47ba30f21cb191390ccbd1eda0ffadf06a153401fb8c30450de3b8274ab631d6

Analysis

max time kernel
171s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4663d3377db0aac35daaa69048f37778.exe
Size

240KB
MD5

4663d3377db0aac35daaa69048f37778
SHA1

485956e49e4fa055c86543aa0c5dc2a6cfb8bfef
SHA256

47ba30f21cb191390ccbd1eda0ffadf06a153401fb8c30450de3b8274ab631d6
SHA512

c555c6d4dac833e4318b11be0533856820677f1092a79daf8c7c74f7779b4a87591dde3d90f20b87cde78cafda715cf4d733417b5e7fb69d89446b47ddb6dcb4
SSDEEP

6144:JUX3dwqsNweTAB0EqxF6snji81RUinKchhtrSf:sdQ5JDmf

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4663d3377db0aac35daaa69048f37778.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wmwir.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	wmwir.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	4663d3377db0aac35daaa69048f37778.exe
2732	4663d3377db0aac35daaa69048f37778.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /o"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /e"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /x"	4663d3377db0aac35daaa69048f37778.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /l"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /m"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /d"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /v"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /z"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /f"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /q"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /p"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /y"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /x"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /r"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /k"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /h"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /i"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /b"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /w"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /c"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /n"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /t"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /j"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /s"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /a"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /u"	wmwir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwir = "C:\\Users\\Admin\\wmwir.exe /g"	wmwir.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2732	4663d3377db0aac35daaa69048f37778.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe
2688	wmwir.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2732	4663d3377db0aac35daaa69048f37778.exe
2688	wmwir.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2688	2732	4663d3377db0aac35daaa69048f37778.exe	30
PID 2732 wrote to memory of 2688	2732	4663d3377db0aac35daaa69048f37778.exe	30
PID 2732 wrote to memory of 2688	2732	4663d3377db0aac35daaa69048f37778.exe	30
PID 2732 wrote to memory of 2688	2732	4663d3377db0aac35daaa69048f37778.exe	30

C:\Users\Admin\AppData\Local\Temp\4663d3377db0aac35daaa69048f37778.exe
"C:\Users\Admin\AppData\Local\Temp\4663d3377db0aac35daaa69048f37778.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\wmwir.exe
  "C:\Users\Admin\wmwir.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\wmwir.exe

Filesize
240KB

MD5
3420674014358bb3a0936a5a8fb59839

SHA1
1b3113d541630d8e96b4485e9cf3a8ccebf0de3d

SHA256
dc2bd6130f6e2f1a164893b48d8ca53a6f5bed55ad46ae018b1bffa1f94ee040

SHA512
1289552702ccfecacf4a3b0fd0e8b5f90a1b8ea70295a1585c3ec55095ee0a937d3c2cf2be5ce8ca832372fa0abfdb3caaea3fc6f12448ac6a2fd08c7ec5d792

Download Submit