7f2364197aaca32061568b0d7cd544de561fa8a1c2b1a108182e93339701255e

General

Target

1c1438af4015abbd2c0fd288b9fe9e2c.exe
Size

41KB
MD5

1c1438af4015abbd2c0fd288b9fe9e2c
SHA1

647bb162686f44f448e7c0892e63d5583f9612e7
SHA256

7f2364197aaca32061568b0d7cd544de561fa8a1c2b1a108182e93339701255e
SHA512

f0279b1b02e78652b38cae88aa65f1fd7b7c4c26363611323014bd56b1706bfe24725b668462288f6d5ae0b3f32e2dee387537f1961b3e6398ee899a5d646330
SSDEEP

768:dFDZ297K733ZL4OsPDsJOQICmcS7miUCbCB0ZOYirm3V1yoaChDl1F/oKaW7WXJo:oe18OyszIz7miUCbcYomLaoDHRJaW7

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	WmInit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\WmInit.exe = "C:\\Windows\\SysWOW64\\WmInit.exe:*:Enabled:Microsoft Windows Media"	WmInit.exe

Deletes itself 1 IoCs

pid	Process
2256	WmInit.exe

Executes dropped EXE 1 IoCs

pid	Process
2256	WmInit.exe

Loads dropped DLL 2 IoCs

pid	Process
2132	1c1438af4015abbd2c0fd288b9fe9e2c.exe
2132	1c1438af4015abbd2c0fd288b9fe9e2c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Media = "C:\\Windows\\SysWOW64\\WmInit.exe"	WmInit.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tmp	WmInit.exe
File opened for modification	C:\Windows\SysWOW64\tmp	1c1438af4015abbd2c0fd288b9fe9e2c.exe
File created	C:\Windows\SysWOW64\tmp	1c1438af4015abbd2c0fd288b9fe9e2c.exe
File created	C:\Windows\SysWOW64\WmInit.dat	1c1438af4015abbd2c0fd288b9fe9e2c.exe
File opened for modification	C:\Windows\SysWOW64\WmInit.exe	1c1438af4015abbd2c0fd288b9fe9e2c.exe
File created	C:\Windows\SysWOW64\WmInit.exe	1c1438af4015abbd2c0fd288b9fe9e2c.exe
File opened for modification	C:\Windows\SysWOW64\tmp	WmInit.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2256	2132	1c1438af4015abbd2c0fd288b9fe9e2c.exe	27
PID 2132 wrote to memory of 2256	2132	1c1438af4015abbd2c0fd288b9fe9e2c.exe	27
PID 2132 wrote to memory of 2256	2132	1c1438af4015abbd2c0fd288b9fe9e2c.exe	27
PID 2132 wrote to memory of 2256	2132	1c1438af4015abbd2c0fd288b9fe9e2c.exe	27

C:\Users\Admin\AppData\Local\Temp\1c1438af4015abbd2c0fd288b9fe9e2c.exe
"C:\Users\Admin\AppData\Local\Temp\1c1438af4015abbd2c0fd288b9fe9e2c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\WmInit.exe
  "C:\Windows\system32\WmInit.exe" "C:\Users\Admin\AppData\Local\Temp\1c1438af4015abbd2c0fd288b9fe9e2c.exe"
  2⤵
  - Modifies firewall policy service
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WmInit.dat

Filesize
8B

MD5
575240f4c3aa4f0b45d4d3416921c66c

SHA1
c47dcb8f61c7e1c939b5bbb8d6a9f0ba24356bad

SHA256
04b420e53c17b946589990e2d2a96d9713c844f1c24852391be8b2f5e0a3ee9d

SHA512
48b6e8e00e061380bcad8145941689dfe484b0118c5121a2c1977466a187785290e477c0b467753c132032a6f53e053f192c491bc2f677174325713e0d7029fd

Download Submit
C:\Windows\SysWOW64\WmInit.exe

Filesize
327KB

MD5
8f60efcd71343d308e43d7398ff091bc

SHA1
63ddc8f23b358bacf0574eed5239c2cde1bf75cf

SHA256
c57e0f4c07a166d02bffc38c0fb678c6beb0e147243ad0869697e104bcdc7e27

SHA512
3cece0b8b6c65cf0dea021a315a70099e3c614336ae3cd88a4fb9d000e8bfd943f2c8bfa084fd7b77ae87b7075590a6353f9f75fdc3c653aae7d1a07a0448f78

Download Submit
C:\Windows\SysWOW64\WmInit.exe

Filesize
554KB

MD5
bbe64489524cf554784b26fe81d680ca

SHA1
98efb2dccacf2b0b796958d3bdfc2c84c200767d

SHA256
3e1647fc4390e0a534566d35bf6286644c8c6f1415481ca74246624c6410fef9

SHA512
3a52037f47e5ce38ecbf9fccc4edbcb5c1b55b0f74bcb0b52099840c108d9884c4cb1e471eb2cf6fea4b0ddda8fc575fcfbb488fe8801511c51e50a623030d4c

Download Submit
\Windows\SysWOW64\WmInit.exe

Filesize
1.0MB

MD5
5d8f8e02306247896c83da27eaddf281

SHA1
1d4922b9260265e765f86c7a155714a3cbfcfbd6

SHA256
644264de89e0adafd7ad0be40efbea24a8394bade8ceca6290327229492131c3

SHA512
00ac10229b9f3d6058a195a8bd295090c245f29f2289bee6a66a58b267f0d55f21a7a9c47da172fd235da02c78eac4d3a9f2fdcae6e75c40263503072b1ce49b

Download Submit
\Windows\SysWOW64\WmInit.exe

Filesize
524KB

MD5
8016b4ba3c11aa53691de7b63fa200f9

SHA1
3aa5e6da2e7257ff2c1bba152c4150945a466080

SHA256
0aa70663e0a1f0e3d82e08e82ba429f5b9b57238a35d89baea3bdc03ed6191cd

SHA512
c6c824141b5cb532a9dc6e5634c513002a83e778ba61db303fbfb352d9452891ca2c50bff01ca3073c9bf84917ece93c14b88ab4b3073d605f474f8f6816fd2a

Download Submit
memory/2132-2-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2132-11-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2132-1-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2256-12-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2256-14-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2256-16-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2256-18-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2256-20-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2256-22-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2256-23-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2256-25-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads