Analysis
-
max time kernel
177s -
max time network
185s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
14/10/2023, 20:42
General
-
Target
wce-universal.exe
-
Size
456KB
-
MD5
be9387bf647993e501c5d78e49bd4ab5
-
SHA1
f0c52cea19c204f5cdbe952cc7cfc182e20d8d43
-
SHA256
c6333c684762ed4b4129c7f9f49c88c33384b66dfb1f100e459ec6f18526dff7
-
SHA512
81cf9c7eda4b5daa2478ed5e27f24c1af7b4193044992d39eeab394eaac9d8915dd5203ea3c28f886b72bbe917adf8eed6826ccc551a91efb158a5e5c657c65a
-
SSDEEP
6144:jtVhpoHvYAtHDyBTEmFcs3FWZgGbTMiz+KvichkRJpLeNcGM0jhfNf7jv3M:jtVhpowIyvGqKvbhkfpLeyG7h1Pv3M
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of UnmapMainImage 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\wce-universal.exe"C:\Users\Admin\AppData\Local\Temp\wce-universal.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2a6daa67-af67-452d-ade4-c5a0ac0cd0da.exe"C:\Users\Admin\AppData\Local\Temp\wce-universal.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\2a6daa67-af67-452d-ade4-c5a0ac0cd0da.exeC:\Users\Admin\AppData\Local\Temp\2a6daa67-af67-452d-ade4-c5a0ac0cd0da.exe -S1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 43b471efd0f1ad4cf534c65ac80bc01c KsjmoxWgoE6KPmoiZNC17g.0.1.0.0.01⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
213KB
MD5605560ca0624aabf9f53675257b9be21
SHA1f90d8e968424b8a62aa5f271f81af86e027b6b5c
SHA2567234c8f98b87593641bbdb594e34c94b9436986c4fb70e7da5bcecff147d14c3
SHA5125f633456fd507ce3017f8b612cfa28041a2afa537a3079d136f2e0b5661cd3e0a77575394de8d05cb6879dcd275ca23643a918a87d925ddd08ba70090103011c
-
Filesize
213KB
MD5605560ca0624aabf9f53675257b9be21
SHA1f90d8e968424b8a62aa5f271f81af86e027b6b5c
SHA2567234c8f98b87593641bbdb594e34c94b9436986c4fb70e7da5bcecff147d14c3
SHA5125f633456fd507ce3017f8b612cfa28041a2afa537a3079d136f2e0b5661cd3e0a77575394de8d05cb6879dcd275ca23643a918a87d925ddd08ba70090103011c
-
Filesize
42KB
MD5a024af6d8e29527a722cb5da2f8ece55
SHA1490984d6848982e37bf1b05a299fc1e52521102a
SHA256f3229244ccc349e3ec843eb6bad547c559fe52795393e949d45170086108237b
SHA5124f18cffba2d118cd6816c30cb50997744948ae585160dbdc649367d5050e17f95548e695dcc1fa0061c651d76dcf6cc0761ccd3dc4cfd6feb444fbe321bf40e1
-
Filesize
42KB
MD5a024af6d8e29527a722cb5da2f8ece55
SHA1490984d6848982e37bf1b05a299fc1e52521102a
SHA256f3229244ccc349e3ec843eb6bad547c559fe52795393e949d45170086108237b
SHA5124f18cffba2d118cd6816c30cb50997744948ae585160dbdc649367d5050e17f95548e695dcc1fa0061c651d76dcf6cc0761ccd3dc4cfd6feb444fbe321bf40e1
-
Filesize
42KB
MD5a024af6d8e29527a722cb5da2f8ece55
SHA1490984d6848982e37bf1b05a299fc1e52521102a
SHA256f3229244ccc349e3ec843eb6bad547c559fe52795393e949d45170086108237b
SHA5124f18cffba2d118cd6816c30cb50997744948ae585160dbdc649367d5050e17f95548e695dcc1fa0061c651d76dcf6cc0761ccd3dc4cfd6feb444fbe321bf40e1
-
Filesize
42KB
MD5a024af6d8e29527a722cb5da2f8ece55
SHA1490984d6848982e37bf1b05a299fc1e52521102a
SHA256f3229244ccc349e3ec843eb6bad547c559fe52795393e949d45170086108237b
SHA5124f18cffba2d118cd6816c30cb50997744948ae585160dbdc649367d5050e17f95548e695dcc1fa0061c651d76dcf6cc0761ccd3dc4cfd6feb444fbe321bf40e1
-
Filesize
42KB
MD5a024af6d8e29527a722cb5da2f8ece55
SHA1490984d6848982e37bf1b05a299fc1e52521102a
SHA256f3229244ccc349e3ec843eb6bad547c559fe52795393e949d45170086108237b
SHA5124f18cffba2d118cd6816c30cb50997744948ae585160dbdc649367d5050e17f95548e695dcc1fa0061c651d76dcf6cc0761ccd3dc4cfd6feb444fbe321bf40e1
-
Filesize
42KB
MD5a024af6d8e29527a722cb5da2f8ece55
SHA1490984d6848982e37bf1b05a299fc1e52521102a
SHA256f3229244ccc349e3ec843eb6bad547c559fe52795393e949d45170086108237b
SHA5124f18cffba2d118cd6816c30cb50997744948ae585160dbdc649367d5050e17f95548e695dcc1fa0061c651d76dcf6cc0761ccd3dc4cfd6feb444fbe321bf40e1
-
Filesize
42KB
MD5a024af6d8e29527a722cb5da2f8ece55
SHA1490984d6848982e37bf1b05a299fc1e52521102a
SHA256f3229244ccc349e3ec843eb6bad547c559fe52795393e949d45170086108237b
SHA5124f18cffba2d118cd6816c30cb50997744948ae585160dbdc649367d5050e17f95548e695dcc1fa0061c651d76dcf6cc0761ccd3dc4cfd6feb444fbe321bf40e1
-
Filesize
42KB
MD5a024af6d8e29527a722cb5da2f8ece55
SHA1490984d6848982e37bf1b05a299fc1e52521102a
SHA256f3229244ccc349e3ec843eb6bad547c559fe52795393e949d45170086108237b
SHA5124f18cffba2d118cd6816c30cb50997744948ae585160dbdc649367d5050e17f95548e695dcc1fa0061c651d76dcf6cc0761ccd3dc4cfd6feb444fbe321bf40e1
-
Filesize
8KB