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts | wmcAsset_172.20.125.138_Close.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\8150:TCP = "8150:TCP:*:Enabled:8150" | wmcAsset_172.20.125.138_Close.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List | wmcAsset_172.20.125.138_Close.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts | wmcAsset_172.20.125.138_Close.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | wmcAsset_172.20.125.138_Close.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8150:TCP = "8150:TCP:*:Enabled:8150" | wmcAsset_172.20.125.138_Close.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | wmcAsset_172.20.125.138_Close.exe
-
Blocklisted process makes network request (1 IoCs)
Processes: cscript.exe
flow | pid | process
9 | 2464 | cscript.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: fcd3b79189ae954788f278b34a1e1f206b7a4c72362a4b02c311541315bd6aa1.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | fcd3b79189ae954788f278b34a1e1f206b7a4c72362a4b02c311541315bd6aa1.exe
-
Executes dropped EXE (2 IoCs)
Processes: WM7LiteGreenForce.exe, wmcAsset_172.20.125.138_Close.exe
pid | process
5024 | WM7LiteGreenForce.exe
1768 | wmcAsset_172.20.125.138_Close.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: wmcAsset_172.20.125.138_Close.exe
description | ioc | process
File opened (read-only) | \??\H:, \??\J:, \??\M:, \??\N:, \??\O:, \??\Q:, \??\T:, \??\F:, \??\D:, \??\E:, \??\G:, \??\K:, \??\R:, \??\X:, \??\Z:, \??\A:, \??\L:, \??\P:, \??\S:, \??\U:, \??\I:, \??\V:, \??\W:, \??\Y:, \??\B: (one IoC per drive letter, 25 in total) | wmcAsset_172.20.125.138_Close.exe
-
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: wmcAsset_172.20.125.138_Close.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | wmcAsset_172.20.125.138_Close.exe
-
Drops file in System32 directory (1 IoCs)
Processes: cscript.exe
description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | cscript.exe
-
Drops file in Windows directory (4 IoCs)
Processes: wmcAsset_172.20.125.138_Close.exe
description | ioc | process
File created | C:\Windows\Debug\WM7\Client\wmcAsset_172.20.125.138_Close.exe\LogWriteTest.txt | wmcAsset_172.20.125.138_Close.exe
File opened for modification | C:\Windows\Debug\WM7\Client\wmcAsset_172.20.125.138_Close.exe\20230325.log | wmcAsset_172.20.125.138_Close.exe
File created | C:\Windows\Debug\WM7\Client\wmcAsset_172.20.125.138_Close.exe\20230325.log | wmcAsset_172.20.125.138_Close.exe
File created | C:\Windows\Debug\WM7\SystemDisk.opt | wmcAsset_172.20.125.138_Close.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: wmcAsset_172.20.125.138_Close.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | wmcAsset_172.20.125.138_Close.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | wmcAsset_172.20.125.138_Close.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | wmcAsset_172.20.125.138_Close.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | wmcAsset_172.20.125.138_Close.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | wmcAsset_172.20.125.138_Close.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | wmcAsset_172.20.125.138_Close.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | wmcAsset_172.20.125.138_Close.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | wmcAsset_172.20.125.138_Close.exe
-
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS (64 IoCs)
Processes: cscript.exe (several instances), WM7LiteGreenForce.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates | cscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | WM7LiteGreenForce.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | cscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | cscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | cscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | WM7LiteGreenForce.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | cscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | cscript.exe
-
Suspicious behavior: EnumeratesProcesses (40 IoCs)
Processes: wmcAsset_172.20.125.138_Close.exe
pid | process
1768 | wmcAsset_172.20.125.138_Close.exe (this row is recorded 40 times)
-
Suspicious use of AdjustPrivilegeToken (14 IoCs)
Processes: wmcAsset_172.20.125.138_Close.exe
description | pid | process
Token: SeDebugPrivilege | 1768 | wmcAsset_172.20.125.138_Close.exe (this row is recorded 14 times)
-
Suspicious use of WriteProcessMemory (26 IoCs)
Processes: fcd3b79189ae954788f278b34a1e1f206b7a4c72362a4b02c311541315bd6aa1.exe, WM7LiteGreenForce.exe, wmcAsset_172.20.125.138_Close.exe
description | pid | process | target process | occurrences
PID 1524 wrote to memory of 4788 | 1524 | fcd3b79189ae954788f278b34a1e1f206b7a4c72362a4b02c311541315bd6aa1.exe | schtasks.exe | 3
PID 1524 wrote to memory of 4496 | 1524 | fcd3b79189ae954788f278b34a1e1f206b7a4c72362a4b02c311541315bd6aa1.exe | schtasks.exe | 3
PID 5024 wrote to memory of 1768 | 5024 | WM7LiteGreenForce.exe | wmcAsset_172.20.125.138_Close.exe | 2
PID 1768 wrote to memory of 2464 | 1768 | wmcAsset_172.20.125.138_Close.exe | cscript.exe | 2
PID 1768 wrote to memory of 4680 | 1768 | wmcAsset_172.20.125.138_Close.exe | cscript.exe | 2
PID 1768 wrote to memory of 924 | 1768 | wmcAsset_172.20.125.138_Close.exe | cscript.exe | 2
PID 1768 wrote to memory of 4932 | 1768 | wmcAsset_172.20.125.138_Close.exe | cscript.exe | 2
PID 1768 wrote to memory of 2104 | 1768 | wmcAsset_172.20.125.138_Close.exe | cscript.exe | 2
PID 1768 wrote to memory of 4528 | 1768 | wmcAsset_172.20.125.138_Close.exe | cscript.exe | 2
PID 1768 wrote to memory of 2432 | 1768 | wmcAsset_172.20.125.138_Close.exe | cscript.exe | 2
PID 1768 wrote to memory of 3416 | 1768 | wmcAsset_172.20.125.138_Close.exe | cscript.exe | 2
PID 1768 wrote to memory of 2156 | 1768 | wmcAsset_172.20.125.138_Close.exe | cscript.exe | 2
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\fcd3b79189ae954788f278b34a1e1f206b7a4c72362a4b02c311541315bd6aa1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fcd3b79189ae954788f278b34a1e1f206b7a4c72362a4b02c311541315bd6aa1.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /XML C:\tools\WM7Asset\WM7Asset.xml /tn WM7Asset
    Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Run /TN "WM7Asset"
- C:\tools\WM7Asset\WM7LiteGreenForce.exe
  Command line: C:\tools\WM7Asset\WM7LiteGreenForce.exe 172.20.125.138 -force
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
  - C:\Users\Public\wmcAsset_172.20.125.138_Close.exe
    Command line: "C:\Users\Public\wmcAsset_172.20.125.138_Close.exe" -ap
    Signatures: Modifies firewall policy service; Executes dropped EXE; Enumerates connected drives; Writes to the Master Boot Record (MBR); Drops file in Windows directory; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cscript.exe
      Command line: C:\Windows\System32\cscript.exe "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
      Signatures: Blocklisted process makes network request; Drops file in System32 directory; Modifies data under HKEY_USERS
    - C:\Windows\System32\cscript.exe
      Command line: C:\Windows\System32\cscript.exe "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
      Signatures: Modifies data under HKEY_USERS
    - C:\Windows\System32\cscript.exe
      Command line: C:\Windows\System32\cscript.exe "C:\Program Files\Microsoft Office\Office15\ospp.vbs" /dstatus
      Signatures: Modifies data under HKEY_USERS
    - C:\Windows\System32\cscript.exe
      Command line: C:\Windows\System32\cscript.exe "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
      Signatures: Modifies data under HKEY_USERS
    - C:\Windows\System32\cscript.exe
      Command line: C:\Windows\System32\cscript.exe "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
      Signatures: Modifies data under HKEY_USERS
    - C:\Windows\System32\cscript.exe
      Command line: C:\Windows\System32\cscript.exe "C:\Program Files\Microsoft Office\Office15\ospp.vbs" /dstatus
    - C:\Windows\System32\cscript.exe
      Command line: C:\Windows\System32\cscript.exe "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
      Signatures: Modifies data under HKEY_USERS
    - C:\Windows\System32\cscript.exe
      Command line: C:\Windows\System32\cscript.exe "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
    - C:\Windows\System32\cscript.exe
      Command line: C:\Windows\System32\cscript.exe "C:\Program Files\Microsoft Office\Office15\ospp.vbs" /dstatus
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Info\PCInfo.opt
  Filesize: 36B
  MD5: 0dec587e6d6039f3811a5db17b1c98a4
  SHA1: d3f46c386fda9df5f3b92567e8f984a37bbb5648
  SHA256: 1fdb944ea724ea6b2fa9dbcf2631d83e256f96c0e0cc2c6182f8271784f1a88c
  SHA512: 02f7a05a9732f398266ba7bfccbb380016d2c931eeb3f93b678b0d0fff8b61afa5da82cbe646e5e5a4ada93d74362dfe633adf431a637d925ad1638e2a71c102
- C:\Users\Public\wmcAsset_172.20.125.138_Close.exe
  Filesize: 867KB
  MD5: 478a196a8128a5e787886b0fdd138bf4
  SHA1: 6cf31a6f292e8ac2bbafb0f6c9d457cee1d85679
  SHA256: f7c1922e79edfe818e1b8edd46fb2c309bfc7a9b0dd4acbab2f3d0936af75570
  SHA512: 05c5256eb2fdfbb133c7320531f445705aab875cb72633111411958acce667a0c393854d5bf0ba58f6bce39dd2d663f169d79311905257525cc9f67de363b154
- C:\Windows\debug\WM7\Client\wmcAsset_172.20.125.138_Close.exe\20230325.log
  Filesize: 5KB
  MD5: d7f2687f11866395a9032d9fcfc678cf
  SHA1: dd17d6bafa419d1a0742e55f6b6c249e67233323
  SHA256: 5264706c24bcaf46aa5bae733aa559980e621e88cbfe76bf097e0df55cd7d9be
  SHA512: bc8341bb5683d127647768abcc0c2ad70b6cd0f2f6a5f6bacc5b550f3a6eb999d0a3b92c88bc4ff02de7df3172b61d4a2b4e3671d9827e313875a62ae621389c
- C:\tools\WM7Asset\WM7Asset.xml
  Filesize: 3KB
  MD5: 58fdb5acb103ae00d17e143f2fd7f568
  SHA1: f0e1063fb2bbc55ec6981ef6ed609915d7568e7f
  SHA256: 93a57f58c753c19030f9e7de60ef15ad4c45e2048719b96c45e7ffaa521e47e1
  SHA512: ba9e060710b2a91394eab37843b81483f6f045a7cd07ecc79515dd595cfaacf50afbe5f5d720fc0a191e1775128d1ac1e953c536e31741a8492a796598c49f59
- C:\tools\WM7Asset\WM7LiteGreenForce.exe
  Filesize: 1.1MB
  MD5: ca8ba1aa38bbc16b47ca0d3a2b3445d2
  SHA1: 3e8f42abf9307c10dfa02606c93ba6f9c596064a
  SHA256: cfaeb9e70f1a7ca847e669ff0525d8f8ae125c91fc3605ffd724821a6a7f73ca
  SHA512: 67310e105a6188914acd05684b229d9a78f2bbacc03aa371cbc73171cddcd62171ec98b3ee6d088f4c7ee23fed897da98210b6017eaada31075c3fe0f5890a0e