106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe
Size

481KB
MD5

ddccc8bafccc484a5cdbda1af42b6424
SHA1

b9165f54c1556a40d045de86e717c00555ca3208
SHA256

106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd
SHA512

c4fda3ccc6139e83be19cf0156986a20ed613cf40407c92d0ec472ca4f3a2eda0f7439625193264d695b9e91aded534d6d0bb242fb66e06d095c8ed1121e5454
SSDEEP

6144:9splTJ5IH3JhAsPFMV10IRcXiklh25FfeLEaC/EHNGtMCzlpUXsNwHxNP7UD/A:MlTbwc10IZiY5leLE5uEqcNwxNP7yA

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

wz.exewz.exeiconAnimate.exeiconAnimate.exeiconTips.exe

pid process

2748 wz.exe
5084 wz.exe
1608 iconAnimate.exe
2324 iconAnimate.exe
3332 iconTips.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wz.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation wz.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

wz.exe

description ioc process

File opened for modification \??\PhysicalDrive0 wz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2748	wz.exe
5084	wz.exe
1608	iconAnimate.exe
2324	iconAnimate.exe
3332	iconTips.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wz.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	wz.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

wz.exe

pid	process
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe
5084	wz.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

iconAnimate.exeiconAnimate.exeiconTips.exe

description pid process

Token: SeDebugPrivilege 1608 iconAnimate.exe
Token: SeDebugPrivilege 2324 iconAnimate.exe
Token: SeDebugPrivilege 3332 iconTips.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

wz.exe

pid process

2748 wz.exe
2748 wz.exe

description	pid	process
Token: SeDebugPrivilege	1608	iconAnimate.exe
Token: SeDebugPrivilege	2324	iconAnimate.exe
Token: SeDebugPrivilege	3332	iconTips.exe

pid	process
2748	wz.exe
2748	wz.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exewz.exeiconAnimate.exeiconAnimate.exe

description	pid	process	target process
PID 2772 wrote to memory of 2748	2772	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 2772 wrote to memory of 2748	2772	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 2772 wrote to memory of 2748	2772	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 2772 wrote to memory of 5084	2772	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 2772 wrote to memory of 5084	2772	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 2772 wrote to memory of 5084	2772	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	wz.exe
PID 2748 wrote to memory of 1608	2748	wz.exe	iconAnimate.exe
PID 2748 wrote to memory of 1608	2748	wz.exe	iconAnimate.exe
PID 2748 wrote to memory of 1608	2748	wz.exe	iconAnimate.exe
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 1608 wrote to memory of 2456	1608	iconAnimate.exe	Explorer.EXE
PID 2772 wrote to memory of 2324	2772	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	iconAnimate.exe
PID 2772 wrote to memory of 2324	2772	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	iconAnimate.exe
PID 2772 wrote to memory of 2324	2772	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	iconAnimate.exe
PID 2772 wrote to memory of 3332	2772	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	iconTips.exe
PID 2772 wrote to memory of 3332	2772	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	iconTips.exe
PID 2772 wrote to memory of 3332	2772	106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe	iconTips.exe
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE
PID 2324 wrote to memory of 2456	2324	iconAnimate.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe
"C:\Users\Admin\AppData\Local\Temp\106d9665769d80be6fd48f2743483ad69503e3f5df72cc0439eec117eac099dd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
"C:\Users\Admin\AppData\Roaming\37wan\wz\wz.exe" /autorun /setuprun
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
"C:\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
"C:\Users\Admin\AppData\Roaming\37wan\wz\wz.exe" /setupsucc
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:5084

C:\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
C:\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Roaming\37wan\wz\iconTips.exe
C:\Users\Admin\AppData\Roaming\37wan\wz\iconTips.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\37wan\wz\Lander.ini
Filesize
434B

MD5
fb599d151ff262106ff97eb64128ad7a

SHA1
56512057ddedcbd53efb33e235c669e88377be3a

SHA256
9f77cccbbe0b1611c14ad0b65c103d3a94aaa6a2c458561a6611d19ff60a1cfa

SHA512
2beab522f29e4b52ed473e10b8da97ded884b30fc1a22c848ee6047db0dba0199598b1dd9f252861fe3480a90c965afa874f123e410050ca53d3c99268158e41

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\Lander.ini
Filesize
434B

MD5
fb599d151ff262106ff97eb64128ad7a

SHA1
56512057ddedcbd53efb33e235c669e88377be3a

SHA256
9f77cccbbe0b1611c14ad0b65c103d3a94aaa6a2c458561a6611d19ff60a1cfa

SHA512
2beab522f29e4b52ed473e10b8da97ded884b30fc1a22c848ee6047db0dba0199598b1dd9f252861fe3480a90c965afa874f123e410050ca53d3c99268158e41

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
Filesize
235KB

MD5
5167194a71fff34bb8d770ceaca8a6f8

SHA1
fed6de7db7776638617b77c6b71203914eb53b0f

SHA256
8250ed63a3fdbc4c479906f0da0893c83ea7deb8d81a9fef79e7d3fe5a3e78d9

SHA512
4723bfd5c37280e98e0cd100b48ce2c427dcdc60dc9f6c375785f9a55d345638227612aaf8f5bfde303a6a1712486859bc2c79635aa73a15d3983fb497156bc8

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
Filesize
235KB

MD5
5167194a71fff34bb8d770ceaca8a6f8

SHA1
fed6de7db7776638617b77c6b71203914eb53b0f

SHA256
8250ed63a3fdbc4c479906f0da0893c83ea7deb8d81a9fef79e7d3fe5a3e78d9

SHA512
4723bfd5c37280e98e0cd100b48ce2c427dcdc60dc9f6c375785f9a55d345638227612aaf8f5bfde303a6a1712486859bc2c79635aa73a15d3983fb497156bc8

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\iconAnimate.exe
Filesize
235KB

MD5
5167194a71fff34bb8d770ceaca8a6f8

SHA1
fed6de7db7776638617b77c6b71203914eb53b0f

SHA256
8250ed63a3fdbc4c479906f0da0893c83ea7deb8d81a9fef79e7d3fe5a3e78d9

SHA512
4723bfd5c37280e98e0cd100b48ce2c427dcdc60dc9f6c375785f9a55d345638227612aaf8f5bfde303a6a1712486859bc2c79635aa73a15d3983fb497156bc8

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\iconTips.exe
Filesize
267KB

MD5
ea46e372c56e5196467f59156f5e8623

SHA1
ec86ba62ea412a14e676ccd62c85ae256c4713ba

SHA256
2efb0d881f2a919994c89e22e7b6114f6f9ec52efc6fd6e7d8bd3abfb2390e0f

SHA512
833baca0e66e5bfc3f7247fb32395a751684b1afeafef0786e81462db56630709b1317505d8e5a9313f20f31690f30fb212c51e8bb2f267ad981b8bfafa21c4c

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\iconTips.exe
Filesize
267KB

MD5
ea46e372c56e5196467f59156f5e8623

SHA1
ec86ba62ea412a14e676ccd62c85ae256c4713ba

SHA256
2efb0d881f2a919994c89e22e7b6114f6f9ec52efc6fd6e7d8bd3abfb2390e0f

SHA512
833baca0e66e5bfc3f7247fb32395a751684b1afeafef0786e81462db56630709b1317505d8e5a9313f20f31690f30fb212c51e8bb2f267ad981b8bfafa21c4c

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
Filesize
2.0MB

MD5
700c030a09ce92d03a187e2b0d4324e6

SHA1
0fd4a401e98b5f47c3bb5ef75e054eb24c81ff83

SHA256
88739dc040e7f717ebd06d2b992b39a8d3b42dddcdf6f82e2de0d369342fc122

SHA512
c10e9f2bffb5a89ccd213a75fe85c8b4145ff74b4e57eec043c375070f0d7f37f95ce7718ae03d24a75d49e0d5643551b2fdc6b65ea172810d17a798a6f175c6

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
Filesize
2.0MB

MD5
700c030a09ce92d03a187e2b0d4324e6

SHA1
0fd4a401e98b5f47c3bb5ef75e054eb24c81ff83

SHA256
88739dc040e7f717ebd06d2b992b39a8d3b42dddcdf6f82e2de0d369342fc122

SHA512
c10e9f2bffb5a89ccd213a75fe85c8b4145ff74b4e57eec043c375070f0d7f37f95ce7718ae03d24a75d49e0d5643551b2fdc6b65ea172810d17a798a6f175c6

Download Submit
C:\Users\Admin\AppData\Roaming\37wan\wz\wz.exe
Filesize
2.0MB

MD5
700c030a09ce92d03a187e2b0d4324e6

SHA1
0fd4a401e98b5f47c3bb5ef75e054eb24c81ff83

SHA256
88739dc040e7f717ebd06d2b992b39a8d3b42dddcdf6f82e2de0d369342fc122

SHA512
c10e9f2bffb5a89ccd213a75fe85c8b4145ff74b4e57eec043c375070f0d7f37f95ce7718ae03d24a75d49e0d5643551b2fdc6b65ea172810d17a798a6f175c6

Download Submit
memory/1608-140-0x0000000000000000-mapping.dmp

Download
memory/2324-142-0x0000000000000000-mapping.dmp

Download
memory/2748-132-0x0000000000000000-mapping.dmp

Download
memory/3332-144-0x0000000000000000-mapping.dmp

Download
memory/5084-133-0x0000000000000000-mapping.dmp

Download