Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/12/2023, 14:01
- Static task: static1
- Behavioral task: behavioral1
- Sample: 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.exe
- Resource: win10v2004-20231130-en
General
- Target: 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.exe
- Size: 6.9MB
- MD5: 3358cb22a9bf87607cb5db3a8e175444
- SHA1: c0e3009eb7785564419fea15a75f17f7e2197122
- SHA256: 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83
- SHA512: 82fe94027da520454b0ad9a96d036a36e45b1a0b42734c706e22ff4169b2258c0d62eced0e1bcf6d1feded9ae75f1ae940f7bcc73a01b161af2b7c1f35180f99
- SSDEEP: 196608:wW0fKLtr95HARqIrmVY8S50UL8Kj8yTwHvWY3Nzj:wtO/hAPmVNyEWeNzj
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid | Process
  5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp
  4520 | wmaconvert.exe
  3060 | wmaconvert.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp
  5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp
  5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp
- Unexpected DNS network traffic destination (3 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 152.89.198.214
  Destination IP | 152.89.198.214
  Destination IP | 194.49.94.194
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (63 IoCs)
  Process for every entry below: 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp
  description | ioc
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-EB612.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-V98D2.tmp
  File created | C:\Program Files (x86)\ConvertWMA\uninstall\is-EBO6K.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-T83LJ.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-L2P0S.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-V35AD.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-LGMDA.tmp
  File opened for modification | C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
  File created | C:\Program Files (x86)\ConvertWMA\stuff\is-MJR0P.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-SNA3D.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-SHCR0.tmp
  File opened for modification | C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-UEB6F.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-OS1EQ.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-8EGLP.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-T7008.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-V20PM.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-KHPHP.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-3SLJT.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-VHGU5.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-ETNKI.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-BOQ41.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-CVT78.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-DUUJE.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-6KLJF.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-V9PRU.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-NV78U.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-F309H.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-DCLLE.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-D01LJ.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-5AFGR.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-24SL9.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-3PSFO.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-F3OD8.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-7VR92.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-VPM5U.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-E6AAT.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-LAVSU.tmp
  File created | C:\Program Files (x86)\ConvertWMA\stuff\is-UJ0CK.tmp
  File created | C:\Program Files (x86)\ConvertWMA\stuff\is-9J75E.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-LFNE9.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-MUPTP.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-NR5OM.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-2JVSP.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-JLUH5.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-5O5SJ.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-ED68M.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-9LG1I.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-09Q3B.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-A5QGL.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-14I5L.tmp
  File created | C:\Program Files (x86)\ConvertWMA\is-ONUFP.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-4FETT.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-6DFM9.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-6E8QO.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\lessmsi\is-F61VF.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-Q5IGH.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-4SDG5.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-0A3DE.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-5VGFC.tmp
  File created | C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat
  File created | C:\Program Files (x86)\ConvertWMA\stuff\is-T50KR.tmp
  File created | C:\Program Files (x86)\ConvertWMA\bin\x86\is-B7U5S.tmp
- Runs net.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 4828 wrote to memory of 5048 | 4828 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.exe | 87
  PID 4828 wrote to memory of 5048 | 4828 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.exe | 87
  PID 4828 wrote to memory of 5048 | 4828 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.exe | 87
  PID 5048 wrote to memory of 2156 | 5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp | 91
  PID 5048 wrote to memory of 2156 | 5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp | 91
  PID 5048 wrote to memory of 2156 | 5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp | 91
  PID 5048 wrote to memory of 4520 | 5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp | 93
  PID 5048 wrote to memory of 4520 | 5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp | 93
  PID 5048 wrote to memory of 4520 | 5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp | 93
  PID 5048 wrote to memory of 3088 | 5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp | 96
  PID 5048 wrote to memory of 3088 | 5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp | 96
  PID 5048 wrote to memory of 3088 | 5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp | 96
  PID 5048 wrote to memory of 3060 | 5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp | 95
  PID 5048 wrote to memory of 3060 | 5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp | 95
  PID 5048 wrote to memory of 3060 | 5048 | 609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp | 95
  PID 3088 wrote to memory of 1628 | 3088 | net.exe | 97
  PID 3088 wrote to memory of 1628 | 3088 | net.exe | 97
  PID 3088 wrote to memory of 1628 | 3088 | net.exe | 97
Processes
- C:\Users\Admin\AppData\Local\Temp\609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 4828
  - C:\Users\Admin\AppData\Local\Temp\is-0PLAM.tmp\609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-0PLAM.tmp\609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp" /SL5="$80170,6973457,68096,C:\Users\Admin\AppData\Local\Temp\609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    PID: 5048
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /Query
      PID: 2156
    - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
      Command line: "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -i
      Signatures: Executes dropped EXE
      PID: 4520
    - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
      Command line: "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -s
      Signatures: Executes dropped EXE
      PID: 3060
    - C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\system32\net.exe" helpmsg 11
      Signatures: Suspicious use of WriteProcessMemory
      PID: 3088
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 helpmsg 11
        PID: 1628
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.6MB
  MD5: 904084c7faa6984b6fdf02634916429a
  SHA1: 88fdf77437f19b7c9d8da30e038930a972563826
  SHA256: 4226d4568e9565f0e7fdde9ee26dea89e2af9b1889fbe6a5597b94847ee79e30
  SHA512: 38c2240049f64e1d7d81cb5349bec7318daf1e55fbfe781158986a759687720618364ba003ed4deba90e12da0cef54d6aa828492c1b402dfc6cde1bf996752ee
- Filesize: 709KB
  MD5: 33eb0ae708e9ed21fd5736231565eb1f
  SHA1: 4e882db8a849b4ba818f74030e65918a6e9d6147
  SHA256: 4fbcc94d5ee98474b12f06da6786cd73e356b10082cff17b6eea9544a922e9b1
  SHA512: bf42f293e83c0acad2eea73ac1e777b29946ab91a808cd0f708a546fff61592e47d962f7c5f8112eb400af62606a86599e443e120b7215079c6cda218e826a5d
- Filesize: 268KB
  MD5: e2f7c1c367cff0d22856b0dcd53652a9
  SHA1: 7090e2b20bd7c0f9a88af15b3f168fe39d1ba243
  SHA256: 5ff0ecfedab42211eeb1f99ecc579edfce527a122c1d7cbc3b4783f820945ab6
  SHA512: 2194872d4fae73e6c854761ddbcc4875e6374d8ea08b7025fa6d68836ca6cfe17d31cd1674873bf05f0ecb55d368349202e8bb92a7498dd682c0355066f868b9
- C:\Users\Admin\AppData\Local\Temp\is-0PLAM.tmp\609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp
  Filesize: 327KB
  MD5: 386a9fa475ba699f3a7eb46ed8a53bcb
  SHA1: afcc76755e3fe8b949ab06b486d0714fb024c4d7
  SHA256: de5e93e13f5a620e29db0352833a98543100b7fd22aeb397ab79c26596265103
  SHA512: 8869faf32e5a314debc5ae6790d8e589de1c21e15a9ddc6ea55b1d359ecb94f154dd90e23a2630b53c713c9eb9057a66e97ec25f9de444b201918364b3f1b1f1
- C:\Users\Admin\AppData\Local\Temp\is-0PLAM.tmp\609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp
  Filesize: 359KB
  MD5: 2056c108ad2c4c88365aff643a6126a1
  SHA1: aa29bee3f3c0bf3af4713e01caa3b65bb5e06ced
  SHA256: 0c719c71f8b7283d02e614e9ab276c5c9ad04696173e23e7bce7f3dde5bf8367
  SHA512: a2570250b5b706e1cfce0b9c3e0a6da656bad9f00138803b2be8b442b45348075462c3a22e1953d0b3ea6795dbed7d5af8b84593b415505187aebfab15dfb85d
- Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
- Filesize: 19KB
  MD5: 3adaa386b671c2df3bae5b39dc093008
  SHA1: 067cf95fbdb922d81db58432c46930f86d23dded
  SHA256: 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38
  SHA512: bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303