Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/01/2024, 12:12
Static task: static1
Behavioral task: behavioral1
- Sample: 6d47b57641c1a77dfee5936f57acd3a5.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 6d47b57641c1a77dfee5936f57acd3a5.exe
- Resource: win10v2004-20231215-en
General
- Target: 6d47b57641c1a77dfee5936f57acd3a5.exe
- Size: 192KB
- MD5: 6d47b57641c1a77dfee5936f57acd3a5
- SHA1: 0b18c34470f2bf4a842682d6ed4b8842e275b89f
- SHA256: 85057d4de7a020aa015e2ffec53288027ce475e3df426e462bb7beffbab91ca6
- SHA512: d593236dcab8d2e38c20c05621f12374ec7033108778f687a46204630bf92ebccd320d8cab27cbb1dab8c281ff5b675f14500345289178a5f7bb2182d0d6d485
- SSDEEP: 3072:JpLBJINfkw8GlYsWJYmi1uUF0HprVtWKBMR7PlPB2:JZ812WOph/MRT58
Malware Config
Extracted
- metasploit
- encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies firewall policy service (2 TTPs, 8 IoCs)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (wmpdb32.exe)
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpdb32.exe = "C:\\Windows\\SysWOW64\\wmpdb32.exe:*:Enabled:Windows Database Service" (wmpdb32.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List (wmpdb32.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile (wmpdb32.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications (wmpdb32.exe)
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpdb32.exe = "C:\\Windows\\SysWOW64\\wmpdb32.exe:*:Enabled:Windows Database Service" (wmpdb32.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (wmpdb32.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (wmpdb32.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation (6d47b57641c1a77dfee5936f57acd3a5.exe)
- Deletes itself (1 IoC)
  - PID 332 (wmpdb32.exe)
- Executes dropped EXE (2 IoCs)
  - PID 1408 (wmpdb32.exe)
  - PID 332 (wmpdb32.exe)
- Yara rule match (rule: upx)
  - behavioral2/memory/3472-0-0x0000000000400000-0x0000000000458000-memory.dmp
  - behavioral2/memory/3472-2-0x0000000000400000-0x0000000000458000-memory.dmp
  - behavioral2/memory/3472-3-0x0000000000400000-0x0000000000458000-memory.dmp
  - behavioral2/memory/3472-4-0x0000000000400000-0x0000000000458000-memory.dmp
  - behavioral2/memory/3472-38-0x0000000000400000-0x0000000000458000-memory.dmp
  - behavioral2/memory/332-45-0x0000000000400000-0x0000000000458000-memory.dmp
  - behavioral2/memory/332-46-0x0000000000400000-0x0000000000458000-memory.dmp
  - behavioral2/memory/332-47-0x0000000000400000-0x0000000000458000-memory.dmp
  - behavioral2/memory/332-48-0x0000000000400000-0x0000000000458000-memory.dmp
  - behavioral2/memory/332-49-0x0000000000400000-0x0000000000458000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Database Service = "C:\\Windows\\SysWOW64\\wmpdb32.exe" (wmpdb32.exe)
- Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (6d47b57641c1a77dfee5936f57acd3a5.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (6d47b57641c1a77dfee5936f57acd3a5.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (wmpdb32.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (wmpdb32.exe)
- Drops file in System32 directory (4 IoCs)
  - File created: C:\Windows\SysWOW64\wmpdb32.exe (6d47b57641c1a77dfee5936f57acd3a5.exe)
  - File opened for modification: C:\Windows\SysWOW64\ (wmpdb32.exe)
  - File opened for modification: C:\Windows\SysWOW64\ (6d47b57641c1a77dfee5936f57acd3a5.exe)
  - File opened for modification: C:\Windows\SysWOW64\wmpdb32.exe (6d47b57641c1a77dfee5936f57acd3a5.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 876 (6d47b57641c1a77dfee5936f57acd3a5.exe) set thread context of 3472 (procid_target 87)
  - PID 1408 (wmpdb32.exe) set thread context of 332 (procid_target 98)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (6d47b57641c1a77dfee5936f57acd3a5.exe)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  - PID 3472 (6d47b57641c1a77dfee5936f57acd3a5.exe), 4 events
  - PID 332 (wmpdb32.exe), 6 events
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 332 (wmpdb32.exe)
- Suspicious use of WriteProcessMemory (64 IoCs)
  - PID 876 (6d47b57641c1a77dfee5936f57acd3a5.exe) wrote to memory of 3472 (procid_target 87), 7 events
  - PID 3472 (6d47b57641c1a77dfee5936f57acd3a5.exe) wrote to memory of 1408 (procid_target 97), 3 events
  - PID 1408 (wmpdb32.exe) wrote to memory of 332 (procid_target 98), 7 events
  - PID 332 (wmpdb32.exe) wrote to memory of 604 (procid_target 3), 3 events
  - PID 332 (wmpdb32.exe) wrote to memory of each of the following, one event each (target PID / procid_target): 800/8, 796/9, 812/10, 920/11, 976/15, 408/12, 448/14, 732/13, 972/16, 1088/22, 1096/21, 1132/20, 1160/19, 1180/17, 1264/18, 1276/23, 1332/24, 1440/25, 1452/27, 1480/26, 1544/28, 1628/29, 1648/30, 1732/31, 1812/32, 1836/33, 1972/34, 1980/35, 1992/36, 1028/37, 1712/38, 2140/39, 2160/40, 2248/41, 2312/42, 2436/43, 2444/44, 2568/45, 2584/46, 2604/47, 2612/48, 2676/83, 2948/82, 3016/81
Processes
- PID 604: C:\Windows\system32\winlogon.exe  cmd: winlogon.exe
  - PID 800: C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"
  - PID 408: C:\Windows\system32\dwm.exe  cmd: "dwm.exe"
- PID 796: C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"
- PID 812: C:\Windows\system32\svchost.exe -k DcomLaunch -p
  - PID 3992: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - PID 1232: C:\Windows\system32\wbem\wmiprvse.exe
