a25164a9205a1919fdc85976f6838bd52de858692e885244518d20a5a880fae7

General

Target

b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe
Size

6.4MB
MD5

58bacc0d97258aadf00f1c32beeac8a3
SHA1

b90c0b1b72fb573d74c9996b4b6a0cfc1699a066
SHA256

a25164a9205a1919fdc85976f6838bd52de858692e885244518d20a5a880fae7
SHA512

0644995ffa4f9f2965edba8b0ddc9e3d8d6a517046cc6e95c852e889e3d4d5219fb7270fd6f1ee202cf20a410cf23296377e46e5ffca4be7dba85cf9e0d8ec6d
SSDEEP

196608:YNvMhd5LqFOjkCTIMfjnm22IDsDEmufqDFe3S4HtiYzlDA:YNvMhfLqFOjkyfzmJIYa0Otpq

Score

6^/10

discovery persistence upx

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auto_Agent_WirelessMediaC3 = "C:\\Users\\Admin\\AppData\\Local\\WirelessMedia\\WirelessMediaAutoServiceC3.exe"	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	WirelessMediaMain.exe
File opened (read-only)	\??\M:	WirelessMediaMain.exe
File opened (read-only)	\??\T:	WirelessMediaMain.exe
File opened (read-only)	\??\V:	WirelessMediaMain.exe
File opened (read-only)	\??\W:	WirelessMediaMain.exe
File opened (read-only)	\??\E:	WirelessMediaMain.exe
File opened (read-only)	\??\R:	WirelessMediaMain.exe
File opened (read-only)	\??\Z:	WirelessMediaMain.exe
File opened (read-only)	\??\Q:	WirelessMediaMain.exe
File opened (read-only)	\??\J:	WirelessMediaMain.exe
File opened (read-only)	\??\K:	WirelessMediaMain.exe
File opened (read-only)	\??\U:	WirelessMediaMain.exe
File opened (read-only)	\??\I:	WirelessMediaMain.exe
File opened (read-only)	\??\H:	WirelessMediaMain.exe
File opened (read-only)	\??\N:	WirelessMediaMain.exe
File opened (read-only)	\??\O:	WirelessMediaMain.exe
File opened (read-only)	\??\P:	WirelessMediaMain.exe
File opened (read-only)	\??\S:	WirelessMediaMain.exe
File opened (read-only)	\??\X:	WirelessMediaMain.exe
File opened (read-only)	\??\Y:	WirelessMediaMain.exe
File opened (read-only)	\??\G:	WirelessMediaMain.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1072-0-0x0000000000B30000-0x00000000018FE000-memory.dmp	upx
behavioral1/memory/1072-32-0x0000000000B30000-0x00000000018FE000-memory.dmp	upx

Executes dropped EXE 2 IoCs

pid	Process
2804	WirelessMediaAutoServiceC3.exe
2732	WirelessMediaMain.exe

Loads dropped DLL 8 IoCs

pid	Process
1072	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe
1072	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe
1072	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe
1072	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe
1072	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe
1072	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe
1072	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe
1072	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WirelessMediaAutoServiceC3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WirelessMediaMain.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2732	WirelessMediaMain.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2732	WirelessMediaMain.exe
2732	WirelessMediaMain.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2732	WirelessMediaMain.exe
2732	WirelessMediaMain.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2732	WirelessMediaMain.exe
2732	WirelessMediaMain.exe
2732	WirelessMediaMain.exe
2732	WirelessMediaMain.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2804	1072	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe	30
PID 1072 wrote to memory of 2804	1072	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe	30
PID 1072 wrote to memory of 2804	1072	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe	30
PID 1072 wrote to memory of 2804	1072	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe	30
PID 1072 wrote to memory of 2732	1072	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe	31
PID 1072 wrote to memory of 2732	1072	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe	31
PID 1072 wrote to memory of 2732	1072	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe	31
PID 1072 wrote to memory of 2732	1072	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe	31

C:\Users\Admin\AppData\Local\Temp\b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe
"C:\Users\Admin\AppData\Local\Temp\b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe"
1⤵
- Adds Run key to start application
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe
  "C:\Users\Admin\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Users\Admin\AppData\Local\WirelessMedia\WirelessMediaMain.exe
  "C:\Users\Admin\AppData\Local\WirelessMedia\WirelessMediaMain.exe"
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe

Filesize
1.6MB

MD5
2c5a699f1baaddcd659e226586ce5eca

SHA1
60b54b1254d2e2b4c57c49b0a06945d13aec1b36

SHA256
ce1406795d923f43c9309904e5dcd9cbadf9d9f1f26413333b920713b01523f6

SHA512
de62caad872938a7add5e513b86b9b5e143272c711d8632c30ad8718a23115e2349e2ae94abdfd72196c30552a99852d34d54cb1e35b93e855a1d425bcbf1538

Download Submit
C:\Users\Admin\AppData\Local\WirelessMedia\WirelessMediaMain.exe

Filesize
11.9MB

MD5
ddc8d3302600895ee667fa990770793e

SHA1
a95202ba7a2af7b375cbd73d88a7add665a005a0

SHA256
4139e95be8e6294a57f746112ca14553ab9913893cfefbfa95ac2f5ccbf40b9a

SHA512
24f64b50f1bed05d0c80e3d6bacc0c537a6e5d83fc4ec5c63cdbd69e0b286f680eb4b0b2e548d753ff2ec9f00bd48064e4cc69e8b31d06f94d3078f72fbff38d

Download Submit
memory/1072-0-0x0000000000B30000-0x00000000018FE000-memory.dmp

Filesize
13.8MB

Download
memory/1072-4-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/1072-32-0x0000000000B30000-0x00000000018FE000-memory.dmp

Filesize
13.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads