daaaf8f57839df3645b9a65a3223483c5ff9b01840e179242158d1b8a948a801

Analysis

max time kernel
146s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wmispe.exe
Size

684KB
MD5

69058bba0b0ce086c23d0b50fb712fd6
SHA1

73c45dcf072ebeac0f7e8ddce7a80ad5e9df9049
SHA256

c60d6122c82f694d05e4e54446ddbf980bed657c6131ba51e4c359dc56dec701
SHA512

2bd8a8520c185e94dfa98abfe2433e79599a150b0a97edc8b8f0f74d45ca6a524a14f3aa633a22c8989dfd008248f4739614b3caf623cbedf983f323ce80ccb1
SSDEEP

12288:Ly0mm/XdI/uQ/hUEBk/XXpy5MlE2Xxioxc46bgk76+esTCmpi:LVu/PDsXpy5pqio2bH2mpi

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

wmispe.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	wmispe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

setalc.exewmispe.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmispe.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

wmispe.exe

pid	Process
1776	wmispe.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

wmispe.exe

pid	Process
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe
1776	wmispe.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wmispe.exe

pid	Process
1776	wmispe.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wmispe.exe

description	pid	Process	procid_target
PID 1776 wrote to memory of 2728	1776	wmispe.exe	30
PID 1776 wrote to memory of 2728	1776	wmispe.exe	30
PID 1776 wrote to memory of 2728	1776	wmispe.exe	30
PID 1776 wrote to memory of 2728	1776	wmispe.exe	30

C:\Users\Admin\AppData\Local\Temp\wmispe.exe
"C:\Users\Admin\AppData\Local\Temp\wmispe.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\setalc.exe
  "C:\Users\Admin\AppData\Local\Temp\setalc.exe" /SETDATE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1776-0-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1776-1-0x0000000000A70000-0x0000000000AB2000-memory.dmp

Filesize
264KB

Download
memory/1776-9-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/1776-34-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1776-33-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1776-32-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/1776-31-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/1776-38-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1776-60-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/1776-59-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/1776-58-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1776-57-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/1776-56-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1776-55-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/1776-54-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/1776-35-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/1776-53-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1776-52-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1776-51-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/1776-50-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1776-62-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/1776-61-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/1776-49-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/1776-48-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1776-47-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1776-46-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1776-45-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1776-44-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1776-43-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1776-42-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/1776-41-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/1776-40-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1776-39-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/1776-37-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1776-36-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/1776-30-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1776-29-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1776-28-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/1776-27-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/1776-26-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1776-25-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1776-63-0x0000000000A70000-0x0000000000AB2000-memory.dmp

Filesize
264KB

Download
memory/1776-24-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1776-81-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

Filesize
4KB

Download
memory/1776-83-0x0000000003E00000-0x0000000003E01000-memory.dmp

Filesize
4KB

Download
memory/1776-82-0x0000000003D00000-0x0000000003D01000-memory.dmp

Filesize
4KB

Download
memory/1776-80-0x0000000003DD0000-0x0000000003DD1000-memory.dmp

Filesize
4KB

Download
memory/1776-79-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

Filesize
4KB

Download
memory/1776-78-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

Filesize
4KB

Download
memory/1776-77-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

Filesize
4KB

Download
memory/1776-76-0x0000000003D90000-0x0000000003D91000-memory.dmp

Filesize
4KB

Download
memory/1776-75-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

Filesize
4KB

Download
memory/1776-74-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download
memory/1776-73-0x0000000003D80000-0x0000000003D81000-memory.dmp

Filesize
4KB

Download
memory/1776-72-0x0000000003D50000-0x0000000003D51000-memory.dmp

Filesize
4KB

Download
memory/1776-71-0x0000000003D60000-0x0000000003D61000-memory.dmp

Filesize
4KB

Download
memory/1776-70-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/1776-69-0x0000000003D40000-0x0000000003D41000-memory.dmp

Filesize
4KB

Download
memory/1776-68-0x0000000003D10000-0x0000000003D11000-memory.dmp

Filesize
4KB

Download
memory/1776-67-0x0000000003D20000-0x0000000003D21000-memory.dmp

Filesize
4KB

Download
memory/1776-66-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

Filesize
4KB

Download
memory/1776-65-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

Filesize
4KB

Download
memory/1776-64-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

Filesize
4KB

Download
memory/1776-23-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1776-22-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1776-21-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1776-20-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1776-19-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1776-18-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1776-17-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1776-16-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1776-15-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1776-14-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1776-13-0x0000000000B00000-0x0000000000B04000-memory.dmp

Filesize
16KB

Download
memory/1776-12-0x00000000022E0000-0x00000000022E2000-memory.dmp

Filesize
8KB

Download
memory/1776-11-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/1776-10-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1776-8-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1776-7-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1776-6-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1776-5-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/1776-4-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1776-3-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1776-2-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/1776-87-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1776-89-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/1776-88-0x0000000003F50000-0x0000000003F51000-memory.dmp

Filesize
4KB

Download
memory/1776-86-0x0000000003910000-0x0000000003911000-memory.dmp

Filesize
4KB

Download
memory/1776-85-0x0000000003E20000-0x0000000003E21000-memory.dmp

Filesize
4KB

Download
memory/1776-84-0x0000000003F40000-0x0000000003F41000-memory.dmp

Filesize
4KB

Download
memory/1776-94-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/1776-93-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/1776-92-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/1776-91-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/1776-96-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/1776-97-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/1776-99-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1776-100-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1776-101-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1776-102-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1776-103-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1776-104-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1776-107-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1776-108-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1776-109-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1776-110-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1776-111-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1776-112-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1776-113-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1776-115-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download