f4111d30be32600233ad61440ff2f9a6484f3ba6c04fae4b522fc09ab0de3831

Analysis

max time kernel
1s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47ce70cdeffbe184e4414b64b813fcaa.exe
Size

25.8MB
MD5

47ce70cdeffbe184e4414b64b813fcaa
SHA1

6daf2be501fb8ed05a8a5e8e5a351223c3a61c3e
SHA256

9097502ebdd5bb6c3f61d78148211feda2f25682be1ecd2f331c37c4a36cb501
SHA512

4f40036c816452794ad841fcb2deb1a5baf5bc584415f138b608f5f211a6088f7db2b6fb2a9e7e583457c314ea7d566f359c5dd0d779a89eb355a5df3877aa54
SSDEEP

393216:tSOWHAhJbjQno/A8w5y3COZfJrBIhUcT0FES0gjVhJ:t8D8w5GBkS0gPJ

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	47ce70cdeffbe184e4414b64b813fcaa.exe

Executes dropped EXE 1 IoCs

pid	Process
4872	mwps.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe"	47ce70cdeffbe184e4414b64b813fcaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47ce70cdeffbe184e4414b64b813fcaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mwps.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4604	47ce70cdeffbe184e4414b64b813fcaa.exe
4604	47ce70cdeffbe184e4414b64b813fcaa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4604	47ce70cdeffbe184e4414b64b813fcaa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4872	4604	47ce70cdeffbe184e4414b64b813fcaa.exe	87
PID 4604 wrote to memory of 4872	4604	47ce70cdeffbe184e4414b64b813fcaa.exe	87
PID 4604 wrote to memory of 4872	4604	47ce70cdeffbe184e4414b64b813fcaa.exe	87

C:\Users\Admin\AppData\Local\Temp\47ce70cdeffbe184e4414b64b813fcaa.exe
"C:\Users\Admin\AppData\Local\Temp\47ce70cdeffbe184e4414b64b813fcaa.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\Documents\mwps\mwps.exe
  "C:\Users\Admin\Documents\mwps\mwps.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4872
- - C:\Users\Admin\Documents\wpas mngr.exe
    "C:\Users\Admin\Documents\wpas mngr.exe"
    3⤵
    PID:2464
- - C:\Users\Admin\Documents\proDM\pdm.exe
    "C:\Users\Admin\Documents\proDM\pdm.exe"
    3⤵
    PID:5408
- - C:\Users\Admin\Documents\comPM\cpm.exe
    "C:\Users\Admin\Documents\comPM\cpm.exe"
    3⤵
    PID:5964
- C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\47ce70cdeffbe184e4414b64b813fcaa.exe
  "C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\47ce70cdeffbe184e4414b64b813fcaa.exe"
  2⤵
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\47ce70cdeffbe184e4414b64b813fcaa.exe

Filesize
18.9MB

MD5
bb487ae86c73be3850fa988abcb170b4

SHA1
99bbeb26761e093105b38431991a0f1cec578180

SHA256
993409bae66f839802d78d7455b15ff5fb54d41e6085aaaa23db0634d318bf37

SHA512
f08ef146cc2807434c6084b9e272d6f17b6b311e67cfa92b808eb60dd7b2462974ea5ed53af7f94ac083db1d87b92a38bbe8b5c1f76c16999f9a35c9b7328e93

Download Submit
C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\47ce70cdeffbe184e4414b64b813fcaa.exe

Filesize
18.1MB

MD5
a421e38b0c8dd4639f16a6e4237818ae

SHA1
f90660a2f4b0670c44a5a74fe68e4f2c3c38c159

SHA256
4c836144590d8d7c452f9e4b22ffce43b0f5a14cb59185e8b6c3a3a468c5618c

SHA512
cb5b2b7cbccf24bdf2ddd89942244838bacbec0c4325fac8ffa99251dedad946419255a84127b1129466ef6be1936329bf317fe8f5965e3d93def6e5ae42cd40

Download Submit
C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\47ce70cdeffbe184e4414b64b813fcaa.exe

Filesize
17.6MB

MD5
954feab679aa5755374be942fd55ac55

SHA1
33bb65ccebbcf260ac36c465a4ab6862fdbebc43

SHA256
7b6589b79a1b342bd7daa3e9cfe581d71c7f6af74ce8e7de0a2aa59917fcd86a

SHA512
f76bf68eb7f60fdecab484c3c240aeb7a0819ef4e7ed86315d3be37d6b7a98ce03fc4f6248994f9f07f779da041e23b0d74833fa44577f747d099612f6666ccd

Download Submit
C:\Users\Admin\Documents\comPM\cpm.exe

Filesize
13KB

MD5
015b69d2468b0454a04cc80027a65224

SHA1
00eea83b7c91f8ea797e238827ccbc403c985f8b

SHA256
ea65623a9e39191c0157c2cf541c397fecad15477c962594ee91033df463bd26

SHA512
9f562242a04a5fe9f5b4fe8e1edd2bf1b171b75c834317a74c05621cad0605ca19ad2b3028ae60b72841b982b73fd972609f3c37879a50ba3cf69bf1838ea2b0

Download Submit
C:\Users\Admin\Documents\mwps\mwps.exe

Filesize
80KB

MD5
307956cbcc6322cef0760b8bd174e081

SHA1
4524c29dc44d0a6af35c3091ff63593558d8e0c1

SHA256
32695f53c395ddaea37e5200349c9ad57d65c62fbc652265940ca9168604f5a7

SHA512
d3b61b9c08321eb9330ef55717bae55188401c89aa9284bea09357639c741e272dc217375dfe4e4be0e37958052a0c697c9aa3e387ec803a1d8b325a56eb737f

Download Submit
C:\Users\Admin\Documents\proDM\pdm.exe

Filesize
14KB

MD5
e21b44a5ba5f2cf25a31600ed5678aa3

SHA1
d651ad21f565aae56c31fd5efeec2c99424eaf3f

SHA256
a9831f4c9dc19ebd13158fd50c8df20e91b7a2568a142e9598f5e87da87aacd4

SHA512
bec72a0183fa6987cdcc1f528cd719d25bcb68233b77d3f6a0e4be3eeff084dc78c2e2b727c96e3a32326db358c7dc5359fdc657aa02115bfd7220413c206383

Download Submit
C:\Users\Admin\Documents\wpas mngr.exe

Filesize
14KB

MD5
e03b00824eb87cdf8a4af0158b9f03b9

SHA1
39d5d69b3f4e265e44b414ff98323e7332d4984c

SHA256
482a1c183b8db36574a67afcaad6057386c594480ac6e9b6fd31af6d19356524

SHA512
cddecdeabee507dcfdb4846ffb14ab6a95930b97be6bf4630feff1378d2b1386ef6feaeda84bc2b8386e5fea7724c19d95ad3e4c47561dd5e64365e52346cfd1

Download Submit
memory/2464-69-0x000000001B6C0000-0x000000001B6C8000-memory.dmp

Filesize
32KB

Download
memory/2464-47-0x000000001C100000-0x000000001C19C000-memory.dmp

Filesize
624KB

Download
memory/2464-45-0x000000001BC30000-0x000000001C0FE000-memory.dmp

Filesize
4.8MB

Download
memory/4604-2-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4604-28-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4604-26-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4604-0-0x00000000754D2000-0x00000000754D3000-memory.dmp

Filesize
4KB

Download
memory/4604-1-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4872-72-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4872-14-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4872-15-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4872-70-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4872-29-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/5036-76-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/5036-79-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/5036-74-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/5036-75-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/5036-71-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/5036-77-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/5036-78-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/5036-73-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/5036-80-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/5036-81-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/5036-82-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/5036-83-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/5036-84-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download
memory/5036-85-0x0000000000400000-0x0000000001DD1000-memory.dmp

Filesize
25.8MB

Download