b0352074c6f0556acf2215aa41e485085b1c7561f645f1d314a570acd31ccc1b

Analysis

max time kernel
143s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2014-12-22 #32/439dce6b40c39157a046563bcb5e3a6a.exe
Size

664KB
MD5

439dce6b40c39157a046563bcb5e3a6a
SHA1

bd05604e465336df74df40bef6b6fbc3b360573a
SHA256

d72393d84be2be8fd53c5172a88327f47dee3c5276ca2a193b403ccc90308236
SHA512

f37e5e5c535284537b1f819da586c3166bd0e2e85c962b361f8e8c96f05958092cd1c093899683ad8d18121727e30d60ddbfab302e281f8cf90e1d068bfceb3a
SSDEEP

12288:ZK2mhAMJ/cPl+zyeuW/xcznRZ6Ko1JL7ffM2HRmQmxx/w:Y2O/Gl+GVW5clMJL7ffdH0Q0/w

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Whatsapp spy tool.exewhatsapp.exewhatsapp.exe

pid process

4580 Whatsapp spy tool.exe
4964 whatsapp.exe
4820 whatsapp.exe

pid	process
4580	Whatsapp spy tool.exe
4964	whatsapp.exe
4820	whatsapp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

439dce6b40c39157a046563bcb5e3a6a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	439dce6b40c39157a046563bcb5e3a6a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

whatsapp.exe

description pid process target process

PID 4964 set thread context of 4820 4964 whatsapp.exe whatsapp.exe

description	pid	process	target process
PID 4964 set thread context of 4820	4964	whatsapp.exe	whatsapp.exe

Drops file in Program Files directory 5 IoCs

Processes:

439dce6b40c39157a046563bcb5e3a6a.exe

description	ioc	process
File created	C:\Program Files\__tmp_rar_sfx_access_check_240567421	439dce6b40c39157a046563bcb5e3a6a.exe
File created	C:\Program Files\whatsapp.exe	439dce6b40c39157a046563bcb5e3a6a.exe
File opened for modification	C:\Program Files\whatsapp.exe	439dce6b40c39157a046563bcb5e3a6a.exe
File created	C:\Program Files\Whatsapp spy tool.exe	439dce6b40c39157a046563bcb5e3a6a.exe
File opened for modification	C:\Program Files\Whatsapp spy tool.exe	439dce6b40c39157a046563bcb5e3a6a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3104 4820 WerFault.exe whatsapp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

whatsapp.exe

description pid process

Token: SeDebugPrivilege 4964 whatsapp.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

whatsapp.exe

pid process

4820 whatsapp.exe

pid	pid_target	process	target process
3104	4820	WerFault.exe	whatsapp.exe

description	pid	process
Token: SeDebugPrivilege	4964	whatsapp.exe

pid	process
4820	whatsapp.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

439dce6b40c39157a046563bcb5e3a6a.exewhatsapp.exe

description	pid	process	target process
PID 2004 wrote to memory of 4580	2004	439dce6b40c39157a046563bcb5e3a6a.exe	Whatsapp spy tool.exe
PID 2004 wrote to memory of 4580	2004	439dce6b40c39157a046563bcb5e3a6a.exe	Whatsapp spy tool.exe
PID 2004 wrote to memory of 4580	2004	439dce6b40c39157a046563bcb5e3a6a.exe	Whatsapp spy tool.exe
PID 2004 wrote to memory of 4964	2004	439dce6b40c39157a046563bcb5e3a6a.exe	whatsapp.exe
PID 2004 wrote to memory of 4964	2004	439dce6b40c39157a046563bcb5e3a6a.exe	whatsapp.exe
PID 2004 wrote to memory of 4964	2004	439dce6b40c39157a046563bcb5e3a6a.exe	whatsapp.exe
PID 4964 wrote to memory of 4820	4964	whatsapp.exe	whatsapp.exe
PID 4964 wrote to memory of 4820	4964	whatsapp.exe	whatsapp.exe
PID 4964 wrote to memory of 4820	4964	whatsapp.exe	whatsapp.exe
PID 4964 wrote to memory of 4820	4964	whatsapp.exe	whatsapp.exe
PID 4964 wrote to memory of 4820	4964	whatsapp.exe	whatsapp.exe
PID 4964 wrote to memory of 4820	4964	whatsapp.exe	whatsapp.exe
PID 4964 wrote to memory of 4820	4964	whatsapp.exe	whatsapp.exe
PID 4964 wrote to memory of 4820	4964	whatsapp.exe	whatsapp.exe
PID 4964 wrote to memory of 4820	4964	whatsapp.exe	whatsapp.exe

C:\Users\Admin\AppData\Local\Temp\2014-12-22 #32\439dce6b40c39157a046563bcb5e3a6a.exe
"C:\Users\Admin\AppData\Local\Temp\2014-12-22 #32\439dce6b40c39157a046563bcb5e3a6a.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Program Files\Whatsapp spy tool.exe
  "C:\Program Files\Whatsapp spy tool.exe"
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Program Files\whatsapp.exe
  "C:\Program Files\whatsapp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Program Files\whatsapp.exe
    "C:\Program Files\whatsapp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    PID:4820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 12
      4⤵
      Program crash
      PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4820 -ip 4820
1⤵
PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Whatsapp spy tool.exe

Filesize
398KB

MD5
84a8780b1647ca009326ebdfe99d464d

SHA1
1d1ecafd29e82d917967e910acca2e59c9a06e91

SHA256
84d248a74552ee81d5895b4de05ac6801b46eca6eaedbb46d3c41f2484cd2741

SHA512
4a7bf6ad1ab3ae9bcc1ecc6594c003e34f29c3e499d425c7ccd9ec531b5c8ffb87127d5d193d0a339fd62fff9903e40f3eea06f5bbc6368655620adfdc4dff1e

Download Submit
C:\Program Files\Whatsapp spy tool.exe

Filesize
398KB

MD5
84a8780b1647ca009326ebdfe99d464d

SHA1
1d1ecafd29e82d917967e910acca2e59c9a06e91

SHA256
84d248a74552ee81d5895b4de05ac6801b46eca6eaedbb46d3c41f2484cd2741

SHA512
4a7bf6ad1ab3ae9bcc1ecc6594c003e34f29c3e499d425c7ccd9ec531b5c8ffb87127d5d193d0a339fd62fff9903e40f3eea06f5bbc6368655620adfdc4dff1e

Download Submit
C:\Program Files\whatsapp.exe

Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
C:\Program Files\whatsapp.exe

Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
C:\Program Files\whatsapp.exe

Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
memory/4580-140-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/4580-138-0x0000000000D40000-0x0000000000DAA000-memory.dmp

Filesize
424KB

Download
memory/4580-139-0x0000000005780000-0x000000000581C000-memory.dmp

Filesize
624KB

Download
memory/4580-132-0x0000000000000000-mapping.dmp

Download
memory/4580-141-0x0000000005830000-0x00000000058C2000-memory.dmp

Filesize
584KB

Download
memory/4580-147-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/4580-148-0x0000000005A40000-0x0000000005A96000-memory.dmp

Filesize
344KB

Download
memory/4820-143-0x0000000000000000-mapping.dmp

Download
memory/4820-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4964-142-0x0000000072A90000-0x0000000073041000-memory.dmp

Filesize
5.7MB

Download
memory/4964-135-0x0000000000000000-mapping.dmp

Download
memory/4964-146-0x0000000072A90000-0x0000000073041000-memory.dmp

Filesize
5.7MB

Download