6410f220fdbd34dae565f5fba45e85107741c13d19a91b3126e735fbe0425606

General

Target

KWFLPC.exe
Size

423KB
MD5

1cd8a018b6af07d08c22bd6429014b0e
SHA1

1939f5b1f15389106b84cdfe51bf9f3ba6b3c473
SHA256

6410f220fdbd34dae565f5fba45e85107741c13d19a91b3126e735fbe0425606
SHA512

b61df7dd7c5ff11345c6a3d4aacc00578c983769481872d08a08459765953688b0d67a9ce7bc1dcdfeadc64e274581a8129689098e35f26ab32bbf208d76bdb5

Score

7^/10

ransomware spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

KWFLPC.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation KWFLPC.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	KWFLPC.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

KWFLPC.exe

description	ioc	process
File opened (read-only)	\??\w:	KWFLPC.exe
File opened (read-only)	\??\l:	KWFLPC.exe
File opened (read-only)	\??\q:	KWFLPC.exe
File opened (read-only)	\??\j:	KWFLPC.exe
File opened (read-only)	\??\p:	KWFLPC.exe
File opened (read-only)	\??\s:	KWFLPC.exe
File opened (read-only)	\??\a:	KWFLPC.exe
File opened (read-only)	\??\b:	KWFLPC.exe
File opened (read-only)	\??\i:	KWFLPC.exe
File opened (read-only)	\??\o:	KWFLPC.exe
File opened (read-only)	\??\t:	KWFLPC.exe
File opened (read-only)	\??\u:	KWFLPC.exe
File opened (read-only)	\??\z:	KWFLPC.exe
File opened (read-only)	\??\g:	KWFLPC.exe
File opened (read-only)	\??\h:	KWFLPC.exe
File opened (read-only)	\??\k:	KWFLPC.exe
File opened (read-only)	\??\m:	KWFLPC.exe
File opened (read-only)	\??\n:	KWFLPC.exe
File opened (read-only)	\??\r:	KWFLPC.exe
File opened (read-only)	\??\v:	KWFLPC.exe
File opened (read-only)	\??\x:	KWFLPC.exe
File opened (read-only)	\??\e:	KWFLPC.exe
File opened (read-only)	\??\f:	KWFLPC.exe
File opened (read-only)	\??\y:	KWFLPC.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

KWFLPC.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"	KWFLPC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Control Panel 1 IoCs
evasion

Processes:

KWFLPC.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop KWFLPC.exe
Modifies registry class 1 IoCs

Processes:

KWFLPC.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings KWFLPC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop	KWFLPC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	KWFLPC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

KWFLPC.exe

pid	process
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe
3416	KWFLPC.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

KWFLPC.execmd.exe

description	pid	process	target process
PID 3416 wrote to memory of 3980	3416	KWFLPC.exe	cmd.exe
PID 3416 wrote to memory of 3980	3416	KWFLPC.exe	cmd.exe
PID 3980 wrote to memory of 3020	3980	cmd.exe	wusa.exe
PID 3980 wrote to memory of 3020	3980	cmd.exe	wusa.exe
PID 3416 wrote to memory of 4212	3416	KWFLPC.exe	WScript.exe
PID 3416 wrote to memory of 4212	3416	KWFLPC.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\KWFLPC.exe
"C:\Users\Admin\AppData\Local\Temp\KWFLPC.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\system32\wusa.exe
wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
3⤵
PID:3020

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
2⤵
PID:4212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\888.vbs
Filesize
280B

MD5
8be57121a3ecae9c90cce4adf00f2454

SHA1
aca585c1b6409bc2475f011a436b319e42b356d8

SHA256
35d7204f9582b63b47942a4df9a55b8825b6d0af295b641f6257c39f7dda5f5e

SHA512
85521f6cd62dd5bb848933a188a9ddb83dd7ae2c5f4a97b65ba7785c3d58dba27694c7df308f4cf0fdaaa8c55251ff14ed1632e315a16d8d0b15217bac381f72

Download Submit
memory/3020-131-0x0000000000000000-mapping.dmp

Download
memory/3980-130-0x0000000000000000-mapping.dmp

Download
memory/4212-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads