bb1f1816fb5064dcd339ef4ce1018b01324d79a850bf0775a43c1fe2c3ea1816

Analysis

max time kernel
67s
max time network
127s
platform
windows10_x64
resource
win10v20201028
submitted
27-02-2021 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb1f18.exe
Size

1.1MB
MD5

449d5f628cd5ce61db9b3aca95476a58
SHA1

f83041dd54959fcfc56c6903f96e4859bc68f43e
SHA256

bb1f1816fb5064dcd339ef4ce1018b01324d79a850bf0775a43c1fe2c3ea1816
SHA512

0b71225387610bf26e9ef6e3ce37ebb5e518b2309b810b6bf08c6d87c305cf75caada1d6249eb1f7c4b82cf3d675413ac7e2f68bf842429b7b511eef552b1d03

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

WigetFL.exeLogger.exesetupQQ.exeasd.exeTHIS IS WIIIGET!.exeupdater.exe

pid process

2736 WigetFL.exe
2772 Logger.exe
3620 setupQQ.exe
4036 asd.exe
4048 THIS IS WIIIGET!.exe
2360 updater.exe
Loads dropped DLL 2 IoCs

Processes:

bb1f18.exeWigetFL.exe

pid process

1908 bb1f18.exe
2736 WigetFL.exe

pid	process
2736	WigetFL.exe
2772	Logger.exe
3620	setupQQ.exe
4036	asd.exe
4048	THIS IS WIIIGET!.exe
2360	updater.exe

pid	process
1908	bb1f18.exe
2736	WigetFL.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

THIS IS WIIIGET!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\THIS IS WIIIGET! = "C:\\Program Files (x86)\\Miped\\QWiget\\THIS IS WIIIGET!.exe"	THIS IS WIIIGET!.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 23 IoCs

Processes:

setupQQ.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Miped\QWiget\images\gadget_button_1_normal.png	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\images\gadget_button_2_hover.png	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\images\gadget_button_2_normal.png	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\images\gadget_button_3_normal.png	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\images\gadget_button_4_pressed.png	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\THIS IS WIIIGET!.exe	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\images\gadget_button_0_hover.png	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\images\gadget_button_0_pressed.png	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\lang\en-US.xml	setupQQ.exe
File created	C:\Program Files (x86)\Miped\QWiget\Uninstall.ini	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\images\gadget_button_1_pressed.png	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\images\gadget_button_3_hover.png	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\images\gadget_button_4_hover.png	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\Gadget.Xml	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\images\gadget_button_4_normal.png	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\lang\de-De.xml	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\images\gadget_button_2_pressed.png	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\images\gadget_button_3_pressed.png	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\TrayIcon.ico	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\Uninstall.exe	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\images\gadget_bg.png	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\images\gadget_button_0_normal.png	setupQQ.exe
File opened for modification	C:\Program Files (x86)\Miped\QWiget\images\gadget_button_1_hover.png	setupQQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe	nsis_installer_2

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Logger.exe

description pid process

Token: SeDebugPrivilege 2772 Logger.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

THIS IS WIIIGET!.exe

pid process

4048 THIS IS WIIIGET!.exe
4048 THIS IS WIIIGET!.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

THIS IS WIIIGET!.exe

pid process

4048 THIS IS WIIIGET!.exe
4048 THIS IS WIIIGET!.exe

description	pid	process
Token: SeDebugPrivilege	2772	Logger.exe

pid	process
4048	THIS IS WIIIGET!.exe
4048	THIS IS WIIIGET!.exe

pid	process
4048	THIS IS WIIIGET!.exe
4048	THIS IS WIIIGET!.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

bb1f18.exeWigetFL.exesetupQQ.exeasd.exe

description	pid	process	target process
PID 1908 wrote to memory of 2736	1908	bb1f18.exe	WigetFL.exe
PID 1908 wrote to memory of 2736	1908	bb1f18.exe	WigetFL.exe
PID 1908 wrote to memory of 2736	1908	bb1f18.exe	WigetFL.exe
PID 1908 wrote to memory of 2772	1908	bb1f18.exe	Logger.exe
PID 1908 wrote to memory of 2772	1908	bb1f18.exe	Logger.exe
PID 2736 wrote to memory of 3620	2736	WigetFL.exe	setupQQ.exe
PID 2736 wrote to memory of 3620	2736	WigetFL.exe	setupQQ.exe
PID 2736 wrote to memory of 3620	2736	WigetFL.exe	setupQQ.exe
PID 2736 wrote to memory of 4036	2736	WigetFL.exe	asd.exe
PID 2736 wrote to memory of 4036	2736	WigetFL.exe	asd.exe
PID 3620 wrote to memory of 4048	3620	setupQQ.exe	THIS IS WIIIGET!.exe
PID 3620 wrote to memory of 4048	3620	setupQQ.exe	THIS IS WIIIGET!.exe
PID 3620 wrote to memory of 4048	3620	setupQQ.exe	THIS IS WIIIGET!.exe
PID 4036 wrote to memory of 2360	4036	asd.exe	updater.exe
PID 4036 wrote to memory of 2360	4036	asd.exe	updater.exe

