Analysis
- max time kernel: 99s
- max time network: 76s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 22-05-2022 03:13
Static task
- static1
Behavioral task behavioral1
- Sample: KWFLPC.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: KWFLPC.exe
- Resource: win10v2004-20220414-en
Behavioral task behavioral3
- Sample: out.exe
- Resource: win7-20220414-en
Behavioral task behavioral4
- Sample: out.exe
- Resource: win10v2004-20220414-en
General
- Target: KWFLPC.exe
- Size: 423KB
- MD5: 1cd8a018b6af07d08c22bd6429014b0e
- SHA1: 1939f5b1f15389106b84cdfe51bf9f3ba6b3c473
- SHA256: 6410f220fdbd34dae565f5fba45e85107741c13d19a91b3126e735fbe0425606
- SHA512: b61df7dd7c5ff11345c6a3d4aacc00578c983769481872d08a08459765953688b0d67a9ce7bc1dcdfeadc64e274581a8129689098e35f26ab32bbf208d76bdb5
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
pid    process
1968   migwiz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 4 IoCs
Processes:
description                    ioc                                                                          process
File created                   C:\Windows\system32\migwiz\$dpx$.tmp\1a4f651314d38a478e77d1210402df2c.tmp    wusa.exe
File opened for modification   C:\Windows\system32\migwiz\cryptbase.dll                                     wusa.exe
File opened for modification   C:\Windows\system32\migwiz\$dpx$.tmp\job.xml                                 wusa.exe
File opened for modification   C:\Windows\system32\migwiz\$dpx$.tmp                                         wusa.exe
Drops file in Windows directory 3 IoCs
Processes:
description                    ioc                                   process
File opened for modification   C:\Windows\Logs\DPX\setupact.log      wusa.exe
File opened for modification   C:\Windows\Logs\DPX\setuperr.log      wusa.exe
File created                   C:\Windows\wusa.lock                  wusa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
Note: the file opened is C:\Users\Admin\AppData\Local\Temp\888.vbs, the same script that WScript.exe runs in the process tree below, so this is the generic "notepad opened a text file" heuristic firing rather than evidence of a ransom note.
Processes:
pid    process
1072   Notepad.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid    process
1968   migwiz.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes: KWFLPC.exe, cmd.exe, WScript.exe, migwiz.exe, cmd.exe
description                          count   pid    process       target pid   target process
PID 1052 wrote to memory of 912      x4      1052   KWFLPC.exe    912          cmd.exe
PID 912 wrote to memory of 956       x3      912    cmd.exe       956          wusa.exe
PID 1052 wrote to memory of 1056     x4      1052   KWFLPC.exe    1056         WScript.exe
PID 1056 wrote to memory of 1968     x3      1056   WScript.exe   1968         migwiz.exe
PID 1968 wrote to memory of 1964     x3      1968   migwiz.exe    1964         cmd.exe
PID 1964 wrote to memory of 1764     x3      1964   cmd.exe       1764         reg.exe
Every writer/target pair here is a parent writing into a child it has just created; these entries reflect ordinary process creation on Windows 7 (the parent populating the new process before it runs), not injection into an unrelated process.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\KWFLPC.exe
      "C:\Users\Admin\AppData\Local\Temp\KWFLPC.exe"
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\wusa.exe
          wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
          - Drops file in System32 directory
          - Drops file in Windows directory
  - [2] C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\migwiz\migwiz.exe
          "C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\System32\reg.exe
              C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              - Modifies registry key
- [1] C:\Windows\system32\verclsid.exe
      "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
- [1] C:\Windows\System32\Notepad.exe
      "C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\888.vbs
      - Opens file in notepad (likely ransom note)
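The tree above is the classic Windows 7 UAC bypass: wusa.exe (auto-elevated on Windows 7) extracts 64.cab into C:\Windows\system32\migwiz\, which is where the dropped cryptbase.dll listed under Downloads lands; 888.vbs then starts migwiz.exe (also auto-elevated), which picks up that cryptbase.dll from its own directory ("Loads dropped DLL") and runs reg.exe to set EnableLUA to 0, turning UAC off at the next logon. The following detection script is an added example, not part of the sandbox report: it runs three rules over process-creation records shaped like the tree (the wusa /extract write into the Windows directory, the EnableLUA=0 registry write, and the chain linking them through a parent that lives in the extracted-into directory). The ProcEvent fields and the sample records are constructed here from the report's PIDs and command lines; map the fields to your own telemetry (Sysmon Event ID 1 or EDR process events) as needed.

```python
"""Detect the wusa.exe /extract -> auto-elevated host sideload -> EnableLUA=0 chain.

Added example modelled on the sandbox process tree; field names and the sample
records below are constructed, not taken from any product's schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # its command line


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# wusa.exe's /extract:<dir> switch (present on Windows 7).
EXTRACT_RE = re.compile(r"/extract:(?P<dst>\S+)", re.IGNORECASE)
# reg.exe ADD ...\Policies\System /v EnableLUA ... /d 0
ENABLELUA_RE = re.compile(
    r"\bADD\b.*Policies\\System\b.*/v\s+EnableLUA\b.*/d\s+0\b", re.IGNORECASE)


def wusa_extract_into_windows(ev):
    """Rule 1: wusa.exe extracting a cabinet somewhere under <drive>:\\Windows\\.
    Returns the normalised target directory, or None."""
    if basename(ev.image) != "wusa.exe":
        return None
    m = EXTRACT_RE.search(ev.cmdline)
    if not m:
        return None
    dst = m.group("dst").rstrip("\\").lower()
    return dst if re.match(r"^[a-z]:\\windows\\", dst) else None


def disables_uac(ev):
    """Rule 2: reg.exe writing EnableLUA=0 (UAC off after the next logon)."""
    return basename(ev.image) == "reg.exe" and ENABLELUA_RE.search(ev.cmdline) is not None


def ancestors(by_pid, pid):
    """Yield parent, grandparent, ... by following ppid links; stops on unknown pid or loop."""
    seen = {pid}
    ev = by_pid.get(pid)
    while ev is not None and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid.get(ev.ppid)
        if ev is not None:
            yield ev


def root_of(by_pid, pid):
    """Top-most known ancestor (the dropped sample itself in the report)."""
    top = by_pid[pid]
    for anc in ancestors(by_pid, pid):
        top = anc
    return top


def detect(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    extractions = {}  # root pid -> [(wusa event, target dir)]
    for ev in events:
        dst = wusa_extract_into_windows(ev)
        if dst:
            extractions.setdefault(root_of(by_pid, ev.pid).pid, []).append((ev, dst))
            findings.append({"rule": "wusa_extract_into_windows", "pid": ev.pid, "target": dst})
    for ev in events:
        if not disables_uac(ev):
            continue
        findings.append({"rule": "uac_disabled_via_reg", "pid": ev.pid})
        root = root_of(by_pid, ev.pid)
        # Rule 3: some ancestor of the reg.exe write runs from a directory that a
        # wusa.exe under the same root extracted into -> DLL sideload chain.
        for anc in ancestors(by_pid, ev.pid):
            anc_dir = anc.image.rsplit("\\", 1)[0].lower()
            for wusa_ev, dst in extractions.get(root.pid, []):
                if anc_dir == dst:
                    findings.append({"rule": "wusa_sideload_uac_bypass", "root": root.pid,
                                     "wusa_pid": wusa_ev.pid, "elevated_host": basename(anc.image),
                                     "reg_pid": ev.pid})
    return findings


# Constructed sample records following the report's tree (PIDs from the report).
REG_CMD = (r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f")
SAMPLE_EVENTS = [
    ProcEvent(1052, 0, r"C:\Users\Admin\AppData\Local\Temp\KWFLPC.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\KWFLPC.exe"'),
    ProcEvent(912, 1052, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab"
              r" /quiet /extract:C:\Windows\system32\migwiz" + "\\ & exit"),
    ProcEvent(956, 912, r"C:\Windows\system32\wusa.exe",
              r"wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet"
              r" /extract:C:\Windows\system32\migwiz" + "\\"),
    ProcEvent(1056, 1052, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"'),
    ProcEvent(1968, 1056, r"C:\Windows\System32\migwiz\migwiz.exe",
              r'"C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c ' + REG_CMD),
    ProcEvent(1964, 1968, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\cmd.exe /c " + REG_CMD),
    ProcEvent(1764, 1964, r"C:\Windows\System32\reg.exe", REG_CMD),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Rule 3 deliberately keys on "a parent that runs from the directory wusa.exe just wrote into" rather than on the names migwiz.exe or cryptbase.dll, so the same logic covers other auto-elevated hosts and other DLL names; the two narrower rules still fire on their own when the chain is broken across sessions or the parent link is missing.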
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\64.cab
  Filesize: 49KB
  MD5: 8cfa6b4acd035a2651291a2a4623b1c7
  SHA1: 43571537bf2ce9f8e8089fadcbf876eaf4cf3ae9
  SHA256: 6e438201a14a70980048d2377c2195608d5dc2cf915f489c0a59ac0627c98fa9
  SHA512: e0a73401ce74c8db69964ef5a53f2a1b8caf8c739359785970295dae82619e81c0a21466327a023cf4009e0c15981a20bf1e18c73821083908fce722faa82685
- C:\Users\Admin\AppData\Local\Temp\888.vbs
  Filesize: 280B
  MD5: 8be57121a3ecae9c90cce4adf00f2454
  SHA1: aca585c1b6409bc2475f011a436b319e42b356d8
  SHA256: 35d7204f9582b63b47942a4df9a55b8825b6d0af295b641f6257c39f7dda5f5e
  SHA512: 85521f6cd62dd5bb848933a188a9ddb83dd7ae2c5f4a97b65ba7785c3d58dba27694c7df308f4cf0fdaaa8c55251ff14ed1632e315a16d8d0b15217bac381f72
- C:\Windows\System32\migwiz\CRYPTBASE.dll
  Filesize: 106KB
  MD5: 1deeaa34fc153cffb989ab43aa2b0527
  SHA1: 7a58958483aa86d29cba8fc20566c770e1989953
  SHA256: c3cfa6c00f3d2536c640f1ee6df3f289818628c0e290be2f08df2c330097158a
  SHA512: abbd5e28096a981a1d07a38bb1808fab590d78a890fc7960a86d8d9a1ae0c597eab655a2457d61afbfbce8c720965b89c1071759b819168b08058ee5be17dc86
- \Windows\System32\migwiz\cryptbase.dll (same file as the entry above; identical hashes)
  Filesize: 106KB
  MD5: 1deeaa34fc153cffb989ab43aa2b0527
  SHA1: 7a58958483aa86d29cba8fc20566c770e1989953
  SHA256: c3cfa6c00f3d2536c640f1ee6df3f289818628c0e290be2f08df2c330097158a
  SHA512: abbd5e28096a981a1d07a38bb1808fab590d78a890fc7960a86d8d9a1ae0c597eab655a2457d61afbfbce8c720965b89c1071759b819168b08058ee5be17dc86
-
memory/912-55-0x0000000000000000-mapping.dmp
- memory/956-57-0x000007FEFC5C1000-0x000007FEFC5C3000-memory.dmp
  Filesize: 8KB
- memory/956-56-0x0000000000000000-mapping.dmp
- memory/1052-54-0x0000000076C81000-0x0000000076C83000-memory.dmp
  Filesize: 8KB
- memory/1056-59-0x0000000000000000-mapping.dmp
- memory/1764-69-0x0000000000000000-mapping.dmp
- memory/1964-68-0x0000000000000000-mapping.dmp
- memory/1968-62-0x0000000000000000-mapping.dmp
- memory/1968-64-0x000007FEF5BB1000-0x000007FEF5BB3000-memory.dmp
  Filesize: 8KB
- memory/1968-65-0x000007FEF6361000-0x000007FEF6363000-memory.dmp
  Filesize: 8KB