48004a431e2f576ec828d954b2c8338ffd01bf0cc7cbfc16cf387dc3906cdb46

General

Target

Wordpress All in One Bruteforce [10 macros] v2.15 + Shell Uploader-v1.19.exe
Size

9.0MB
MD5

4abb9e3b64af8861782a9c19dcdb2bee
SHA1

d541a2c251efae73a88b08c260c0dff98cfbc75a
SHA256

39116e9b6746e5a34bdf84444ead68cc578c15ffd44e0abb6c83f507312b2397
SHA512

ccd8e0880a91c7b8f6fa9be03bf8d5167f389b5bff13521b0b5afd7fdd64bdf9d4c5c88c3cab2a01738f786218f5ac24676b354f8156a939fb5ae7220bad82d0
SSDEEP

196608:9DPRS/DV/I1jpjN8o6boJacnW4DUJWNSyRf/ZeoMlWG8Wiq:N54DVA1jv8o6botnW4DrrZ9c5

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation	Wordpress All in One Bruteforce [10 macros] v2.15 + Shell Uploader-v1.19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation	TaskHostManagerService.exe

Executes dropped EXE 3 IoCs

pid	Process
5112	TaskHostManagerService.exe
448	Wordpress All in One Bruteforce [10 macros] v2.15 + Shell Uploader v1.19.exe
4500	Task Windows System.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Task Windows System = "C:\\ProgramData\\Task Windows System\\Task Windows System.exe"	TaskHostManagerService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2304	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3040	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4500	Task Windows System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	TaskHostManagerService.exe
Token: SeDebugPrivilege	4500	Task Windows System.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
448	Wordpress All in One Bruteforce [10 macros] v2.15 + Shell Uploader v1.19.exe
448	Wordpress All in One Bruteforce [10 macros] v2.15 + Shell Uploader v1.19.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 5112	5000	Wordpress All in One Bruteforce [10 macros] v2.15 + Shell Uploader-v1.19.exe	84
PID 5000 wrote to memory of 5112	5000	Wordpress All in One Bruteforce [10 macros] v2.15 + Shell Uploader-v1.19.exe	84
PID 5000 wrote to memory of 448	5000	Wordpress All in One Bruteforce [10 macros] v2.15 + Shell Uploader-v1.19.exe	85
PID 5000 wrote to memory of 448	5000	Wordpress All in One Bruteforce [10 macros] v2.15 + Shell Uploader-v1.19.exe	85
PID 5000 wrote to memory of 448	5000	Wordpress All in One Bruteforce [10 macros] v2.15 + Shell Uploader-v1.19.exe	85
PID 5112 wrote to memory of 3040	5112	TaskHostManagerService.exe	87
PID 5112 wrote to memory of 3040	5112	TaskHostManagerService.exe	87
PID 5112 wrote to memory of 4500	5112	TaskHostManagerService.exe	89
PID 5112 wrote to memory of 4500	5112	TaskHostManagerService.exe	89
PID 5112 wrote to memory of 3656	5112	TaskHostManagerService.exe	90
PID 5112 wrote to memory of 3656	5112	TaskHostManagerService.exe	90
PID 3656 wrote to memory of 2304	3656	cmd.exe	92
PID 3656 wrote to memory of 2304	3656	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\Wordpress All in One Bruteforce [10 macros] v2.15 + Shell Uploader-v1.19.exe
"C:\Users\Admin\AppData\Local\Temp\Wordpress All in One Bruteforce [10 macros] v2.15 + Shell Uploader-v1.19.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\TaskHostManagerService.exe
  "C:\Users\Admin\AppData\Local\Temp\TaskHostManagerService.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Task Windows System /tr "C:\ProgramData\Task Windows System\Task Windows System.exe" /st 07:29 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3040
- - C:\ProgramData\Task Windows System\Task Windows System.exe
    "C:\ProgramData\Task Windows System\Task Windows System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBB03.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\system32\timeout.exe
      timeout 7
      4⤵
      Delays execution with timeout.exe
      PID:2304
- C:\Users\Admin\AppData\Local\Temp\Wordpress All in One Bruteforce [10 macros] v2.15 + Shell Uploader v1.19.exe
  "C:\Users\Admin\AppData\Local\Temp\Wordpress All in One Bruteforce [10 macros] v2.15 + Shell Uploader v1.19.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TaskHostManagerService.exe

Filesize
1.9MB

MD5
221d77b41cc268bb06cb85cc8e6abcd4

SHA1
48994798f0326a33e4fdeafebff86a29a5dcb73e

SHA256
1c7d6a484ccaae18a6ae9e7e59e3f061a36cd4aeb25817ecb9d42fd424268c2f

SHA512
56b2f8b28cfb036b9cb48b07184bcba7b5e99cb2f606ea8e3453b4d577d89df0b5de43208354303e328ae6d9cc2d41378ae96e0f28b7fe52fbcaaed1c65df55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wordpress All in One Bruteforce [10 macros] v2.15 + Shell Uploader v1.19.exe

Filesize
7.0MB

MD5
fe4e80419d88476f62934d9e0a94a2f7

SHA1
80a41cded5587bc0ef8fac5c84deb035a1872818

SHA256
a8174eb9b99d70c5a20452735353f3db9cebaac21ee021baa498fa1cf3ad582c

SHA512
28f801fd02e6227e408c5ad8a0dd6cbeda11b1d26306e187d00f2f2be40539b3d639bf10645334e10bf97cf14829a414285370bc4cd27c4b6a24586d7ba9b8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB03.tmp.bat

Filesize
174B

MD5
61c3b45aa2fdfe69c4e1dbfd5448adde

SHA1
e7593e5515c7bb6dc2f26246a824a2b18054a778

SHA256
c86dbeb138d8bbb84182719de716de4b219690010fd8119d78f14eac1f947fce

SHA512
75613aea49114677271886511f529c9ecd652701b3b59da8a1548b23bc036670a3a9a05cda2c65c910ab21b6a0eb8d3ff10e27f1c84368bbce4308f887da249c

Download Submit
C:\Users\Admin\Desktop\StartResume.txt

Filesize
1.3MB

MD5
3c5fd8966c3b65843626238537fe4843

SHA1
96f03736932f4a5b26ee84b381064a117ad2e092

SHA256
1ca422ce75dd71aac98e30e0575a79501057345b56e9c1f26a1e0b0001a16f45

SHA512
be8124798684527c5e6048435e993b0d7ee822d58afabcaeffb18ba3bcf11c2fb5d3d17be8062c220604de8eaed128f55f46b2d9b89ac25a72afac0a2db7a437

Download Submit
memory/4500-65-0x000001D09B420000-0x000001D09B5C9000-memory.dmp

Filesize
1.7MB

Download
memory/5112-11-0x00007FFBE94E3000-0x00007FFBE94E5000-memory.dmp

Filesize
8KB

Download
memory/5112-15-0x0000023D1D5D0000-0x0000023D1D6B8000-memory.dmp

Filesize
928KB

Download
memory/5112-20-0x00007FFBE94E0000-0x00007FFBE9FA1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-36-0x00007FFBE94E0000-0x00007FFBE9FA1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads