261c71f78bb6c164c4bfb65e4621f74ee0723e1ba39cf6281aa2b133f62da5e5

Analysis

max time kernel
150s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2022, 20:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

261c71f78bb6c164c4bfb65e4621f74ee0723e1ba39cf6281aa2b133f62da5e5.exe
Size

867KB
MD5

cfb7c0539dab1b742392fc2faf2663bd
SHA1

a3022a73527089d9687dd43d1c32b82ef1ce76e0
SHA256

261c71f78bb6c164c4bfb65e4621f74ee0723e1ba39cf6281aa2b133f62da5e5
SHA512

4157d25fb3097595760b1b91a8fbb8290227f314429b2a77e6242df413689f1512bf184796f23b5770b220304c8ac3380ad65a68687b268f13b8fcca770bd756
SSDEEP

12288:SV+mz3b38lrV6avz6jJnoKdN3HBCf4wzuNE36svt0/2CyPiAoia9qHj5mgOqnTCf:S8C386jvdhHBCAzuIBFd9K5fOJmHHHK

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2460	ygejql.exe
2188	Wywz.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	261c71f78bb6c164c4bfb65e4621f74ee0723e1ba39cf6281aa2b133f62da5e5.exe

Loads dropped DLL 1 IoCs

pid	Process
2188	Wywz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Keyboard\Native Media Players	Wywz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Keyboard\Native Media Players\WMP	Wywz.exe
Key created	\REGISTRY\USER\.DEFAULT	Wywz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Wywz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Wywz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Keyboard	Wywz.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31DFC29E-B1E0-4e04-9578-8259D5601188}\ = "Eraser Shell Extension"	Wywz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31DFC29E-B1E0-4e04-9578-8259D5601188}\InProcServer32	Wywz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WYWZextMenu	Wywz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WYWZextMenu\CLSID	Wywz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WYWZext	Wywz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WYWZext	Wywz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31DFC29E-B1E0-4e04-9578-8259D5601188}\ProgID	Wywz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WYWZext	Wywz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\WYWZext	Wywz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\WYWZext\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wywz.exe\" -recycled -results"	Wywz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31DFC29E-B1E0-4e04-9578-8259D5601188}	Wywz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WYWZextMenu\CLSID\ = "{31DFC29E-B1E0-4e04-9578-8259D5601188}"	Wywz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WYWZext\ = "{31DFC29E-B1E0-4e04-9578-8259D5601188}"	Wywz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WYWZext\ = "{31DFC29E-B1E0-4e04-9578-8259D5601188}"	Wywz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\WYWZext\ = "ÓÃ¡¼WYWZ¡½²Á³ý»ØÊÕÕ¾(&E)"	Wywz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\WYWZext\command	Wywz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WYWZext\ = "{31DFC29E-B1E0-4e04-9578-8259D5601188}"	Wywz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31DFC29E-B1E0-4e04-9578-8259D5601188}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Erasext.dll"	Wywz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31DFC29E-B1E0-4e04-9578-8259D5601188}\InProcServer32\ThreadingModel = "Apartment"	Wywz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31DFC29E-B1E0-4e04-9578-8259D5601188}\ProgID\ = "WYWZextMenu"	Wywz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WYWZextMenu\ = "WYWZextMenu"	Wywz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\WYWZext	Wywz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\WYWZext\ = "{31DFC29E-B1E0-4e04-9578-8259D5601188}"	Wywz.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2188	Wywz.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe
2460	ygejql.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2188	Wywz.exe
2188	Wywz.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2460	764	261c71f78bb6c164c4bfb65e4621f74ee0723e1ba39cf6281aa2b133f62da5e5.exe	82
PID 764 wrote to memory of 2460	764	261c71f78bb6c164c4bfb65e4621f74ee0723e1ba39cf6281aa2b133f62da5e5.exe	82
PID 764 wrote to memory of 2460	764	261c71f78bb6c164c4bfb65e4621f74ee0723e1ba39cf6281aa2b133f62da5e5.exe	82
PID 2460 wrote to memory of 2188	2460	ygejql.exe	83
PID 2460 wrote to memory of 2188	2460	ygejql.exe	83
PID 2460 wrote to memory of 2188	2460	ygejql.exe	83

C:\Users\Admin\AppData\Local\Temp\261c71f78bb6c164c4bfb65e4621f74ee0723e1ba39cf6281aa2b133f62da5e5.exe
"C:\Users\Admin\AppData\Local\Temp\261c71f78bb6c164c4bfb65e4621f74ee0723e1ba39cf6281aa2b133f62da5e5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\ygejql.exe
  "C:\Users\Admin\AppData\Local\Temp\ygejql.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\Wywz.exe
    Wywz.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Config.def

