54dc4ce676f4f527453c3120ec85d82c9d1dafefb3a21056bc3b9fb4a50714ae

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54dc4ce676f4f527453c3120ec85d82c9d1dafefb3a21056bc3b9fb4a50714ae.exe
Size

280KB
MD5

167ddb2fd7090fd1643f3c53fe392bae
SHA1

47f563d2d5997cb29339a784b42bab6823e18eba
SHA256

54dc4ce676f4f527453c3120ec85d82c9d1dafefb3a21056bc3b9fb4a50714ae
SHA512

fe0f57d826cb916cc096a0920eb2db7716244029a43a37a1e3d55f2a2819c49e3e966cbae5beb3173f516fe7b3e5a39a24f9997d54c91f1fb2b556e918611153
SSDEEP

6144:RXSQ8BCMis1TMrRQwy7eIeCDbCm0ccEOkCybEaQRXr9HNdvOa:RXv8BCLocRZy7eIeybEaOkx2LIa

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\g9Hvg6.sys	wsmprovhost.exe

Executes dropped EXE 2 IoCs

pid	Process
4388	3f35eecc
3904	wsmprovhost.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1484-0-0x00000000000E0000-0x000000000016E000-memory.dmp	upx
behavioral2/files/0x00080000000231c4-2.dat	upx
behavioral2/memory/4388-4-0x0000000000D40000-0x0000000000DCE000-memory.dmp	upx
behavioral2/files/0x00080000000231c4-3.dat	upx
behavioral2/memory/1484-15-0x00000000000E0000-0x000000000016E000-memory.dmp	upx
behavioral2/memory/4388-17-0x0000000000D40000-0x0000000000DCE000-memory.dmp	upx
behavioral2/memory/1484-31-0x00000000000E0000-0x000000000016E000-memory.dmp	upx
behavioral2/memory/4388-33-0x0000000000D40000-0x0000000000DCE000-memory.dmp	upx
behavioral2/memory/4388-39-0x0000000000D40000-0x0000000000DCE000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	3f35eecc
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	3f35eecc
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	3f35eecc
File created	C:\Windows\system32\ \Windows\System32\ugBviSFZ.sys	wsmprovhost.exe
File created	C:\Windows\SysWOW64\3f35eecc	54dc4ce676f4f527453c3120ec85d82c9d1dafefb3a21056bc3b9fb4a50714ae.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	3f35eecc

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\zKn45jyZ.sys	wsmprovhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1280	timeout.exe
2444	timeout.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\Desktop\WindowMetrics\Shell Icon Size = "31"	wsmprovhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\Desktop\WindowMetrics\Shell Icon Size = "32"	wsmprovhost.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	3f35eecc
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	3f35eecc
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	3f35eecc
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	3f35eecc
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	3f35eecc
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	3f35eecc
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	3f35eecc
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	3f35eecc
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	3f35eecc

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4388	3f35eecc
4388	3f35eecc
4388	3f35eecc
4388	3f35eecc
4388	3f35eecc
4388	3f35eecc
4388	3f35eecc
4388	3f35eecc
4388	3f35eecc
4388	3f35eecc
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
4388	3f35eecc
4388	3f35eecc

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3156	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
672	Process not Found
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	54dc4ce676f4f527453c3120ec85d82c9d1dafefb3a21056bc3b9fb4a50714ae.exe
Token: SeTcbPrivilege	1484	54dc4ce676f4f527453c3120ec85d82c9d1dafefb3a21056bc3b9fb4a50714ae.exe
Token: SeDebugPrivilege	4388	3f35eecc
Token: SeTcbPrivilege	4388	3f35eecc
Token: SeDebugPrivilege	4388	3f35eecc
Token: SeDebugPrivilege	3156	Explorer.EXE
Token: SeDebugPrivilege	3156	Explorer.EXE
Token: SeIncBasePriorityPrivilege	1484	54dc4ce676f4f527453c3120ec85d82c9d1dafefb3a21056bc3b9fb4a50714ae.exe
Token: SeDebugPrivilege	4388	3f35eecc
Token: SeDebugPrivilege	3904	wsmprovhost.exe
Token: SeDebugPrivilege	3904	wsmprovhost.exe
Token: SeDebugPrivilege	3904	wsmprovhost.exe
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeIncBasePriorityPrivilege	4388	3f35eecc
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3156	Explorer.EXE
3156	Explorer.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 3156	4388	3f35eecc	41
PID 4388 wrote to memory of 3156	4388	3f35eecc	41
PID 4388 wrote to memory of 3156	4388	3f35eecc	41
PID 4388 wrote to memory of 3156	4388	3f35eecc	41
PID 4388 wrote to memory of 3156	4388	3f35eecc	41
PID 3156 wrote to memory of 3904	3156	Explorer.EXE	84
PID 3156 wrote to memory of 3904	3156	Explorer.EXE	84
PID 3156 wrote to memory of 3904	3156	Explorer.EXE	84
PID 3156 wrote to memory of 3904	3156	Explorer.EXE	84
PID 3156 wrote to memory of 3904	3156	Explorer.EXE	84
PID 3156 wrote to memory of 3904	3156	Explorer.EXE	84
PID 3156 wrote to memory of 3904	3156	Explorer.EXE	84
PID 4388 wrote to memory of 628	4388	3f35eecc	3
PID 4388 wrote to memory of 628	4388	3f35eecc	3
PID 4388 wrote to memory of 628	4388	3f35eecc	3
PID 4388 wrote to memory of 628	4388	3f35eecc	3
PID 4388 wrote to memory of 628	4388	3f35eecc	3
PID 1484 wrote to memory of 1256	1484	54dc4ce676f4f527453c3120ec85d82c9d1dafefb3a21056bc3b9fb4a50714ae.exe	85
PID 1484 wrote to memory of 1256	1484	54dc4ce676f4f527453c3120ec85d82c9d1dafefb3a21056bc3b9fb4a50714ae.exe	85
PID 1484 wrote to memory of 1256	1484	54dc4ce676f4f527453c3120ec85d82c9d1dafefb3a21056bc3b9fb4a50714ae.exe	85
PID 1256 wrote to memory of 1280	1256	cmd.exe	87
PID 1256 wrote to memory of 1280	1256	cmd.exe	87
PID 1256 wrote to memory of 1280	1256	cmd.exe	87
PID 4388 wrote to memory of 4424	4388	3f35eecc	93
PID 4388 wrote to memory of 4424	4388	3f35eecc	93
PID 4388 wrote to memory of 4424	4388	3f35eecc	93
PID 4424 wrote to memory of 2444	4424	cmd.exe	95
PID 4424 wrote to memory of 2444	4424	cmd.exe	95
PID 4424 wrote to memory of 2444	4424	cmd.exe	95

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Users\Admin\AppData\Local\Temp\54dc4ce676f4f527453c3120ec85d82c9d1dafefb3a21056bc3b9fb4a50714ae.exe
  "C:\Users\Admin\AppData\Local\Temp\54dc4ce676f4f527453c3120ec85d82c9d1dafefb3a21056bc3b9fb4a50714ae.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\54dc4ce676f4f527453c3120ec85d82c9d1dafefb3a21056bc3b9fb4a50714ae.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:1280
- C:\ProgramData\wsmprovhost.exe
  "C:\ProgramData\wsmprovhost.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  PID:3904

C:\Windows\Syswow64\3f35eecc
C:\Windows\Syswow64\3f35eecc
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\3f35eecc"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wsmprovhost.exe

Filesize
45KB

MD5
fec31c1be115ba365d9c10a3f5816f58

SHA1
40d93028788ede9f982029518e995b966d0055a4

SHA256
f7938766e9bc8363c4a3ac7b1693446849815eca4e34a240f75c9760151a69b3

SHA512
dffd0a85e9050a544f385cc73695c41f333aa82d43e7761d3ce232ad16e352b709b47749a41120d03ec544aa4d71d83731bcdefd543d9285bb38be74965e874f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ico11ED.exe

Filesize
145KB

MD5
d2a1752df6431ac0b448cc8f25d0b3d4

SHA1
87afaeb38c8bec3278830a470f94ef39726fb26c

SHA256
9f4665e08fbfb72b2317bafa85b9ed9491f7df32dd9d818ca726d6d2ae2d4f35

SHA512
8411240eea9dd8b048da8a8023f87a2e3411ab67e8f2961ca5098b9df7ba27a5d2b31e339bb2d122a18880633dac569bbf3b6061619656a2582fe5fb16293688

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ico2065.tmp

Filesize
183KB

MD5
e00fb9f91bcbbccb56a2455456d2b70a

SHA1
9ad3517db35b63ac08185f395a34980eea5d0840

SHA256
07b1a5e314075499de803a074a431ac7376121412b190c1f2deae5976b55403f

SHA512
ea3c303976e0ad18a0071c8d16570153ad03f257cc3f5bc59ac3ca3d680a18e714f9711938aa0ebba45532fa4a2b43863f6d210a7ef67ce95d576dd5153cdd20

Download Submit
C:\Users\Admin\Desktop\Íæ´«ÆæÇëµãÎÒ.lnk

Filesize
1KB

MD5
3d1a4b75116cdba02ef84b595f0b78e5

SHA1
74a060da26a17e669ed8013a6db857f919ec75a9

SHA256
39817efb2a6603c1efaba20f4cb244121ea2addf078be05080b54a2334e6ef17

SHA512
ac85af7d3ba0b35b66c687a607b00bdabdf62d1be948e8d62514684a445662b3a21bf9163ba803f1ae6ceb6b63df6191270290c5f8f8f0b7509d2c9e4e76c8b9

Download Submit
C:\Windows\SysWOW64\3f35eecc

Filesize
280KB

MD5
cdb9d0ccc46da550c7d8b84dea88d926

SHA1
2a34f49a9a66a47aef4cadfbde42916a1c4e793d

SHA256
1a2a025a748a849b5df168989ec7d03c978d45535d6e23c26de2e306f0e342cf

SHA512
6078f7b0d08cc17c68ca6fbefb1f970276077507eb06d8a3accd79eae0b751480c723a0de6181e058da4ae7ceb6a1505a46eb9166c3a094f4eb1b6c370910ee0

Download Submit
C:\Windows\SysWOW64\3f35eecc

Filesize
280KB

MD5
cdb9d0ccc46da550c7d8b84dea88d926

SHA1
2a34f49a9a66a47aef4cadfbde42916a1c4e793d

SHA256
1a2a025a748a849b5df168989ec7d03c978d45535d6e23c26de2e306f0e342cf

SHA512
6078f7b0d08cc17c68ca6fbefb1f970276077507eb06d8a3accd79eae0b751480c723a0de6181e058da4ae7ceb6a1505a46eb9166c3a094f4eb1b6c370910ee0

Download Submit
memory/628-24-0x0000022871CF0000-0x0000022871D18000-memory.dmp

Filesize
160KB

Download
memory/628-22-0x0000022871CE0000-0x0000022871CE3000-memory.dmp

Filesize
12KB

Download
memory/1484-0-0x00000000000E0000-0x000000000016E000-memory.dmp

Filesize
568KB

Download
memory/1484-15-0x00000000000E0000-0x000000000016E000-memory.dmp

Filesize
568KB

Download
memory/1484-31-0x00000000000E0000-0x000000000016E000-memory.dmp

Filesize
568KB

Download
memory/3156-7-0x0000000000760000-0x0000000000763000-memory.dmp

Filesize
12KB

Download
memory/3156-8-0x00000000084D0000-0x00000000085C7000-memory.dmp

Filesize
988KB

Download
memory/3156-6-0x0000000000760000-0x0000000000763000-memory.dmp

Filesize
12KB

Download
memory/3156-32-0x00000000084D0000-0x00000000085C7000-memory.dmp

Filesize
988KB

Download
memory/3156-5-0x0000000000760000-0x0000000000763000-memory.dmp

Filesize
12KB

Download
memory/3904-13-0x0000014C8AB80000-0x0000014C8AB83000-memory.dmp

Filesize
12KB

Download
memory/3904-40-0x0000014C8C7D0000-0x0000014C8C7D1000-memory.dmp

Filesize
4KB

Download
memory/3904-19-0x0000014C8AEB0000-0x0000014C8AF7B000-memory.dmp

Filesize
812KB

Download
memory/3904-16-0x0000014C8AEB0000-0x0000014C8AF7B000-memory.dmp

Filesize
812KB

Download
memory/3904-56-0x0000014C8C7E0000-0x0000014C8C897000-memory.dmp

Filesize
732KB

Download
memory/3904-34-0x0000014C8AEB0000-0x0000014C8AF7B000-memory.dmp

Filesize
812KB

Download
memory/3904-37-0x00007FF808510000-0x00007FF808520000-memory.dmp

Filesize
64KB

Download
memory/3904-38-0x0000014C8C7B0000-0x0000014C8C7B1000-memory.dmp

Filesize
4KB

Download
memory/3904-18-0x00007FF808510000-0x00007FF808520000-memory.dmp

Filesize
64KB

Download
memory/3904-20-0x0000014C8AC10000-0x0000014C8AC11000-memory.dmp

Filesize
4KB

Download
memory/3904-41-0x0000014C8C7B0000-0x0000014C8C7B1000-memory.dmp

Filesize
4KB

Download
memory/3904-42-0x0000014C8C7D0000-0x0000014C8C7D1000-memory.dmp

Filesize
4KB

Download
memory/3904-43-0x0000014C8C7D0000-0x0000014C8C7D1000-memory.dmp

Filesize
4KB

Download
memory/3904-44-0x0000014C8C7E0000-0x0000014C8C897000-memory.dmp

Filesize
732KB

Download
memory/3904-45-0x0000014C8C7E0000-0x0000014C8C897000-memory.dmp

Filesize
732KB

Download
memory/3904-46-0x0000014C8C7D0000-0x0000014C8C7D1000-memory.dmp

Filesize
4KB

Download
memory/4388-39-0x0000000000D40000-0x0000000000DCE000-memory.dmp

Filesize
568KB

Download
memory/4388-17-0x0000000000D40000-0x0000000000DCE000-memory.dmp

Filesize
568KB

Download
memory/4388-4-0x0000000000D40000-0x0000000000DCE000-memory.dmp

Filesize
568KB

Download
memory/4388-33-0x0000000000D40000-0x0000000000DCE000-memory.dmp

Filesize
568KB

Download