bb1f1816fb5064dcd339ef4ce1018b01324d79a850bf0775a43c1fe2c3ea1816

General

Target

bb1f18.exe
Size

1.1MB
MD5

449d5f628cd5ce61db9b3aca95476a58
SHA1

f83041dd54959fcfc56c6903f96e4859bc68f43e
SHA256

bb1f1816fb5064dcd339ef4ce1018b01324d79a850bf0775a43c1fe2c3ea1816
SHA512

0b71225387610bf26e9ef6e3ce37ebb5e518b2309b810b6bf08c6d87c305cf75caada1d6249eb1f7c4b82cf3d675413ac7e2f68bf842429b7b511eef552b1d03

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

WigetFL.exeLogger.exe

pid process

2016 WigetFL.exe
2040 Logger.exe
Loads dropped DLL 4 IoCs

Processes:

bb1f18.exe

pid process

1064 bb1f18.exe
1064 bb1f18.exe
1064 bb1f18.exe
1064 bb1f18.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2016	WigetFL.exe
2040	Logger.exe

pid	process
1064	bb1f18.exe
1064	bb1f18.exe
1064	bb1f18.exe
1064	bb1f18.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\1337\WigetFL.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\1337\WigetFL.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe	nsis_installer_2

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Logger.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Logger.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Logger.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

bb1f18.exe

description	pid	process	target process
PID 1064 wrote to memory of 2016	1064	bb1f18.exe	WigetFL.exe
PID 1064 wrote to memory of 2016	1064	bb1f18.exe	WigetFL.exe
PID 1064 wrote to memory of 2016	1064	bb1f18.exe	WigetFL.exe
PID 1064 wrote to memory of 2016	1064	bb1f18.exe	WigetFL.exe
PID 1064 wrote to memory of 2040	1064	bb1f18.exe	Logger.exe
PID 1064 wrote to memory of 2040	1064	bb1f18.exe	Logger.exe
PID 1064 wrote to memory of 2040	1064	bb1f18.exe	Logger.exe
PID 1064 wrote to memory of 2040	1064	bb1f18.exe	Logger.exe

C:\Users\Admin\AppData\Local\Temp\bb1f18.exe
"C:\Users\Admin\AppData\Local\Temp\bb1f18.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe
"C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe"
2⤵
- Executes dropped EXE
PID:2016

C:\Users\Admin\AppData\Roaming\1337\Logger.exe
"C:\Users\Admin\AppData\Roaming\1337\Logger.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1337\Logger.exe
MD5
343f94b57cb857d6ac23080d13ed1536

SHA1
56b888836c50904eb24a16ea482ac63614f69887

SHA256
fe3c3dab43759b37ce8236614887bfbac1f2954a5733a1bd7ea4d22aadf39f65

SHA512
7604b693498ae9690f4513cf4403948c72e33b7d7cc94e9144e2ea9b7d2e7db888efbe13cd61d7e388215cb8e81f13446861a8b4d904507eebcc464cf9981b6f

Download Submit
C:\Users\Admin\AppData\Roaming\1337\Logger.exe
MD5
343f94b57cb857d6ac23080d13ed1536

SHA1
56b888836c50904eb24a16ea482ac63614f69887

SHA256
fe3c3dab43759b37ce8236614887bfbac1f2954a5733a1bd7ea4d22aadf39f65

SHA512
7604b693498ae9690f4513cf4403948c72e33b7d7cc94e9144e2ea9b7d2e7db888efbe13cd61d7e388215cb8e81f13446861a8b4d904507eebcc464cf9981b6f

Download Submit
C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe
MD5
14768b61437af5d83d3209e98963730b

SHA1
844b0322849f71997a3e91df223da7394bf2d4b3

SHA256
1b2d641d96f4739f46662ceb5d43c4527a278cb3231611d52afb91ffc318329f

SHA512
0e259da218a66086da603d28a01708201531559c781faccab78a598a155bb8c4651fd8cb46eb322347b441c7649b4a26e949e6c05a73ffcdb461d42f4a111f37

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3371.tmp\System.dll
MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
\Users\Admin\AppData\Roaming\1337\Logger.exe
MD5
343f94b57cb857d6ac23080d13ed1536

SHA1
56b888836c50904eb24a16ea482ac63614f69887

SHA256
fe3c3dab43759b37ce8236614887bfbac1f2954a5733a1bd7ea4d22aadf39f65

SHA512
7604b693498ae9690f4513cf4403948c72e33b7d7cc94e9144e2ea9b7d2e7db888efbe13cd61d7e388215cb8e81f13446861a8b4d904507eebcc464cf9981b6f

Download Submit
\Users\Admin\AppData\Roaming\1337\Logger.exe
MD5
343f94b57cb857d6ac23080d13ed1536

SHA1
56b888836c50904eb24a16ea482ac63614f69887

SHA256
fe3c3dab43759b37ce8236614887bfbac1f2954a5733a1bd7ea4d22aadf39f65

SHA512
7604b693498ae9690f4513cf4403948c72e33b7d7cc94e9144e2ea9b7d2e7db888efbe13cd61d7e388215cb8e81f13446861a8b4d904507eebcc464cf9981b6f

Download Submit
\Users\Admin\AppData\Roaming\1337\WigetFL.exe
MD5
14768b61437af5d83d3209e98963730b

SHA1
844b0322849f71997a3e91df223da7394bf2d4b3

SHA256
1b2d641d96f4739f46662ceb5d43c4527a278cb3231611d52afb91ffc318329f

SHA512
0e259da218a66086da603d28a01708201531559c781faccab78a598a155bb8c4651fd8cb46eb322347b441c7649b4a26e949e6c05a73ffcdb461d42f4a111f37

Download Submit
memory/1064-2-0x0000000076101000-0x0000000076103000-memory.dmp

Filesize
8KB

Download
memory/2016-5-0x0000000000000000-mapping.dmp

Download
memory/2040-9-0x0000000000000000-mapping.dmp

Download
memory/2040-14-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2040-13-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/2040-15-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads