Analysis
max time kernel: 127s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 22-05-2022 03:13
Static task: static1
Behavioral task behavioral1: sample KWFLPC.exe, resource win7-20220414-en
Behavioral task behavioral2: sample KWFLPC.exe, resource win10v2004-20220414-en
Behavioral task behavioral3: sample out.exe, resource win7-20220414-en
Behavioral task behavioral4: sample out.exe, resource win10v2004-20220414-en
General
Target: KWFLPC.exe
Size: 423KB
MD5: 1cd8a018b6af07d08c22bd6429014b0e
SHA1: 1939f5b1f15389106b84cdfe51bf9f3ba6b3c473
SHA256: 6410f220fdbd34dae565f5fba45e85107741c13d19a91b3126e735fbe0425606
SHA512: b61df7dd7c5ff11345c6a3d4aacc00578c983769481872d08a08459765953688b0d67a9ce7bc1dcdfeadc64e274581a8129689098e35f26ab32bbf208d76bdb5
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: KWFLPC.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | KWFLPC.exe
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: KWFLPC.exe
  description | ioc | process
  File opened (read-only) | \??\w: | KWFLPC.exe
  File opened (read-only) | \??\l: | KWFLPC.exe
  File opened (read-only) | \??\q: | KWFLPC.exe
  File opened (read-only) | \??\j: | KWFLPC.exe
  File opened (read-only) | \??\p: | KWFLPC.exe
  File opened (read-only) | \??\s: | KWFLPC.exe
  File opened (read-only) | \??\a: | KWFLPC.exe
  File opened (read-only) | \??\b: | KWFLPC.exe
  File opened (read-only) | \??\i: | KWFLPC.exe
  File opened (read-only) | \??\o: | KWFLPC.exe
  File opened (read-only) | \??\t: | KWFLPC.exe
  File opened (read-only) | \??\u: | KWFLPC.exe
  File opened (read-only) | \??\z: | KWFLPC.exe
  File opened (read-only) | \??\g: | KWFLPC.exe
  File opened (read-only) | \??\h: | KWFLPC.exe
  File opened (read-only) | \??\k: | KWFLPC.exe
  File opened (read-only) | \??\m: | KWFLPC.exe
  File opened (read-only) | \??\n: | KWFLPC.exe
  File opened (read-only) | \??\r: | KWFLPC.exe
  File opened (read-only) | \??\v: | KWFLPC.exe
  File opened (read-only) | \??\x: | KWFLPC.exe
  File opened (read-only) | \??\e: | KWFLPC.exe
  File opened (read-only) | \??\f: | KWFLPC.exe
  File opened (read-only) | \??\y: | KWFLPC.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: KWFLPC.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" | KWFLPC.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Control Panel (1 IoC)
Processes: KWFLPC.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop | KWFLPC.exe
- Modifies registry class (1 IoC)
Processes: KWFLPC.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | KWFLPC.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: KWFLPC.exe
  pid | process
  3416 | KWFLPC.exe (64 identical entries, all from PID 3416)
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes: KWFLPC.exe, cmd.exe
  description | pid | process | target process
  PID 3416 wrote to memory of 3980 | 3416 | KWFLPC.exe | cmd.exe
  PID 3416 wrote to memory of 3980 | 3416 | KWFLPC.exe | cmd.exe
  PID 3980 wrote to memory of 3020 | 3980 | cmd.exe | wusa.exe
  PID 3980 wrote to memory of 3020 | 3980 | cmd.exe | wusa.exe
  PID 3416 wrote to memory of 4212 | 3416 | KWFLPC.exe | WScript.exe
  PID 3416 wrote to memory of 4212 | 3416 | KWFLPC.exe | WScript.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\KWFLPC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\KWFLPC.exe"
  - Checks computer location settings
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\system32\wusa.exe
      Command line: wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
  (depth 2) C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
(depth 1) C:\Windows\System32\rundll32.exe (separate top-level process, not a child of the sample)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
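The signatures above and the process tree are the raw evidence; what a triager wants is a small set of rules that turn them into findings. The following is an added example by the editor, not the sandbox's own signature engine and not code from the sample. It encodes four of the behaviours this page records as checks over event records: the Geo\Nation registry read, a wallpaper value pointing into the user's Temp directory, a wusa.exe /extract whose destination is under C:\Windows (the auto-elevating wusa.exe extracting a CAB from a user-writable path into a System32 subdirectory is the well-known UAC-bypass/DLL-planting pattern; that classification is the editor's reading of the command, the report itself only records that it ran and, since no 64.cab appears under Downloads and /extract was removed from wusa.exe in Windows 10, does not show the extraction succeeding on this win10v2004 task), and the sweep of drive-letter roots. The event records are constructed from the IoCs printed on this page; the record layout (kind, pid, process, key, value, cmdline, path) is an assumption of this example, not a sandbox export format.

```python
"""Triage rules for the behaviours this report lists (editor's added example).

Not the sandbox's own code. Event records below are constructed from the IoCs
printed in the report; the record layout is an assumption of this example.
"""
import re

SID = r"\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000"

# Constructed from the Signatures and Processes sections of the report.
EVENTS = [
    {"kind": "reg_query", "pid": 3416, "process": "KWFLPC.exe",
     "key": SID + r"\Control Panel\International\Geo\Nation"},
    {"kind": "reg_set", "pid": 3416, "process": "KWFLPC.exe",
     "key": SID + r"\Control Panel\Desktop\Wallpaper",
     "value": r"C:\Users\Admin\AppData\Local\Temp\wl.jpg"},
    {"kind": "process_create", "pid": 3980, "parent_pid": 3416, "process": "cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab"
                r" /quiet /extract:C:\Windows\system32\migwiz\ & exit"},
    {"kind": "process_create", "pid": 3020, "parent_pid": 3980, "process": "wusa.exe",
     "cmdline": r"wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet"
                r" /extract:C:\Windows\system32\migwiz" + "\\"},
    {"kind": "process_create", "pid": 4212, "parent_pid": 3416, "process": "WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"'},
]
# The 24 read-only root-directory opens from "Enumerates connected drives".
EVENTS += [{"kind": "file_open", "pid": 3416, "process": "KWFLPC.exe",
            "path": "\\??\\" + d + ":"}
           for d in "wlqjpsabiotuzghkmnrvxefy"]

TEMP_DIR = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
WUSA_EXTRACT = re.compile(r"\bwusa(?:\.exe)?\b.*?/extract:(?P<dest>\S+)", re.IGNORECASE)
PROTECTED_DIR = re.compile(r"^[A-Z]:\\Windows\\", re.IGNORECASE)
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$", re.IGNORECASE)


def geofence_lookup(events):
    """Registry reads of the configured country code (Control Panel\\International\\Geo\\Nation)."""
    return [e for e in events if e["kind"] == "reg_query"
            and e["key"].lower().endswith(r"\control panel\international\geo\nation")]


def wallpaper_from_user_temp(events):
    """Wallpaper value pointing at a file under the user's Temp directory, i.e. one the sample could have dropped."""
    return [e for e in events if e["kind"] == "reg_set"
            and e["key"].lower().endswith(r"\control panel\desktop\wallpaper")
            and TEMP_DIR.search(e.get("value", ""))]


def wusa_extract_into_windows_dir(events):
    """wusa.exe /extract whose destination is under %SystemRoot%.

    Returns (pid, destination) pairs. wusa.exe auto-elevates, so extracting a
    CAB from a user-writable path into C:\\Windows is the classic UAC-bypass /
    DLL-planting pattern. Only the command is matched; success is not inferred.
    """
    hits = []
    for e in events:
        if e["kind"] != "process_create":
            continue
        m = WUSA_EXTRACT.search(e["cmdline"])
        if m and PROTECTED_DIR.match(m.group("dest")):
            hits.append((e["pid"], m.group("dest")))
    return hits


def drive_sweep(events, min_letters=8):
    """Root-directory opens across many drive letters; returns the letters if at least min_letters were touched."""
    letters = set()
    for e in events:
        if e["kind"] == "file_open":
            m = DRIVE_ROOT.match(e["path"])
            if m:
                letters.add(m.group(1).lower())
    return sorted(letters) if len(letters) >= min_letters else []


def triage(events):
    """Return only the rules that fired, keyed by rule name, with their evidence."""
    findings = {
        "geofence_lookup": geofence_lookup(events),
        "wallpaper_from_user_temp": wallpaper_from_user_temp(events),
        "wusa_extract_into_windows_dir": wusa_extract_into_windows_dir(events),
        "drive_sweep": drive_sweep(events),
    }
    return {name: hits for name, hits in findings.items() if hits}


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
```

Run against the constructed events, all four rules fire: one Geo\Nation read, one wallpaper set to wl.jpg in Temp, two wusa /extract commands (the cmd.exe wrapper and wusa.exe itself, both with destination C:\Windows\system32\migwiz\), and a 24-letter drive sweep. The drive-letter threshold is deliberately a parameter: a backup agent touching two removable drives should not trip it, a sample opening a: through z: should.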
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\888.vbs
  Filesize: 280B
  MD5: 8be57121a3ecae9c90cce4adf00f2454
  SHA1: aca585c1b6409bc2475f011a436b319e42b356d8
  SHA256: 35d7204f9582b63b47942a4df9a55b8825b6d0af295b641f6257c39f7dda5f5e
  SHA512: 85521f6cd62dd5bb848933a188a9ddb83dd7ae2c5f4a97b65ba7785c3d58dba27694c7df308f4cf0fdaaa8c55251ff14ed1632e315a16d8d0b15217bac381f72
memory/3020-131-0x0000000000000000-mapping.dmp
memory/3980-130-0x0000000000000000-mapping.dmp
memory/4212-132-0x0000000000000000-mapping.dmp