  - PID 1196: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - PID 696: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  - PID 4716: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - PID 4680: C:\Windows\system32\SppExtComObj.exe -Embedding
  - PID 4252: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - PID 4084: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - PID 3884: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - PID 3788: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - PID 2948: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  - PID 3620: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - PID 1664: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - PID 1588: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - PID 4560: C:\Windows\System32\mousocoreworker.exe -Embedding
- PID 920: C:\Windows\system32\svchost.exe -k RPCSS -p
- PID 732: C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
- PID 448: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- PID 976: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- PID 972: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- PID 1180: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- PID 1264: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- PID 1160: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
- PID 1132: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - PID 2596: C:\Windows\system32\taskhostw.exe  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 1096: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- PID 1088: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- PID 1276: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- PID 1332: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- PID 1440: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- PID 1480: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - PID 3016: C:\Windows\system32\sihost.exe  cmd: sihost.exe
- PID 1452: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- PID 1544: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- PID 1628: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- PID 1648: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- PID 1732: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- PID 1812: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- PID 1836: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 1972: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 1980: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- PID 1992: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- PID 1028: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- PID 1712: C:\Windows\System32\spoolsv.exe
- PID 2140: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
- PID 2160: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- PID 2248: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- PID 2312: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- PID 2436: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- PID 2444: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- PID 2568: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- PID 2584: C:\Windows\sysmon.exe
- PID 2604: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- PID 2612: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- PID 3380: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- PID 2692: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
- PID 2336: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
- PID 2012: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- PID 2808: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe  cmd: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- PID 2384: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- PID 2724: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- PID 5044: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- PID 3608: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3460: C:\Windows\Explorer.EXE
  - PID 876: C:\Users\Admin\AppData\Local\Temp\6d47b57641c1a77dfee5936f57acd3a5.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\6d47b57641c1a77dfee5936f57acd3a5.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - PID 3472: C:\Users\Admin\AppData\Local\Temp\6d47b57641c1a77dfee5936f57acd3a5.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\6d47b57641c1a77dfee5936f57acd3a5.exe"
      signatures: Checks computer location settings; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - PID 1408: C:\Windows\SysWOW64\wmpdb32.exe  cmd: "C:\Windows\SysWOW64\wmpdb32.exe" C:\Users\Admin\AppData\Local\Temp\6D47B5~1.EXE
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
        - PID 332: C:\Windows\SysWOW64\wmpdb32.exe  cmd: "C:\Windows\SysWOW64\wmpdb32.exe" C:\Users\Admin\AppData\Local\Temp\6D47B5~1.EXE
          signatures: Modifies firewall policy service; Deletes itself; Executes dropped EXE; Adds Run key to start application; Maps connected drives based on registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- PID 784: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- PID 3064: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 2676: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- PID 3188: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- PID 1204: C:\Windows\servicing\TrustedInstaller.exe
- PID 636: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)