3f531ce5eae08958610dbac073a881654f1efad802ca3d5a325a75355e460da0

Analysis

max time kernel
123s
max time network
126s
platform
windows7_x64
resource
win7v20201028
submitted
17-11-2020 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5509fe49ec28dc7abb5aae78a88b606e.exe
Size

2.6MB
MD5

1b2484bfb1a25d55d201207a15cf266b
SHA1

70119d1800e6d39cbe0e5160f8acc2bdb2e46c7d
SHA256

3f531ce5eae08958610dbac073a881654f1efad802ca3d5a325a75355e460da0
SHA512

49db1d4577617e61c1a583fb82858d47f1d36ff348bf2229a848c8fcf7b3ee6d0c151e723a4527b2b822e943d3a235e428324bf60c61fcde69900da850596a26

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

weifavauin.exeweifavauin.tmp

pid process

1716 weifavauin.exe
1684 weifavauin.tmp
Loads dropped DLL 6 IoCs

Processes:

cmd.exeweifavauin.exeweifavauin.tmp

pid process

1796 cmd.exe
1716 weifavauin.exe
1684 weifavauin.tmp
1684 weifavauin.tmp
1684 weifavauin.tmp
1684 weifavauin.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1716	weifavauin.exe
1684	weifavauin.tmp

pid	process
1796	cmd.exe
1716	weifavauin.exe
1684	weifavauin.tmp
1684	weifavauin.tmp
1684	weifavauin.tmp
1684	weifavauin.tmp

Drops file in Program Files directory 10 IoCs

Processes:

weifavauin.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\WIFIInspector\unins000.dat	weifavauin.tmp
File created	C:\Program Files (x86)\WIFIInspector\unins000.dat	weifavauin.tmp
File created	C:\Program Files (x86)\WIFIInspector\is-DN5IO.tmp	weifavauin.tmp
File created	C:\Program Files (x86)\WIFIInspector\is-O5435.tmp	weifavauin.tmp
File created	C:\Program Files (x86)\WIFIInspector\is-P1M9D.tmp	weifavauin.tmp
File created	C:\Program Files (x86)\WIFIInspector\is-N2KNU.tmp	weifavauin.tmp
File created	C:\Program Files (x86)\WIFIInspector\is-JP6CS.tmp	weifavauin.tmp
File created	C:\Program Files (x86)\WIFIInspector\is-RKC2E.tmp	weifavauin.tmp
File opened for modification	C:\Program Files (x86)\WIFIInspector\EGL.dll	weifavauin.tmp
File opened for modification	C:\Program Files (x86)\WIFIInspector\WIFIInspector.exe	weifavauin.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

5509fe49ec28dc7abb5aae78a88b606e.exeweifavauin.tmp

pid process

1080 5509fe49ec28dc7abb5aae78a88b606e.exe
1080 5509fe49ec28dc7abb5aae78a88b606e.exe
1684 weifavauin.tmp
1684 weifavauin.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

weifavauin.tmp

pid process

1684 weifavauin.tmp

pid	process
1080	5509fe49ec28dc7abb5aae78a88b606e.exe
1080	5509fe49ec28dc7abb5aae78a88b606e.exe
1684	weifavauin.tmp
1684	weifavauin.tmp

pid	process
1684	weifavauin.tmp

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

5509fe49ec28dc7abb5aae78a88b606e.execmd.exeweifavauin.exe

description	pid	process	target process
PID 1080 wrote to memory of 1796	1080	5509fe49ec28dc7abb5aae78a88b606e.exe	cmd.exe
PID 1080 wrote to memory of 1796	1080	5509fe49ec28dc7abb5aae78a88b606e.exe	cmd.exe
PID 1080 wrote to memory of 1796	1080	5509fe49ec28dc7abb5aae78a88b606e.exe	cmd.exe
PID 1080 wrote to memory of 1796	1080	5509fe49ec28dc7abb5aae78a88b606e.exe	cmd.exe
PID 1796 wrote to memory of 1716	1796	cmd.exe	weifavauin.exe
PID 1796 wrote to memory of 1716	1796	cmd.exe	weifavauin.exe
PID 1796 wrote to memory of 1716	1796	cmd.exe	weifavauin.exe
PID 1796 wrote to memory of 1716	1796	cmd.exe	weifavauin.exe
PID 1796 wrote to memory of 1716	1796	cmd.exe	weifavauin.exe
PID 1796 wrote to memory of 1716	1796	cmd.exe	weifavauin.exe
PID 1796 wrote to memory of 1716	1796	cmd.exe	weifavauin.exe
PID 1716 wrote to memory of 1684	1716	weifavauin.exe	weifavauin.tmp
PID 1716 wrote to memory of 1684	1716	weifavauin.exe	weifavauin.tmp
PID 1716 wrote to memory of 1684	1716	weifavauin.exe	weifavauin.tmp
PID 1716 wrote to memory of 1684	1716	weifavauin.exe	weifavauin.tmp
PID 1716 wrote to memory of 1684	1716	weifavauin.exe	weifavauin.tmp
PID 1716 wrote to memory of 1684	1716	weifavauin.exe	weifavauin.tmp
PID 1716 wrote to memory of 1684	1716	weifavauin.exe	weifavauin.tmp

C:\Users\Admin\AppData\Local\Temp\5509fe49ec28dc7abb5aae78a88b606e.exe
"C:\Users\Admin\AppData\Local\Temp\5509fe49ec28dc7abb5aae78a88b606e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\weifavauin.exe" /VERYSILENT
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\weifavauin.exe
"C:\Users\Admin\AppData\Local\Temp\weifavauin.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\is-0JIAJ.tmp\weifavauin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0JIAJ.tmp\weifavauin.tmp" /SL5="$7015A,90766,54272,C:\Users\Admin\AppData\Local\Temp\weifavauin.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1684

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0JIAJ.tmp\weifavauin.tmp
MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0JIAJ.tmp\weifavauin.tmp
MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
C:\Users\Admin\AppData\Local\Temp\weifavauin.exe
MD5
8f49472ed2ec6b48b3e17200e35a6cc2

SHA1
2cd6519d99614e7f6450d4e24fc9b5796dd78233

SHA256
7b9c5ed5f1c101fd42c207025ce61311bb8c6c49037a574a66352c3c21f7ba0d

SHA512
3fdda6ca38b83edc7bc77f3d6f63ae953b33ee38b870a5dbab72da2867767211352cb5d15076c073b9b8546b3844b3b180876537f78f2385d0160b3091bb57f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\weifavauin.exe
MD5
8f49472ed2ec6b48b3e17200e35a6cc2

SHA1
2cd6519d99614e7f6450d4e24fc9b5796dd78233

SHA256
7b9c5ed5f1c101fd42c207025ce61311bb8c6c49037a574a66352c3c21f7ba0d

SHA512
3fdda6ca38b83edc7bc77f3d6f63ae953b33ee38b870a5dbab72da2867767211352cb5d15076c073b9b8546b3844b3b180876537f78f2385d0160b3091bb57f9

Download Submit
\Program Files (x86)\WIFIInspector\WIFIInspector.exe
MD5
2c696683de59829065ae122599fc1fd2

SHA1
54927573be3ac1a4cf3fe6e9b33e6f67b304593c

SHA256
04fa3531613072eca2091bcd81a4e71b6a73ef212734a3a5ad6e4942b2bb8c5a

SHA512
0008550d6e14bb9887b087ff673e7298ba42976b7d4edbaa5ae43f6e0762c3f646f7a64b6a124a293a07a6e9ff34526763cf09bd7f078c18caebd237d2a923df

Download Submit
\Program Files (x86)\WIFIInspector\unins000.exe
MD5
d42e7c4ae7bfdb34e658e0c81df2401b

SHA1
624bcd5304f65e386d053a45f747f5ceae273d1a

SHA256
f0be063625e0eb3011de5ee7ced1feb7a3054f7583828e3cec1ea6a9f9412849

SHA512
860e4e2d2cf4de739dc472e57db6464253255d05d54e393776cf668b76849ba258681dffb9957fe32df50203fd8abd8b2569260d0ab1bf41ce95446ee432c784

Download Submit
\Users\Admin\AppData\Local\Temp\is-0JIAJ.tmp\weifavauin.tmp
MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
\Users\Admin\AppData\Local\Temp\is-LLUVU.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-LLUVU.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\weifavauin.exe
MD5
8f49472ed2ec6b48b3e17200e35a6cc2

SHA1
2cd6519d99614e7f6450d4e24fc9b5796dd78233

SHA256
7b9c5ed5f1c101fd42c207025ce61311bb8c6c49037a574a66352c3c21f7ba0d

SHA512
3fdda6ca38b83edc7bc77f3d6f63ae953b33ee38b870a5dbab72da2867767211352cb5d15076c073b9b8546b3844b3b180876537f78f2385d0160b3091bb57f9

Download Submit
memory/1080-0-0x0000000010000000-0x0000000010274000-memory.dmp

Filesize
2.5MB

Download
memory/1684-8-0x0000000000000000-mapping.dmp

Download
memory/1716-5-0x0000000000000000-mapping.dmp

Download
memory/1716-4-0x0000000000000000-mapping.dmp

Download
memory/1796-1-0x0000000000000000-mapping.dmp

Download