C:\Users\Admin\AppData\Local\Temp\bb1f18.exe
"C:\Users\Admin\AppData\Local\Temp\bb1f18.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe
"C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Roaming\1337\setupQQ.exe
"C:\Users\Admin\AppData\Roaming\1337\setupQQ.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3620

C:\Program Files (x86)\Miped\QWiget\THIS IS WIIIGET!.exe
"C:\Program Files (x86)\Miped\QWiget\THIS IS WIIIGET!.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4048

C:\Users\Admin\AppData\Roaming\1337\asd.exe
"C:\Users\Admin\AppData\Roaming\1337\asd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036

C:\ProgramData\updater.exe
C:\ProgramData\updater.exe
4⤵
- Executes dropped EXE
PID:2360

C:\Users\Admin\AppData\Roaming\1337\Logger.exe
"C:\Users\Admin\AppData\Roaming\1337\Logger.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Miped\QWiget\Gadget.xml
MD5
2e40d9f0117cc21d427a8c3422159bd9

SHA1
8c15e602838e8bf2934ef6d2c5d21e954be80858

SHA256
c0fdb3de27a4df294eeb14a30b2cd22de4551a9234246fc6e65ec60d78e86acc

SHA512
8bbe24a404d53ac975df5331f82941fb2bb14701ec2db45c17b5514e985addf62339ad1119762621d8a931f50d2cc086bab2f905c16a38fbc428d9e807a1b804

Download Submit
C:\Program Files (x86)\Miped\QWiget\THIS IS WIIIGET!.exe
MD5
9eded9e961ceea51f9eef3c70a6e10bc

SHA1
a210f141a18fddc16835c0dce6e5c5c92f0891d6

SHA256
85505a60a4b5eab310e8d322cd98b69ad36eb9ff8b605bf3c10c13b404badb61

SHA512
4bdbfdebeb33fd46df874382bd4c0f0b0a966d88d04ded669361c240fa03d76fb2e24454c0f9d30c31ab4c541903e52d61c2f320fde9d730c1d233955a09f12b

Download Submit
C:\Program Files (x86)\Miped\QWiget\THIS IS WIIIGET!.exe
MD5
9eded9e961ceea51f9eef3c70a6e10bc

SHA1
a210f141a18fddc16835c0dce6e5c5c92f0891d6

SHA256
85505a60a4b5eab310e8d322cd98b69ad36eb9ff8b605bf3c10c13b404badb61

SHA512
4bdbfdebeb33fd46df874382bd4c0f0b0a966d88d04ded669361c240fa03d76fb2e24454c0f9d30c31ab4c541903e52d61c2f320fde9d730c1d233955a09f12b

Download Submit
C:\Program Files (x86)\Miped\QWiget\TrayIcon.ico
MD5
a97e2f7aa0751316186ab14b573daee2

SHA1
4d0a61871f1e38a801d47729e8adba10b3feae63

SHA256
ee78cb4fc69107f52bf00333b86703168f7a42603bfdae9b27b9ecdb39499f80

SHA512
64b6ab66f4f445fe81e5f80bb634dd9704a8b97bb68d44d2493c91b124463081d8db4c899e68e4d9c80bffc3d88a94a090c4b4cb603ada4528bdc2dc6445bd4c

Download Submit
C:\Program Files (x86)\Miped\QWiget\images\gadget_bg.png
MD5
e764e2593c89a30aff1505d7229c235c

SHA1
3fdd33ba9cb406dd63617fc66b2bb6a7b9c12fbb

SHA256
39231882d3aeb9ebe83ce5bf92f9c770ca710e9eb9ad7ec6fa606c0447a83b32

SHA512
ddd11baf9e7b619f78748514befb744f732350380134727a47a14eabc4f2132a5041f9918dae0340745087c2b622b9337d31371d3d930cc21a6e2b445dae92bd

Download Submit
C:\Program Files (x86)\Miped\QWiget\images\gadget_button_0_normal.png
MD5
35bde26a7c07d9b3a5f6c9838ffac9e3

SHA1
e1d4e6535074d8a21f5a62f1157f906675fd5e30

SHA256
7ed5c9d4d005d81f675f78a8b8e34258d34f2a4efd851a18171bf5fa7a5bdf24

SHA512
08927d7b134cdae722455f6f28c561fbe02fc5f5ded1c2982c58a058938ea6c88c994bbfa1f91f80574a0a1dfabcf27ad833738ff60853bebb4061d102646ac6

Download Submit
C:\Program Files (x86)\Miped\QWiget\images\gadget_button_1_normal.png
MD5
49bc029f1dfdb744ab839b14a1fd8ca8

SHA1
71ad4b227cdb60208bdee610c12e42ec677353cf

SHA256
f6268c0aa5fd360314e759095fb70aa59df4acb421825d4211faad30155f8819

SHA512
057f7602489035037bc231bd470948526d7d54dd2858b1a61cd3f08e0f1c1d9dc9b42b84965ea76f9b8bcfe76e28c8bd47529a1a31b9ddfc053ec41066573233

Download Submit
C:\Program Files (x86)\Miped\QWiget\images\gadget_button_2_normal.png
MD5
0ba2cf1ede9d369dad9aa589882dfd8d

SHA1
02a64918b1048ec2ef377018e22186331adfdd3f

SHA256
8828c15a39938667a6a5e58da160997a457c87d5b16f58ee9376851accafeb63

SHA512
cdfc4bb6838fba7d53f98b89af064f5248592a33b17909476544ea842ed3dce808639106cad7b0b6aebbfe1914036eace875f2fde57eeb2ee08fc6bbf8f338c8

Download Submit
C:\Program Files (x86)\Miped\QWiget\images\gadget_button_3_normal.png
MD5
61d91ceb27a633b26af19614b4609b1f

SHA1
ac2633b46719aaaeae1bbf3af27afc43da5bccb1

SHA256
3cd11f541f838133a4bf5ff0336ff053c3f4f7ebb74a25e4513375c8f6ec4b2a

SHA512
31e1a0eee7b26900ce346f9dba62f06bbdbc36857a625d9636623890caaa62f5a36b23932f5123370c3a9ad5f23facd3801ec1301083ef30d4dfc2f3bd8c3ac1

Download Submit
C:\Program Files (x86)\Miped\QWiget\images\gadget_button_4_normal.png
MD5
b64af874ae181c12587bca2481dac2b5

SHA1
97ee341c335b96d1e2b02a2abcbe86dbe26d79e6

SHA256
386136aaf0b90fda3e323a84c5eaf4d7f863706c90fbf52febcd41ba426b5b91

SHA512
4203dbb466c5c4d8d5263716e42ac9b4eba267d0b83b245d33ab993537a270be289bc3db7081e7763b076443530c34c6c1dba3b168d8c82cbd189271d3d29fa7

Download Submit
C:\Program Files (x86)\Miped\QWiget\lang\en-US.xml
MD5
4a98bc8687dad198f6fb1ba9a661533a

SHA1
c27fb382ab0514cf42db63ef5a856f235584b307

SHA256
891f01b475968a5e01b716fb452691ff946d134e070053e3a438a4932c2378ed

SHA512
c4286260df75d544840321e0527ec05645b55a0a47cd40f58de925da7d9b6223c52a562f7e126cf462a6ff1916b523d448ff021923c31ef621bf9970208573eb

Download Submit
C:\ProgramData\updater.exe
MD5
33344ec742000d9f380e1f8704bb6ecb

SHA1
6afc68d9a63aa2ed6dfb905575c831107ca5ea33

SHA256
41b7d85c552c0ce39a9bed932f098f383b06998333ce84cc23c05b5ade7aede7

SHA512
698ade3c99e84248a14cc963ea767f5b01e6098610a9f402f1a913bc0c2d2077236b28a11bef56a0246d31ee10a13918e5fcd79c473bb83769de61ce8ccec7b9

Download Submit
C:\Users\Admin\AppData\Roaming\1337\Logger.exe
MD5
343f94b57cb857d6ac23080d13ed1536

SHA1
56b888836c50904eb24a16ea482ac63614f69887

SHA256
fe3c3dab43759b37ce8236614887bfbac1f2954a5733a1bd7ea4d22aadf39f65

SHA512
7604b693498ae9690f4513cf4403948c72e33b7d7cc94e9144e2ea9b7d2e7db888efbe13cd61d7e388215cb8e81f13446861a8b4d904507eebcc464cf9981b6f

Download Submit
C:\Users\Admin\AppData\Roaming\1337\Logger.exe
MD5
343f94b57cb857d6ac23080d13ed1536

SHA1
56b888836c50904eb24a16ea482ac63614f69887

SHA256
fe3c3dab43759b37ce8236614887bfbac1f2954a5733a1bd7ea4d22aadf39f65

SHA512
7604b693498ae9690f4513cf4403948c72e33b7d7cc94e9144e2ea9b7d2e7db888efbe13cd61d7e388215cb8e81f13446861a8b4d904507eebcc464cf9981b6f

Download Submit
C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe
MD5
14768b61437af5d83d3209e98963730b

SHA1
844b0322849f71997a3e91df223da7394bf2d4b3

SHA256
1b2d641d96f4739f46662ceb5d43c4527a278cb3231611d52afb91ffc318329f

SHA512
0e259da218a66086da603d28a01708201531559c781faccab78a598a155bb8c4651fd8cb46eb322347b441c7649b4a26e949e6c05a73ffcdb461d42f4a111f37

Download Submit
C:\Users\Admin\AppData\Roaming\1337\WigetFL.exe
MD5
14768b61437af5d83d3209e98963730b

SHA1
844b0322849f71997a3e91df223da7394bf2d4b3

SHA256
1b2d641d96f4739f46662ceb5d43c4527a278cb3231611d52afb91ffc318329f

SHA512
0e259da218a66086da603d28a01708201531559c781faccab78a598a155bb8c4651fd8cb46eb322347b441c7649b4a26e949e6c05a73ffcdb461d42f4a111f37

Download Submit
C:\Users\Admin\AppData\Roaming\1337\asd.exe
MD5
33344ec742000d9f380e1f8704bb6ecb

SHA1
6afc68d9a63aa2ed6dfb905575c831107ca5ea33

SHA256
41b7d85c552c0ce39a9bed932f098f383b06998333ce84cc23c05b5ade7aede7

SHA512
698ade3c99e84248a14cc963ea767f5b01e6098610a9f402f1a913bc0c2d2077236b28a11bef56a0246d31ee10a13918e5fcd79c473bb83769de61ce8ccec7b9

Download Submit
C:\Users\Admin\AppData\Roaming\1337\asd.exe
MD5
33344ec742000d9f380e1f8704bb6ecb

SHA1
6afc68d9a63aa2ed6dfb905575c831107ca5ea33

SHA256
41b7d85c552c0ce39a9bed932f098f383b06998333ce84cc23c05b5ade7aede7

SHA512
698ade3c99e84248a14cc963ea767f5b01e6098610a9f402f1a913bc0c2d2077236b28a11bef56a0246d31ee10a13918e5fcd79c473bb83769de61ce8ccec7b9

Download Submit
C:\Users\Admin\AppData\Roaming\1337\setupQQ.exe
MD5
aa5f1cffddd5c0ac8e1ecca4bac343bb

SHA1
7509e305d0c6ad9f49a8f12977fc6d01729eac07

SHA256
fe35d5d08404cc39cd78b8d755781ad42900652ee0304e178d6256494b4e4eb3

SHA512
89641a8898153881b8c6d3315a6e26944f7e16b947a13743e57a3f0d0bacba15fb7ff5e0c4c97bdf70ed1857c2f2419c562f098b6c52dcf2b367f2c6a557ca55

Download Submit
C:\Users\Admin\AppData\Roaming\1337\setupQQ.exe
MD5
aa5f1cffddd5c0ac8e1ecca4bac343bb

SHA1
7509e305d0c6ad9f49a8f12977fc6d01729eac07

SHA256
fe35d5d08404cc39cd78b8d755781ad42900652ee0304e178d6256494b4e4eb3

SHA512
89641a8898153881b8c6d3315a6e26944f7e16b947a13743e57a3f0d0bacba15fb7ff5e0c4c97bdf70ed1857c2f2419c562f098b6c52dcf2b367f2c6a557ca55

Download Submit
\Users\Admin\AppData\Local\Temp\nsd357F.tmp\System.dll
MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3734.tmp\System.dll
MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
memory/2360-39-0x0000000000000000-mapping.dmp

Download
memory/2736-3-0x0000000000000000-mapping.dmp

Download
memory/2772-15-0x0000000001FF0000-0x0000000001FF2000-memory.dmp

Filesize
8KB

Download
memory/2772-10-0x00007FFCA1D10000-0x00007FFCA26B0000-memory.dmp

Filesize
9.6MB

Download
memory/2772-5-0x0000000000000000-mapping.dmp

Download
memory/3620-11-0x0000000000000000-mapping.dmp

Download
memory/4036-14-0x0000000000000000-mapping.dmp

Download
memory/4048-20-0x0000000072180000-0x000000007286E000-memory.dmp

Filesize
6.9MB

Download
memory/4048-31-0x000000000A560000-0x000000000A561000-memory.dmp

Filesize
4KB

Download
memory/4048-30-0x0000000009CE0000-0x0000000009CE1000-memory.dmp

Filesize
4KB

Download
memory/4048-26-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/4048-25-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/4048-24-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/4048-38-0x0000000005803000-0x0000000005805000-memory.dmp

Filesize
8KB

Download
memory/4048-21-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/4048-17-0x0000000000000000-mapping.dmp

Download