f3e50a9655e56058c63e0a403297c7edbef3e85e82b55758407a8033c72c4c93

General

Target

68a0b0d4db32db7b27d9a37b46f270e0N.exe
Size

3.8MB
MD5

68a0b0d4db32db7b27d9a37b46f270e0
SHA1

377d7e0e7c840d58bb020ca57f9dde83e3bab3c6
SHA256

f3e50a9655e56058c63e0a403297c7edbef3e85e82b55758407a8033c72c4c93
SHA512

fcf45553d1948deeaf56c777fddbc0a3a95dd4ec583d536cd8a0d8f7b2e5ab658717e7e9ae002357658e56a67f66746d998287d956553b1802adb78764b8340f
SSDEEP

49152:cwVJ/qUQ5F5EexZD63Wb5wSSnebipRCoBRI17fMt6v77/lClNiuHL1jGgJ6OLCSI:3/257I6GnaipRT/md77AlDL1XsO8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3640	wmpscfgs.exe
4156	wmpscfgs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	68a0b0d4db32db7b27d9a37b46f270e0N.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1076	68a0b0d4db32db7b27d9a37b46f270e0N.exe
3640	wmpscfgs.exe
3640	wmpscfgs.exe
4156	wmpscfgs.exe
4156	wmpscfgs.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	68a0b0d4db32db7b27d9a37b46f270e0N.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	68a0b0d4db32db7b27d9a37b46f270e0N.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	68a0b0d4db32db7b27d9a37b46f270e0N.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3664	4156	WerFault.exe	88
4940	3640	WerFault.exe	87
3248	3640	WerFault.exe	87
3668	4156	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1076	68a0b0d4db32db7b27d9a37b46f270e0N.exe
1076	68a0b0d4db32db7b27d9a37b46f270e0N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1076	68a0b0d4db32db7b27d9a37b46f270e0N.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1076	68a0b0d4db32db7b27d9a37b46f270e0N.exe
3640	wmpscfgs.exe
4156	wmpscfgs.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 3640	1076	68a0b0d4db32db7b27d9a37b46f270e0N.exe	87
PID 1076 wrote to memory of 3640	1076	68a0b0d4db32db7b27d9a37b46f270e0N.exe	87
PID 1076 wrote to memory of 3640	1076	68a0b0d4db32db7b27d9a37b46f270e0N.exe	87
PID 1076 wrote to memory of 4156	1076	68a0b0d4db32db7b27d9a37b46f270e0N.exe	88
PID 1076 wrote to memory of 4156	1076	68a0b0d4db32db7b27d9a37b46f270e0N.exe	88
PID 1076 wrote to memory of 4156	1076	68a0b0d4db32db7b27d9a37b46f270e0N.exe	88

C:\Users\Admin\AppData\Local\Temp\68a0b0d4db32db7b27d9a37b46f270e0N.exe
"C:\Users\Admin\AppData\Local\Temp\68a0b0d4db32db7b27d9a37b46f270e0N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1076
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:3640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 452
    3⤵
    - Program crash
    PID:4940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 452
    3⤵
    - Program crash
    PID:3248
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:4156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 452
    3⤵
    - Program crash
    PID:3664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 452
    3⤵
    - Program crash
    PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4156 -ip 4156
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3640 -ip 3640
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3640 -ip 3640
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4156 -ip 4156
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
3.8MB

MD5
fd4f2b4b646e64f7b451f3e9417f7171

SHA1
e80a35abe3872b5e104330bf2aaf9b2951510d00

SHA256
7b197f7e6ebe8ed395a799d3ec983ce4b6571a0e1e85268fc9975da200a8b14e

SHA512
d071162e1c8a3574afb40dc69a50f1f55924c76c876fdfaa6733b18f3230f8be36fd9588186f7ec022ec3a1cf1ffc89e3de6654691b33ea73d06d546fd061075

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
3.8MB

MD5
e99beb4ec6063b93b20e837f826c0ead

SHA1
65cae2ae0a0d925776a7e2b494cb3915bd44f014

SHA256
09a30201766865dba6413fa73c94c193ab008e0fee1413a867a5355b2b3258d1

SHA512
239abfe99bd16b2001b88cf4dfbffaab5af99a75a22793bad134c08c574becc0893f8e032c1fe8f70a6f55b7a9f88e12521897a45c2875f95d7b53eee9644f24

Download Submit
memory/1076-16-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1076-2-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1076-15-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1076-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1076-0-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/3640-13-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/3640-18-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/3640-21-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/3640-22-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4156-19-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4156-24-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads