Analysis
-
max time kernel
96s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
01-10-2024 01:46
Behavioral task
behavioral1
Sample
MIS.exe
Resource
win7-20240708-en
General
-
Target
MIS.exe
-
Size
202KB
-
MD5
77a6bdfb5bbcb7946fe9b601afcc39e7
-
SHA1
f1d08b43eb1936922f4999b789f37b7124ec630c
-
SHA256
64ce422b18dfaf9ca531f509ed4d05a47433e9ff468de8cfda06fb3bc85f80a4
-
SHA512
ac02ce92fb3c820b6b1e58be26762a6ba976a6a69523898df942a794cb4abb1dbc667454bc0aea7e9c597ee1ce05e4e6fb6bdb9a6b226a512c0d92f0fa59b9ba
-
SSDEEP
3072:QzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIrccsD6RA5E3bKKiCf3e0kYrOd:QLV6Bta6dtJmakIM5Bcs8A5ELiUfoB
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
MIS.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Subsystem = "C:\\Program Files (x86)\\WPA Subsystem\\wpass.exe" MIS.exe -
Processes:
MIS.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MIS.exe -
Drops file in Program Files directory 2 IoCs
Processes:
MIS.exedescription ioc Process File created C:\Program Files (x86)\WPA Subsystem\wpass.exe MIS.exe File opened for modification C:\Program Files (x86)\WPA Subsystem\wpass.exe MIS.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
MIS.exeschtasks.exeschtasks.execmd.exetaskkill.exePING.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MIS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid Process 1692 cmd.exe 3908 PING.EXE -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid Process 4164 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
MIS.exepid Process 3612 MIS.exe 3612 MIS.exe 3612 MIS.exe 3612 MIS.exe 3612 MIS.exe 3612 MIS.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
MIS.exepid Process 3612 MIS.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
MIS.exetaskkill.exedescription pid Process Token: SeDebugPrivilege 3612 MIS.exe Token: SeDebugPrivilege 3612 MIS.exe Token: SeDebugPrivilege 4164 taskkill.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
MIS.execmd.exedescription pid Process procid_target PID 3612 wrote to memory of 880 3612 MIS.exe 89 PID 3612 wrote to memory of 880 3612 MIS.exe 89 PID 3612 wrote to memory of 880 3612 MIS.exe 89 PID 3612 wrote to memory of 4580 3612 MIS.exe 91 PID 3612 wrote to memory of 4580 3612 MIS.exe 91 PID 3612 wrote to memory of 4580 3612 MIS.exe 91 PID 3612 wrote to memory of 1692 3612 MIS.exe 93 PID 3612 wrote to memory of 1692 3612 MIS.exe 93 PID 3612 wrote to memory of 1692 3612 MIS.exe 93 PID 1692 wrote to memory of 4164 1692 cmd.exe 95 PID 1692 wrote to memory of 4164 1692 cmd.exe 95 PID 1692 wrote to memory of 4164 1692 cmd.exe 95 PID 1692 wrote to memory of 3908 1692 cmd.exe 96 PID 1692 wrote to memory of 3908 1692 cmd.exe 96 PID 1692 wrote to memory of 3908 1692 cmd.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\MIS.exe"C:\Users\Admin\AppData\Local\Temp\MIS.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /delete /f /tn "WPA Subsystem"2⤵
- System Location Discovery: System Language Discovery
PID:880
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /delete /f /tn "WPA Subsystem Task"2⤵
- System Location Discovery: System Language Discovery
PID:4580
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /f /im "MIS.exe" & ping -n 1 -w 3000 1.1.1.1 & type nul > "C:\Users\Admin\AppData\Local\Temp\MIS.exe" & del /f /q "C:\Users\Admin\AppData\Local\Temp\MIS.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "MIS.exe"3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4164
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 -w 3000 1.1.1.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3908
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1