Analysis
- max time kernel: 19s
- max time network: 23s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 27-02-2021 17:48

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample bb1f18.exe, resource win7v20201028)
- Behavioral task: behavioral2 (sample bb1f18.exe, resource win10v20201028)
General
- Target: bb1f18.exe
- Size: 1.1MB
- MD5: 449d5f628cd5ce61db9b3aca95476a58
- SHA1: f83041dd54959fcfc56c6903f96e4859bc68f43e
- SHA256: bb1f1816fb5064dcd339ef4ce1018b01324d79a850bf0775a43c1fe2c3ea1816
- SHA512: 0b71225387610bf26e9ef6e3ce37ebb5e518b2309b810b6bf08c6d87c305cf75caada1d6249eb1f7c4b82cf3d675413ac7e2f68bf842429b7b511eef552b1d03
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: PID 2016 WigetFL.exe; PID 2040 Logger.exe
- Loads dropped DLL (4 IoCs)
  Processes: PID 1064 bb1f18.exe (4 DLL loads)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NSIS installer (4 IoCs)
  Resource / YARA rule matches:
  \Users\Admin\AppData\Roaming\1337\WigetFL.exe: nsis_installer_1, nsis_installer_2
  C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe: nsis_installer_1, nsis_installer_2
- Modifies system certificate store
  Processes:
  Logger.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  Logger.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = <value omitted>
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  PID 1064 bb1f18.exe wrote to memory of PID 2016 WigetFL.exe (4 events)
  PID 1064 bb1f18.exe wrote to memory of PID 2040 Logger.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\bb1f18.exe "C:\Users\Admin\AppData\Local\Temp\bb1f18.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe "C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe"
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\1337\Logger.exe "C:\Users\Admin\AppData\Roaming\1337\Logger.exe"
    - Executes dropped EXE
    - Modifies system certificate store
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files:
- C:\Users\Admin\AppData\Roaming\1337\Logger.exe
- C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe
- \Users\Admin\AppData\Local\Temp\nsx3371.tmp\System.dll
Memory dumps:
- memory/1064-2-0x0000000076101000-0x0000000076103000-memory.dmp (8KB)
- memory/2016-5-0x0000000000000000-mapping.dmp
- memory/2040-9-0x0000000000000000-mapping.dmp
- memory/2040-14-0x0000000000170000-0x0000000000172000-memory.dmp (8KB)
- memory/2040-13-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp (9.6MB)
- memory/2040-15-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp (9.6MB)