e4080d9b288566a81d2e7c9c0d22311d02bb4e5f65f720b93b797f39186cd3cb

General

Target

06e6c6ef2f9e63c876441a6d32e2e100N.exe
Size

4.4MB
MD5

06e6c6ef2f9e63c876441a6d32e2e100
SHA1

3e83a36c8ccc6e27d8caffe1a5328079908947f5
SHA256

e4080d9b288566a81d2e7c9c0d22311d02bb4e5f65f720b93b797f39186cd3cb
SHA512

581625df1f7b4aebc4ab2649c0f4e7ae3c3c8485c141bd2d1fdf15661283d0320c52ba5e50167bbdf520533e54c04474078b8fbb0795ecd75299a649ff402546
SSDEEP

49152:cwVJ/qUQ5F5EexZD63Wb5wSSnebipRCoBRI17fMt6v77/lClNiuHL1jGgJ6OLCSh:3/257I6GnaipRT/md77AlDL1XsOXAyLt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1940	wmpscfgs.exe
2796	wmpscfgs.exe
3692	msedge.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	06e6c6ef2f9e63c876441a6d32e2e100N.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4580	06e6c6ef2f9e63c876441a6d32e2e100N.exe
4580	06e6c6ef2f9e63c876441a6d32e2e100N.exe
1940	wmpscfgs.exe
2796	wmpscfgs.exe
1940	wmpscfgs.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\microsoft\edge\application\msedge.exe	06e6c6ef2f9e63c876441a6d32e2e100N.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	06e6c6ef2f9e63c876441a6d32e2e100N.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	06e6c6ef2f9e63c876441a6d32e2e100N.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	06e6c6ef2f9e63c876441a6d32e2e100N.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3864	2796	WerFault.exe	98
1120	1940	WerFault.exe	97
3284	2796	WerFault.exe	98
4148	1940	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06e6c6ef2f9e63c876441a6d32e2e100N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4580	06e6c6ef2f9e63c876441a6d32e2e100N.exe
4580	06e6c6ef2f9e63c876441a6d32e2e100N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4580	06e6c6ef2f9e63c876441a6d32e2e100N.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4580	06e6c6ef2f9e63c876441a6d32e2e100N.exe
1940	wmpscfgs.exe
2796	wmpscfgs.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 1940	4580	06e6c6ef2f9e63c876441a6d32e2e100N.exe	97
PID 4580 wrote to memory of 1940	4580	06e6c6ef2f9e63c876441a6d32e2e100N.exe	97
PID 4580 wrote to memory of 1940	4580	06e6c6ef2f9e63c876441a6d32e2e100N.exe	97
PID 4580 wrote to memory of 2796	4580	06e6c6ef2f9e63c876441a6d32e2e100N.exe	98
PID 4580 wrote to memory of 2796	4580	06e6c6ef2f9e63c876441a6d32e2e100N.exe	98
PID 4580 wrote to memory of 2796	4580	06e6c6ef2f9e63c876441a6d32e2e100N.exe	98

C:\Users\Admin\AppData\Local\Temp\06e6c6ef2f9e63c876441a6d32e2e100N.exe
"C:\Users\Admin\AppData\Local\Temp\06e6c6ef2f9e63c876441a6d32e2e100N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4580
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 460
    3⤵
    - Program crash
    PID:1120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 460
    3⤵
    - Program crash
    PID:4148
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 624
    3⤵
    - Program crash
    PID:3864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 624
    3⤵
    - Program crash
    PID:3284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1040,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=1440 /prefetch:8
1⤵
- Executes dropped EXE
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2796 -ip 2796
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1940 -ip 1940
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2796 -ip 2796
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1940 -ip 1940
1⤵
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
4.4MB

MD5
9e0eec1ff4535312dc5b876197286d46

SHA1
3f7f72a2b4b5ce5200e010ecf763037b85bf9bfd

SHA256
9adf34c30e7ea2c9bbd7a871857bf527e8158d5e2c5a70d05a16d4c87ce6ebb2

SHA512
c3e160aacef533174ddf5297fa5e8693f36bc10ec9e839936d891e5da16f3171026f5114e72bb9e3efd6e03600a8be961d9ea5bb143d34efcd041f49a3e0283f

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
4.4MB

MD5
e4c2aff191ff4965245271f984113001

SHA1
730776266e7b93f14859dad18380d3d5d084a0a9

SHA256
b1cb86c8257c971439c88fc2133561930f06f0d67508b583503fac1da012e3d5

SHA512
cfef3b9c6ad47da3ac88c4cd476bf0396a97460cd662364604e0f42102257dd9adff9bb92e8783498c90469a0b5b4fbf2669420bd31fec49af4f2d738c884d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
4.4MB

MD5
085e89014766e2f3628f3f5861ea057e

SHA1
cb5fe21762c3e09e23f48bf7c4fc09a0ce220211

SHA256
0d76fd5468135df4e9b92a939048624e9e35b7c5d4724bebbf21088feee25448

SHA512
72243df06fde2b3783dfebe9bbaf6429bc60ba03597c7cd32eada99800744b195b41404a17da62d665a1650d78e5b8671096766ca8e79d3056d04fd78aaac707

Download Submit
memory/1940-16-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1940-26-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1940-25-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1940-19-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2796-20-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2796-23-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2796-24-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4580-17-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4580-0-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/4580-14-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/4580-2-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4580-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads