Analysis

  • max time kernel
    143s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-03-2023 02:37

General

  • Target

    fcd3b79189ae954788f278b34a1e1f206b7a4c72362a4b02c311541315bd6aa1.exe

  • Size

    1.2MB

  • MD5

    066e5525cf478886d629c794ce35e416

  • SHA1

    ed3288d83f7a6d3a88f9014a9e8d2705e84a6ae8

  • SHA256

    fcd3b79189ae954788f278b34a1e1f206b7a4c72362a4b02c311541315bd6aa1

  • SHA512

    e8b5149d70a5c899ee7d5981a8ab50ae58d29620616a6407940871a62c9a356bb42b666e6820c21bf7d63383f46102f814b4c344278852e2c5314acce589e2be

  • SSDEEP

    24576:FAOcZ1xr1CYXBqj7/swiKP2cct3K718voN8SWqoypcvdvj:vifBI7/tiKK3I1rhoIcvpj

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 10 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 8 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fcd3b79189ae954788f278b34a1e1f206b7a4c72362a4b02c311541315bd6aa1.exe
    "C:\Users\Admin\AppData\Local\Temp\fcd3b79189ae954788f278b34a1e1f206b7a4c72362a4b02c311541315bd6aa1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /XML C:\tools\WM7Asset\WM7Asset.xml /tn WM7Asset
      2⤵
      • Creates scheduled task(s)
      PID:4788
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Run /TN "WM7Asset"
      2⤵
      PID:4496
  • C:\tools\WM7Asset\WM7LiteGreenForce.exe
    C:\tools\WM7Asset\WM7LiteGreenForce.exe 172.20.125.138 -force
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\Users\Public\wmcAsset_172.20.125.138_Close.exe
      "C:\Users\Public\wmcAsset_172.20.125.138_Close.exe" -ap
      2⤵
      • Modifies firewall policy service
      • Executes dropped EXE
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Windows\System32\cscript.exe
        C:\Windows\System32\cscript.exe "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
        3⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        PID:2464
      • C:\Windows\System32\cscript.exe
        C:\Windows\System32\cscript.exe "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
        3⤵
        • Modifies data under HKEY_USERS
        PID:4680
      • C:\Windows\System32\cscript.exe
        C:\Windows\System32\cscript.exe "C:\Program Files\Microsoft Office\Office15\ospp.vbs" /dstatus
        3⤵
        • Modifies data under HKEY_USERS
        PID:924
      • C:\Windows\System32\cscript.exe
        C:\Windows\System32\cscript.exe "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
        3⤵
        • Modifies data under HKEY_USERS
        PID:4932
      • C:\Windows\System32\cscript.exe
        C:\Windows\System32\cscript.exe "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
        3⤵
        • Modifies data under HKEY_USERS
        PID:2104
      • C:\Windows\System32\cscript.exe
        C:\Windows\System32\cscript.exe "C:\Program Files\Microsoft Office\Office15\ospp.vbs" /dstatus
        3⤵
        PID:4528
      • C:\Windows\System32\cscript.exe
        C:\Windows\System32\cscript.exe "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
        3⤵
        • Modifies data under HKEY_USERS
        PID:2432
      • C:\Windows\System32\cscript.exe
        C:\Windows\System32\cscript.exe "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
        3⤵
        PID:3416
      • C:\Windows\System32\cscript.exe
        C:\Windows\System32\cscript.exe "C:\Program Files\Microsoft Office\Office15\ospp.vbs" /dstatus
        3⤵
        PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    • Scheduled Task (1) T1053
  • Persistence
    • Modify Existing Service (1) T1031
    • Bootkit (1) T1067
    • Scheduled Task (1) T1053
  • Privilege Escalation
    • Scheduled Task (1) T1053
  • Defense Evasion
    • Modify Registry (1) T1112
  • Credential Access
    • Credentials in Files (1) T1081
  • Discovery
    • Query Registry (5) T1012
    • System Information Discovery (4) T1082
    • Peripheral Device Discovery (2) T1120
  • Collection
    • Data from Local System (1) T1005

Downloads

  • C:\Users\Public\Info\PCInfo.opt
    Filesize
    36B
    MD5
    0dec587e6d6039f3811a5db17b1c98a4
    SHA1
    d3f46c386fda9df5f3b92567e8f984a37bbb5648
    SHA256
    1fdb944ea724ea6b2fa9dbcf2631d83e256f96c0e0cc2c6182f8271784f1a88c
    SHA512
    02f7a05a9732f398266ba7bfccbb380016d2c931eeb3f93b678b0d0fff8b61afa5da82cbe646e5e5a4ada93d74362dfe633adf431a637d925ad1638e2a71c102

  • C:\Users\Public\wmcAsset_172.20.125.138_Close.exe
    Filesize
    867KB
    MD5
    478a196a8128a5e787886b0fdd138bf4
    SHA1
    6cf31a6f292e8ac2bbafb0f6c9d457cee1d85679
    SHA256
    f7c1922e79edfe818e1b8edd46fb2c309bfc7a9b0dd4acbab2f3d0936af75570
    SHA512
    05c5256eb2fdfbb133c7320531f445705aab875cb72633111411958acce667a0c393854d5bf0ba58f6bce39dd2d663f169d79311905257525cc9f67de363b154
  • C:\Windows\debug\WM7\Client\wmcAsset_172.20.125.138_Close.exe\20230325.log
    Filesize
    5KB
    MD5
    d7f2687f11866395a9032d9fcfc678cf
    SHA1
    dd17d6bafa419d1a0742e55f6b6c249e67233323
    SHA256
    5264706c24bcaf46aa5bae733aa559980e621e88cbfe76bf097e0df55cd7d9be
    SHA512
    bc8341bb5683d127647768abcc0c2ad70b6cd0f2f6a5f6bacc5b550f3a6eb999d0a3b92c88bc4ff02de7df3172b61d4a2b4e3671d9827e313875a62ae621389c

  • C:\tools\WM7Asset\WM7Asset.xml
    Filesize
    3KB
    MD5
    58fdb5acb103ae00d17e143f2fd7f568
    SHA1
    f0e1063fb2bbc55ec6981ef6ed609915d7568e7f
    SHA256
    93a57f58c753c19030f9e7de60ef15ad4c45e2048719b96c45e7ffaa521e47e1
    SHA512
    ba9e060710b2a91394eab37843b81483f6f045a7cd07ecc79515dd595cfaacf50afbe5f5d720fc0a191e1775128d1ac1e953c536e31741a8492a796598c49f59

  • C:\tools\WM7Asset\WM7LiteGreenForce.exe
    Filesize
    1.1MB
    MD5
    ca8ba1aa38bbc16b47ca0d3a2b3445d2
    SHA1
    3e8f42abf9307c10dfa02606c93ba6f9c596064a
    SHA256
    cfaeb9e70f1a7ca847e669ff0525d8f8ae125c91fc3605ffd724821a6a7f73ca
    SHA512
    67310e105a6188914acd05684b229d9a78f2bbacc03aa371cbc73171cddcd62171ec98b3ee6d088f4c7ee23fed897da98210b6017eaada31075c3fe0f5890a0e