e4cf09e194478fe72f53d9a2b54be8f1ff6a383fb6d5115a394cbc54f347aa2b

Analysis

max time kernel
218s
max time network
254s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf[]Զǹ+ʮ׼[޸]/wg.exe
Size

1.3MB
MD5

358247032990d89f08c3fbd925a87f54
SHA1

d4838436e51711f8842a5dcc69cde3e66bcf3ba4
SHA256

69a0277a2130b1138f413ae58d456c9fbe35a31408b52dbef005b0ea8940d8cc
SHA512

1eeb8219c8530ce74b87991e10786d8c2ac4d9498a689c2f08dca52184059bd84723f339a8358cf0c6b69203f150eeeaecc4978a58afc0f4ca71612d4dc1b7de
SSDEEP

24576:N9xo5J35xAmxSPErgL8GPJQw//ajmJ2tfWAwBg7qv3C4caJqDRPFxb5jr6jQS:N85JjAmx7rgwAJp//aiJ2tLR734ca8b6

Score

8^/10

vmprotect

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	wg.exe
File created	C:\WINDOWS\system32\drivers\etc\hosts	wg.exe

Executes dropped EXE 1 IoCs

pid	Process
4216	CF½ø½ø×Ô¶¯¿ªÇ¹0524.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral4/memory/4888-132-0x0000000000400000-0x0000000000836000-memory.dmp	vmprotect
behavioral4/memory/4888-136-0x0000000000400000-0x0000000000836000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4712	4216	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4888	wg.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4888	wg.exe
4888	wg.exe
4888	wg.exe
4888	wg.exe
4216	CF½ø½ø×Ô¶¯¿ªÇ¹0524.exe
4216	CF½ø½ø×Ô¶¯¿ªÇ¹0524.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4216	4888	wg.exe	84
PID 4888 wrote to memory of 4216	4888	wg.exe	84
PID 4888 wrote to memory of 4216	4888	wg.exe	84

C:\Users\Admin\AppData\Local\Temp\cf[]Զǹ+ʮ׼[޸]\wg.exe
"C:\Users\Admin\AppData\Local\Temp\cf[]Զǹ+ʮ׼[޸]\wg.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\CF½ø½ø×Ô¶¯¿ªÇ¹0524.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\CF½ø½ø×Ô¶¯¿ªÇ¹0524.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 692
    3⤵
    - Program crash
    PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4216 -ip 4216
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4216 -ip 4216
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\CF½ø½ø×Ô¶¯¿ªÇ¹0524.exe

Filesize
1.8MB

MD5
3115214ce7e8c35b199b3174ad3a0582

SHA1
fcde16c3dbcab08fbdf6b6c91e06d0e1133c1c17

SHA256
5e5af924f5c0950286449dfceefdfa5fd504563d41ddbbe4a0daba280d1e5af5

SHA512
b6c329082a08e449f4d7a344afe176180e9c2d4875e1e16314ca5b246faf10daa77046851272fd8e9459fb285841e0e10f31b51d0278b025c1d63124b3f8cf75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\CF½ø½ø×Ô¶¯¿ªÇ¹0524.exe

Filesize
1.8MB

MD5
3115214ce7e8c35b199b3174ad3a0582

SHA1
fcde16c3dbcab08fbdf6b6c91e06d0e1133c1c17

SHA256
5e5af924f5c0950286449dfceefdfa5fd504563d41ddbbe4a0daba280d1e5af5

SHA512
b6c329082a08e449f4d7a344afe176180e9c2d4875e1e16314ca5b246faf10daa77046851272fd8e9459fb285841e0e10f31b51d0278b025c1d63124b3f8cf75

Download Submit
memory/4888-132-0x0000000000400000-0x0000000000836000-memory.dmp

Filesize
4.2MB

Download
memory/4888-136-0x0000000000400000-0x0000000000836000-memory.dmp

Filesize
4.2MB

Download