f4111d30be32600233ad61440ff2f9a6484f3ba6c04fae4b522fc09ab0de3831

Analysis

max time kernel
3s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47ce70cdeffbe184e4414b64b813fcaa.exe
Size

25.8MB
MD5

47ce70cdeffbe184e4414b64b813fcaa
SHA1

6daf2be501fb8ed05a8a5e8e5a351223c3a61c3e
SHA256

9097502ebdd5bb6c3f61d78148211feda2f25682be1ecd2f331c37c4a36cb501
SHA512

4f40036c816452794ad841fcb2deb1a5baf5bc584415f138b608f5f211a6088f7db2b6fb2a9e7e583457c314ea7d566f359c5dd0d779a89eb355a5df3877aa54
SSDEEP

393216:tSOWHAhJbjQno/A8w5y3COZfJrBIhUcT0FES0gjVhJ:t8D8w5GBkS0gPJ

Score

10^/10

defense_evasion discovery persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	mwps.exe

Executes dropped EXE 2 IoCs

pid	Process
2792	mwps.exe
2224	47ce70cdeffbe184e4414b64b813fcaa.exe

Loads dropped DLL 2 IoCs

pid	Process
2228	47ce70cdeffbe184e4414b64b813fcaa.exe
2228	47ce70cdeffbe184e4414b64b813fcaa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe"	mwps.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe"	47ce70cdeffbe184e4414b64b813fcaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47ce70cdeffbe184e4414b64b813fcaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mwps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47ce70cdeffbe184e4414b64b813fcaa.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2228	47ce70cdeffbe184e4414b64b813fcaa.exe
2228	47ce70cdeffbe184e4414b64b813fcaa.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe
2792	mwps.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	47ce70cdeffbe184e4414b64b813fcaa.exe
Token: SeDebugPrivilege	2792	mwps.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2792	mwps.exe
2792	mwps.exe
2224	47ce70cdeffbe184e4414b64b813fcaa.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2792	2228	47ce70cdeffbe184e4414b64b813fcaa.exe	30
PID 2228 wrote to memory of 2792	2228	47ce70cdeffbe184e4414b64b813fcaa.exe	30
PID 2228 wrote to memory of 2792	2228	47ce70cdeffbe184e4414b64b813fcaa.exe	30
PID 2228 wrote to memory of 2792	2228	47ce70cdeffbe184e4414b64b813fcaa.exe	30
PID 2228 wrote to memory of 2224	2228	47ce70cdeffbe184e4414b64b813fcaa.exe	31
PID 2228 wrote to memory of 2224	2228	47ce70cdeffbe184e4414b64b813fcaa.exe	31
PID 2228 wrote to memory of 2224	2228	47ce70cdeffbe184e4414b64b813fcaa.exe	31
PID 2228 wrote to memory of 2224	2228	47ce70cdeffbe184e4414b64b813fcaa.exe	31

C:\Users\Admin\AppData\Local\Temp\47ce70cdeffbe184e4414b64b813fcaa.exe
"C:\Users\Admin\AppData\Local\Temp\47ce70cdeffbe184e4414b64b813fcaa.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\Documents\mwps\mwps.exe
  "C:\Users\Admin\Documents\mwps\mwps.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2792
- - C:\Users\Admin\Documents\wpas mngr.exe
    "C:\Users\Admin\Documents\wpas mngr.exe"
    3⤵
    PID:2540
- - C:\Users\Admin\Documents\proDM\pdm.exe
    "C:\Users\Admin\Documents\proDM\pdm.exe"
    3⤵
    PID:2984
- - C:\Users\Admin\Documents\comPM\cpm.exe
    "C:\Users\Admin\Documents\comPM\cpm.exe"
    3⤵
    PID:2144
- C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\47ce70cdeffbe184e4414b64b813fcaa.exe
  "C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\47ce70cdeffbe184e4414b64b813fcaa.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\47ce70cdeffbe184e4414b64b813fcaa.exe

Filesize
25.7MB

MD5
de31d1e4807f49a2dbb0cbadba7eee27

SHA1
500bcc106ca339fda40676e143ce1e184cbaca6e

SHA256
e9570cf399b08ca6d930d292f54cb6a46b2f98c69610079417c41fff051740fd

SHA512
679e0de439b13e506ab2654b2000447be92eb2c18a736634f258d19bfd4e823410ad8d04cfe3193fc390f76794802b4eb4a4ecbcf785895649caa20efab50821

Download Submit
C:\Users\Admin\Documents\comPM\cpm.exe

Filesize
13KB

MD5
015b69d2468b0454a04cc80027a65224

SHA1
00eea83b7c91f8ea797e238827ccbc403c985f8b

SHA256
ea65623a9e39191c0157c2cf541c397fecad15477c962594ee91033df463bd26

SHA512
9f562242a04a5fe9f5b4fe8e1edd2bf1b171b75c834317a74c05621cad0605ca19ad2b3028ae60b72841b982b73fd972609f3c37879a50ba3cf69bf1838ea2b0

Download Submit
C:\Users\Admin\Documents\mwps\mwps.exe

Filesize
80KB

MD5
307956cbcc6322cef0760b8bd174e081

SHA1
4524c29dc44d0a6af35c3091ff63593558d8e0c1

SHA256
32695f53c395ddaea37e5200349c9ad57d65c62fbc652265940ca9168604f5a7

SHA512
d3b61b9c08321eb9330ef55717bae55188401c89aa9284bea09357639c741e272dc217375dfe4e4be0e37958052a0c697c9aa3e387ec803a1d8b325a56eb737f

Download Submit
C:\Users\Admin\Documents\proDM\pdm.exe

Filesize
14KB

MD5
e21b44a5ba5f2cf25a31600ed5678aa3

SHA1
d651ad21f565aae56c31fd5efeec2c99424eaf3f

SHA256
a9831f4c9dc19ebd13158fd50c8df20e91b7a2568a142e9598f5e87da87aacd4

SHA512
bec72a0183fa6987cdcc1f528cd719d25bcb68233b77d3f6a0e4be3eeff084dc78c2e2b727c96e3a32326db358c7dc5359fdc657aa02115bfd7220413c206383

Download Submit
C:\Users\Admin\Documents\wpas mngr.exe

Filesize
14KB

MD5
e03b00824eb87cdf8a4af0158b9f03b9

SHA1
39d5d69b3f4e265e44b414ff98323e7332d4984c

SHA256
482a1c183b8db36574a67afcaad6057386c594480ac6e9b6fd31af6d19356524

SHA512
cddecdeabee507dcfdb4846ffb14ab6a95930b97be6bf4630feff1378d2b1386ef6feaeda84bc2b8386e5fea7724c19d95ad3e4c47561dd5e64365e52346cfd1

Download Submit
memory/2224-51-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/2224-53-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/2224-58-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/2224-57-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/2224-56-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/2224-55-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/2224-54-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/2224-49-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/2224-52-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/2224-44-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/2224-50-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/2224-46-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/2224-47-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/2224-48-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/2228-2-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2228-0-0x0000000074051000-0x0000000074052000-memory.dmp

Filesize
4KB

Download
memory/2228-1-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2228-19-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2792-45-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2792-43-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2792-11-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2792-10-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2792-20-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2792-12-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download