55edcf08f8521a9cddde8570baaac0ab8ef6e640e96c834db0e5c12f5b9c68fe

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f35d502490f7522150c06d1bd7ca12e2.exe
Size

8.6MB
MD5

f35d502490f7522150c06d1bd7ca12e2
SHA1

5ff707c5084b287ae08886bc857d4a2b4ffd8793
SHA256

af9968865c5173cb2b5af909bb34088bf51496c10ef91e26c054bde235bb519f
SHA512

8fe5536968d1ad453a58644052a27731e3d1dc4c57553c68c4ad310d459276dd8d1c4e5a15b7d262d864ed0675cab0ba6ef6b2081fa3653cb4c6062df1b6bc4f
SSDEEP

196608:t3/F4FE9vSMWU3wmIAYJVY5yJo20px+w71m:t3/F4F1mIfVY422Mx+V

Score

10^/10

defense_evasion discovery persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	mwps.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	pdm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cpm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wpas mngr.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	f35d502490f7522150c06d1bd7ca12e2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	f35d502490f7522150c06d1bd7ca12e2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	mwps.exe

Executes dropped EXE 6 IoCs

pid	Process
4764	mwps.exe
2652	f35d502490f7522150c06d1bd7ca12e2.exe
1304	f35d502490f7522150c06d1bd7ca12e2.exe
3016	wpas mngr.exe
2732	pdm.exe
4472	cpm.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe"	pdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe"	f35d502490f7522150c06d1bd7ca12e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpasmngr = "C:\\Users\\Admin\\Documents\\wpas mngr.exe"	wpas mngr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe"	wpas mngr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpasmngr = "C:\\Users\\Admin\\Documents\\wpas mngr.exe"	pdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpasmngr = "C:\\Users\\Admin\\Documents\\wpas mngr.exe"	cpm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe"	cpm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe"	mwps.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mwps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f35d502490f7522150c06d1bd7ca12e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f35d502490f7522150c06d1bd7ca12e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f35d502490f7522150c06d1bd7ca12e2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	f35d502490f7522150c06d1bd7ca12e2.exe
2224	f35d502490f7522150c06d1bd7ca12e2.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe
4764	mwps.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4764	mwps.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	f35d502490f7522150c06d1bd7ca12e2.exe
Token: SeDebugPrivilege	4764	mwps.exe
Token: SeDebugPrivilege	2732	pdm.exe
Token: SeDebugPrivilege	3016	wpas mngr.exe
Token: SeDebugPrivilege	4472	cpm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4764	mwps.exe
4764	mwps.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 4764	2224	f35d502490f7522150c06d1bd7ca12e2.exe	89
PID 2224 wrote to memory of 4764	2224	f35d502490f7522150c06d1bd7ca12e2.exe	89
PID 2224 wrote to memory of 4764	2224	f35d502490f7522150c06d1bd7ca12e2.exe	89
PID 2224 wrote to memory of 2652	2224	f35d502490f7522150c06d1bd7ca12e2.exe	90
PID 2224 wrote to memory of 2652	2224	f35d502490f7522150c06d1bd7ca12e2.exe	90
PID 2224 wrote to memory of 2652	2224	f35d502490f7522150c06d1bd7ca12e2.exe	90
PID 2652 wrote to memory of 1304	2652	f35d502490f7522150c06d1bd7ca12e2.exe	106
PID 2652 wrote to memory of 1304	2652	f35d502490f7522150c06d1bd7ca12e2.exe	106
PID 2652 wrote to memory of 1304	2652	f35d502490f7522150c06d1bd7ca12e2.exe	106
PID 4764 wrote to memory of 3016	4764	mwps.exe	94
PID 4764 wrote to memory of 3016	4764	mwps.exe	94
PID 4764 wrote to memory of 2732	4764	mwps.exe	95
PID 4764 wrote to memory of 2732	4764	mwps.exe	95
PID 4764 wrote to memory of 4472	4764	mwps.exe	96
PID 4764 wrote to memory of 4472	4764	mwps.exe	96

C:\Users\Admin\AppData\Local\Temp\f35d502490f7522150c06d1bd7ca12e2.exe
"C:\Users\Admin\AppData\Local\Temp\f35d502490f7522150c06d1bd7ca12e2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\Documents\mwps\mwps.exe
  "C:\Users\Admin\Documents\mwps\mwps.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Users\Admin\Documents\wpas mngr.exe
    "C:\Users\Admin\Documents\wpas mngr.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Users\Admin\Documents\proDM\pdm.exe
    "C:\Users\Admin\Documents\proDM\pdm.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Users\Admin\Documents\comPM\cpm.exe
    "C:\Users\Admin\Documents\comPM\cpm.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:4472
- C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe
  "C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\eset\bts.session\ac5ffe71-247f-4294-8c82-fa72beef95ab\f35d502490f7522150c06d1bd7ca12e2.exe
    "C:\Users\Admin\AppData\Local\Temp\eset\bts.session\ac5ffe71-247f-4294-8c82-fa72beef95ab\f35d502490f7522150c06d1bd7ca12e2.exe" --bts-container 2652 "C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1304

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eset\bts.session\ac5ffe71-247f-4294-8c82-fa72beef95ab\f35d502490f7522150c06d1bd7ca12e2.exe

Filesize
2.1MB

MD5
6e6fddaa8ecd3f759230a703dfce6d27

SHA1
2ef696bc30d0ba48aa2af5c94787d056557fe21b

SHA256
3bc0f49207c2589667d540a9ee638daed3f350a4e943de22f135590484fd41e6

SHA512
cfb112e71e0f1841607f4a73b1bbf4c38170736ecdbde3138927d71f6f584d07f95dfe4b0f066e936af968abcbb9f88eef2db48a0a4b800a6cbb63188c643fca

Download Submit
C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe

Filesize
8.6MB

MD5
e6873bdbb73ff60a4468f6e204cdbaee

SHA1
cb42c4061adfb90257beff9eff4929503e0c1fc5

SHA256
c74123c90df3ded1f9d091b278cf68ce798bb3c7d99b34a46ac0bdff29374045

SHA512
5cefe838d1da8c97b5664efc0c49e9e1652700bd16eb3fc1467bc54c05b2f124393d692df11034373fe496df060125baafdafc237f26be4f13e447f2c7e6cd45

Download Submit
C:\Users\Admin\Documents\comPM\cpm.exe

Filesize
13KB

MD5
015b69d2468b0454a04cc80027a65224

SHA1
00eea83b7c91f8ea797e238827ccbc403c985f8b

SHA256
ea65623a9e39191c0157c2cf541c397fecad15477c962594ee91033df463bd26

SHA512
9f562242a04a5fe9f5b4fe8e1edd2bf1b171b75c834317a74c05621cad0605ca19ad2b3028ae60b72841b982b73fd972609f3c37879a50ba3cf69bf1838ea2b0

Download Submit
C:\Users\Admin\Documents\mwps\mwps.exe

Filesize
80KB

MD5
307956cbcc6322cef0760b8bd174e081

SHA1
4524c29dc44d0a6af35c3091ff63593558d8e0c1

SHA256
32695f53c395ddaea37e5200349c9ad57d65c62fbc652265940ca9168604f5a7

SHA512
d3b61b9c08321eb9330ef55717bae55188401c89aa9284bea09357639c741e272dc217375dfe4e4be0e37958052a0c697c9aa3e387ec803a1d8b325a56eb737f

Download Submit
C:\Users\Admin\Documents\proDM\pdm.exe

Filesize
14KB

MD5
e21b44a5ba5f2cf25a31600ed5678aa3

SHA1
d651ad21f565aae56c31fd5efeec2c99424eaf3f

SHA256
a9831f4c9dc19ebd13158fd50c8df20e91b7a2568a142e9598f5e87da87aacd4

SHA512
bec72a0183fa6987cdcc1f528cd719d25bcb68233b77d3f6a0e4be3eeff084dc78c2e2b727c96e3a32326db358c7dc5359fdc657aa02115bfd7220413c206383

Download Submit
C:\Users\Admin\Documents\wpas mngr.exe

Filesize
14KB

MD5
e03b00824eb87cdf8a4af0158b9f03b9

SHA1
39d5d69b3f4e265e44b414ff98323e7332d4984c

SHA256
482a1c183b8db36574a67afcaad6057386c594480ac6e9b6fd31af6d19356524

SHA512
cddecdeabee507dcfdb4846ffb14ab6a95930b97be6bf4630feff1378d2b1386ef6feaeda84bc2b8386e5fea7724c19d95ad3e4c47561dd5e64365e52346cfd1

Download Submit
memory/2224-30-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/2224-0-0x0000000075302000-0x0000000075303000-memory.dmp

Filesize
4KB

Download
memory/2224-29-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/2224-2-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/2224-1-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3016-75-0x000000001C8F0000-0x000000001C98C000-memory.dmp

Filesize
624KB

Download
memory/3016-61-0x000000001C420000-0x000000001C8EE000-memory.dmp

Filesize
4.8MB

Download
memory/3016-85-0x000000001BF00000-0x000000001BF08000-memory.dmp

Filesize
32KB

Download
memory/4764-24-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/4764-18-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/4764-17-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/4764-86-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/4764-87-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download