Filesize
286B

MD5
83321f4f5464b1646d1e4a3585f44969

SHA1
4177fa9218b62d14a0341d1ae28ab413b509f4b8

SHA256
7e482396523ce45e98f4d583f899b41b98890d9e5f6fd54675c891a9fee4b9a2

SHA512
7b8e18ba5e0453cd35b90f0f4eedfe478e19008381f708c2b133dd4dab7cc2a716ec0b6dcaa3a8cd95f6852fe66a2671cf703f14bd9f503f42ebb34f0848e045

Download Submit
C:\Users\Admin\AppData\Local\Temp\ERASER.dll

Filesize
440KB

MD5
0f98c73634abac303e6dc32eabcde855

SHA1
df0f198098383b052bc3242ce71d4f65647dbd11

SHA256
2fcc6a234b243feef02d83c32c63472069c0a5b25aaeb983e250e254408b9a09

SHA512
c3eef986cf1e7eab7cb04896d0bc5f89886e557a46c22a0cd79d0769005c422c6ba939a43722b16f7929032fb91f47b764471ed9f32e8b8886215d9aed10f42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eraser.dll

Filesize
440KB

MD5
0f98c73634abac303e6dc32eabcde855

SHA1
df0f198098383b052bc3242ce71d4f65647dbd11

SHA256
2fcc6a234b243feef02d83c32c63472069c0a5b25aaeb983e250e254408b9a09

SHA512
c3eef986cf1e7eab7cb04896d0bc5f89886e557a46c22a0cd79d0769005c422c6ba939a43722b16f7929032fb91f47b764471ed9f32e8b8886215d9aed10f42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Erasext.dll

Filesize
220KB

MD5
0fe38a0fe46fb49bad510fbbf12dc3ec

SHA1
ffca059e6b1b4a15366483c701ffd5109f931378

SHA256
a3651f3400486ce730d60ad56aa7eac6d0b2caa85ad1c16a8ad6ac3d02531e11

SHA512
86e1db99a7c0e095362f486f81071a8302907d0ea9022607694b2c9c0b1b7fc8ce98550e7b8a0017d409a41a6c6e3c1850ef71ce19b905608826e2970419962b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wywz.exe

Filesize
600KB

MD5
d60cda173a484ed3861f8b95efe43b6b

SHA1
f91daa272390f2d7cefdb4610d296b5c1d7aa99e

SHA256
b059e0c1fa26a84ac10a85b80282c37ae18fcd6f5bf3154f41b77cde8174e9fc

SHA512
6c8b23de80272d0025c98d83a875e17619d4acf4ab28d07afa42f6289087e300cd1a750cb79d01eaf10429d98aec525634f8120f5ab2cd3632456673da9ee880

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wywz.exe

Filesize
600KB

MD5
d60cda173a484ed3861f8b95efe43b6b

SHA1
f91daa272390f2d7cefdb4610d296b5c1d7aa99e

SHA256
b059e0c1fa26a84ac10a85b80282c37ae18fcd6f5bf3154f41b77cde8174e9fc

SHA512
6c8b23de80272d0025c98d83a875e17619d4acf4ab28d07afa42f6289087e300cd1a750cb79d01eaf10429d98aec525634f8120f5ab2cd3632456673da9ee880

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygejql.exe

Filesize
414KB

MD5
237612cfdadaec8be16d035ec6fd45ef

SHA1
eabdcd246f1ee20b16d526a1334dec28d57c5d5c

SHA256
b677c14ab77a68396f3c269f09a510865b59121a1f1d8598242de5a894eedd88

SHA512
94aeb356365e6727481ab0c9fef0a82d75f15843549bf741f8022580cf28a8ccdc28660bd43fea9cee6508253d250da330f1ae88b495f1ee47a75dd4d23701fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygejql.exe

Filesize
414KB

MD5
237612cfdadaec8be16d035ec6fd45ef

SHA1
eabdcd246f1ee20b16d526a1334dec28d57c5d5c

SHA256
b677c14ab77a68396f3c269f09a510865b59121a1f1d8598242de5a894eedd88

SHA512
94aeb356365e6727481ab0c9fef0a82d75f15843549bf741f8022580cf28a8ccdc28660bd43fea9cee6508253d250da330f1ae88b495f1ee47a75dd4d23701fb

Download Submit