Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 19:46
Static task
static1
Behavioral task
behavioral1
Sample
9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe
Resource
win10v2004-20241007-en
General
-
Target
9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe
-
Size
3.3MB
-
MD5
51fd84738d1d4ecd8382e0b692fcdd00
-
SHA1
8d09806ac628730d6c997e0ccc3e8c16dcba0fec
-
SHA256
9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1
-
SHA512
ea4dc919b0f48f43c330386d558d7bf1d557657b27d359f0722638d47ee8ab54bc67bba1b7c9afe7a87914308d17f644dc0cbecdd9b112a3295481b664a2c139
-
SSDEEP
98304:SCZ9i2QPOTCUqt3T7uUlHVTKpoMhXKTRsqU:SCZ3QmOrp71HAniaL
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 4216 wmpscfgs.exe 3968 wmpscfgs.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe" 9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 452 9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe 4216 wmpscfgs.exe 3968 wmpscfgs.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File created \??\c:\program files (x86)\adobe\acrotray .exe 9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe File created \??\c:\program files (x86)\adobe\acrotray.exe 9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe File created \??\c:\program files (x86)\internet explorer\wmpscfgs.exe 9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 3164 4216 WerFault.exe 86 2284 3968 WerFault.exe 87 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmpscfgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmpscfgs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 452 9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe 452 9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 452 9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 452 9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe 4216 wmpscfgs.exe 3968 wmpscfgs.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 452 wrote to memory of 4216 452 9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe 86 PID 452 wrote to memory of 4216 452 9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe 86 PID 452 wrote to memory of 4216 452 9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe 86 PID 452 wrote to memory of 3968 452 9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe 87 PID 452 wrote to memory of 3968 452 9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe 87 PID 452 wrote to memory of 3968 452 9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe"C:\Users\Admin\AppData\Local\Temp\9a208ce9535e178e03f9afdaa5eb82f11e3db483cdad10f8ed209b172b1f9ca1N.exe"1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\users\admin\appdata\local\temp\wmpscfgs.exec:\users\admin\appdata\local\temp\\wmpscfgs.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4216 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 6723⤵
- Program crash
PID:3164
-
-
-
C:\Program Files (x86)\Internet Explorer\wmpscfgs.exeC:\Program Files (x86)\Internet Explorer\wmpscfgs.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3968 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 6763⤵
- Program crash
PID:2284
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3968 -ip 39681⤵PID:1220
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4216 -ip 42161⤵PID:4688
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.3MB
MD5d1584ac9e9ae113486d1638be086b44e
SHA115261c6ae05e646642aaf01ff2ccda27ffb62c26
SHA256d02f31fb436c183ac8c664fc4973537ce559c75e80b33b42b8757b58155fca89
SHA512d3f5d171e5c1bdf4d74673ea2f55a5e7515d53a33e30f0facee10831429f4ebb35033423d1213a61a57d3c6049e3d160298664af7f6403fde209087902c7561a
-
Filesize
3.3MB
MD59d8d229e4429d2fdf97a158fae93e09d
SHA12fb04ca0c4e0434620640a59d8a3c36dceb017f2
SHA256b7cf1cc40af12aaf9e528833267d04c03b962bca7f44e94a3ec9504043a97550
SHA512b57e7c0b5123c33a88d0a2d3dea1f76109803d99cb2ad25025e157f7cc9b1920cf391656f5aa2f627e976d3df71b6b42cc5787765eb280879f3cf042e11dc534