f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b

Analysis

max time kernel
193s
max time network
199s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe
Size

346KB
MD5

eeeda99977b129a5e2d40542564df03e
SHA1

d957db740670ec5222955e01de3b6afdfd8e4615
SHA256

f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b
SHA512

939461ada93524493ae96be29ee483d0180da8e7fce11e9055e85257c6c260603721743985a3bc803825c965fabe35db6cb296844a98ecf08ec54b683ed180c3
SSDEEP

6144:iyfgDv5drb/TeVCm/Twf5q0KvNxyo+b6hNe+rgB86CnkUUGwA:TgNxbk3QEvNxyo1tgy6CJ

Score

8^/10

bootkit persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1496	setup.exe
1320	Wiseman.exe
1580	Iiful.exe

Deletes itself 1 IoCs

pid	Process
1368	cmd.exe

Loads dropped DLL 7 IoCs

pid	Process
2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe
2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe
1496	setup.exe
1496	setup.exe
1496	setup.exe
1320	Wiseman.exe
1320	Wiseman.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	Wiseman.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wiseman = "C:\\nth\\Wiseman.exe"	Wiseman.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFM0N = "c:\\9TQ4M471TTMDL9V2\\Iiful.exe"	Iiful.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	Iiful.exe
File opened (read-only)	\??\b:	Iiful.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	Iiful.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Iiful.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Iiful.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
604	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1580	Iiful.exe
1580	Iiful.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	setup.exe
Token: SeDebugPrivilege	1496	setup.exe
Token: SeDebugPrivilege	1496	setup.exe
Token: SeDebugPrivilege	1580	Iiful.exe
Token: SeDebugPrivilege	1580	Iiful.exe
Token: SeDebugPrivilege	1580	Iiful.exe
Token: SeDebugPrivilege	1580	Iiful.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1496	setup.exe
1320	Wiseman.exe
1580	Iiful.exe
1320	Wiseman.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1496	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	28
PID 2040 wrote to memory of 1496	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	28
PID 2040 wrote to memory of 1496	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	28
PID 2040 wrote to memory of 1496	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	28
PID 2040 wrote to memory of 1496	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	28
PID 2040 wrote to memory of 1496	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	28
PID 2040 wrote to memory of 1496	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	28
PID 2040 wrote to memory of 1320	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	29
PID 2040 wrote to memory of 1320	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	29
PID 2040 wrote to memory of 1320	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	29
PID 2040 wrote to memory of 1320	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	29
PID 2040 wrote to memory of 1320	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	29
PID 2040 wrote to memory of 1320	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	29
PID 2040 wrote to memory of 1320	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	29
PID 2040 wrote to memory of 1368	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	30
PID 2040 wrote to memory of 1368	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	30
PID 2040 wrote to memory of 1368	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	30
PID 2040 wrote to memory of 1368	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	30
PID 2040 wrote to memory of 1368	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	30
PID 2040 wrote to memory of 1368	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	30
PID 2040 wrote to memory of 1368	2040	f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe	30
PID 1368 wrote to memory of 604	1368	cmd.exe	32
PID 1368 wrote to memory of 604	1368	cmd.exe	32
PID 1368 wrote to memory of 604	1368	cmd.exe	32
PID 1368 wrote to memory of 604	1368	cmd.exe	32
PID 1368 wrote to memory of 604	1368	cmd.exe	32
PID 1368 wrote to memory of 604	1368	cmd.exe	32
PID 1368 wrote to memory of 604	1368	cmd.exe	32
PID 1496 wrote to memory of 1580	1496	setup.exe	33
PID 1496 wrote to memory of 1580	1496	setup.exe	33
PID 1496 wrote to memory of 1580	1496	setup.exe	33
PID 1496 wrote to memory of 1580	1496	setup.exe	33
PID 1496 wrote to memory of 1580	1496	setup.exe	33
PID 1496 wrote to memory of 1580	1496	setup.exe	33
PID 1496 wrote to memory of 1580	1496	setup.exe	33

C:\Users\Admin\AppData\Local\Temp\f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe
"C:\Users\Admin\AppData\Local\Temp\f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\nth\setup.exe
  "C:\nth\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1496
- - \??\c:\9TQ4M471TTMDL9V2\Iiful.exe
    c:\9TQ4M471TTMDL9V2\Iiful.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1580
- C:\nth\Wiseman.exe
  "C:\nth\Wiseman.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:1320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ping -n 5 127.0.0.1&&del "C:\Users\Admin\AppData\Local\Temp\f83998fc434ea4af8c6c1ac4d34057d9eb4879f6343e4d2c0bdd59d1a876e44b.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\9TQ4M471TTMDL9V2\Iiful.exe

Filesize
39KB

MD5
93f2abed8dea90e7849a8bf157abd9c3

SHA1
975a77bd562964323dcc7913eaf87b7c45ac9a71

SHA256
861f8cda5dbf0ee736e25777095061c14a4c46a4ce36455a44dd8932fce039be

SHA512
2d709ecf7b0f5babe47fc9a168dde00bcee3974de3176c12ed6c55ee50e868574bc7a26b47da2d36feb2e7a8b96754c792fe9af3a10a202bc626f53b5844b8a1

Download Submit
C:\nth\Config.ini

Filesize
104KB

MD5
e8912106b826233dfecf83d4487a997b

SHA1
2f0c799f93539c0a91f56a50f2655e7d2c9cc95c

SHA256
a27cb95a0a09aad9fe880d33a9e08b02229299e3d67c60c9d344394b918a88f0

SHA512
cf3c80ca7048a2c7abbb48588c29fc9c556b23da72387b3db1a387871f4e4d889b2f5426deeb0ee345c77ac6b2ec4e90c12c991dcacfae49f74807d263ac7fcb

Download Submit
C:\nth\Setup.exe

Filesize
39KB

MD5
93f2abed8dea90e7849a8bf157abd9c3

SHA1
975a77bd562964323dcc7913eaf87b7c45ac9a71

SHA256
861f8cda5dbf0ee736e25777095061c14a4c46a4ce36455a44dd8932fce039be

SHA512
2d709ecf7b0f5babe47fc9a168dde00bcee3974de3176c12ed6c55ee50e868574bc7a26b47da2d36feb2e7a8b96754c792fe9af3a10a202bc626f53b5844b8a1

Download Submit
C:\nth\Wiseman.exe

Filesize
372KB

MD5
e6d6560e5c1c397089296424250b76e7

SHA1
4bcb5260c97686859d9518af737631c5ee9595a0

SHA256
940c30a08792ca54e94c2a1fe7cb3b852919be595d1b2c63e48c1ffb5707fd1e

SHA512
42923740204f17900992d9aaae2fb305e8e9d6c12338ef23c1b4b3a481214806a9e60cd417b1e0d6f8d0437bc7eb5c727842f656d866b62238293d9d4bb5e903

Download Submit
C:\nth\Wiseman.exe

Filesize
372KB

MD5
e6d6560e5c1c397089296424250b76e7

SHA1
4bcb5260c97686859d9518af737631c5ee9595a0

SHA256
940c30a08792ca54e94c2a1fe7cb3b852919be595d1b2c63e48c1ffb5707fd1e

SHA512
42923740204f17900992d9aaae2fb305e8e9d6c12338ef23c1b4b3a481214806a9e60cd417b1e0d6f8d0437bc7eb5c727842f656d866b62238293d9d4bb5e903

Download Submit
C:\nth\setup.exe

Filesize
39KB

MD5
93f2abed8dea90e7849a8bf157abd9c3

SHA1
975a77bd562964323dcc7913eaf87b7c45ac9a71

SHA256
861f8cda5dbf0ee736e25777095061c14a4c46a4ce36455a44dd8932fce039be

SHA512
2d709ecf7b0f5babe47fc9a168dde00bcee3974de3176c12ed6c55ee50e868574bc7a26b47da2d36feb2e7a8b96754c792fe9af3a10a202bc626f53b5844b8a1

Download Submit
\nth\Setup.exe

Filesize
39KB

MD5
93f2abed8dea90e7849a8bf157abd9c3

SHA1
975a77bd562964323dcc7913eaf87b7c45ac9a71

SHA256
861f8cda5dbf0ee736e25777095061c14a4c46a4ce36455a44dd8932fce039be

SHA512
2d709ecf7b0f5babe47fc9a168dde00bcee3974de3176c12ed6c55ee50e868574bc7a26b47da2d36feb2e7a8b96754c792fe9af3a10a202bc626f53b5844b8a1

Download Submit
\nth\Setup.exe

Filesize
39KB

MD5
93f2abed8dea90e7849a8bf157abd9c3

SHA1
975a77bd562964323dcc7913eaf87b7c45ac9a71

SHA256
861f8cda5dbf0ee736e25777095061c14a4c46a4ce36455a44dd8932fce039be

SHA512
2d709ecf7b0f5babe47fc9a168dde00bcee3974de3176c12ed6c55ee50e868574bc7a26b47da2d36feb2e7a8b96754c792fe9af3a10a202bc626f53b5844b8a1

Download Submit
\nth\Setup.exe

Filesize
39KB

MD5
93f2abed8dea90e7849a8bf157abd9c3

SHA1
975a77bd562964323dcc7913eaf87b7c45ac9a71

SHA256
861f8cda5dbf0ee736e25777095061c14a4c46a4ce36455a44dd8932fce039be

SHA512
2d709ecf7b0f5babe47fc9a168dde00bcee3974de3176c12ed6c55ee50e868574bc7a26b47da2d36feb2e7a8b96754c792fe9af3a10a202bc626f53b5844b8a1

Download Submit
\nth\Setup.exe

Filesize
39KB

MD5
93f2abed8dea90e7849a8bf157abd9c3

SHA1
975a77bd562964323dcc7913eaf87b7c45ac9a71

SHA256
861f8cda5dbf0ee736e25777095061c14a4c46a4ce36455a44dd8932fce039be

SHA512
2d709ecf7b0f5babe47fc9a168dde00bcee3974de3176c12ed6c55ee50e868574bc7a26b47da2d36feb2e7a8b96754c792fe9af3a10a202bc626f53b5844b8a1

Download Submit
\nth\Wiseman.exe

Filesize
372KB

MD5
e6d6560e5c1c397089296424250b76e7

SHA1
4bcb5260c97686859d9518af737631c5ee9595a0

SHA256
940c30a08792ca54e94c2a1fe7cb3b852919be595d1b2c63e48c1ffb5707fd1e

SHA512
42923740204f17900992d9aaae2fb305e8e9d6c12338ef23c1b4b3a481214806a9e60cd417b1e0d6f8d0437bc7eb5c727842f656d866b62238293d9d4bb5e903

Download Submit
\nth\Wiseman.exe

Filesize
372KB

MD5
e6d6560e5c1c397089296424250b76e7

SHA1
4bcb5260c97686859d9518af737631c5ee9595a0

SHA256
940c30a08792ca54e94c2a1fe7cb3b852919be595d1b2c63e48c1ffb5707fd1e

SHA512
42923740204f17900992d9aaae2fb305e8e9d6c12338ef23c1b4b3a481214806a9e60cd417b1e0d6f8d0437bc7eb5c727842f656d866b62238293d9d4bb5e903

Download Submit
\nth\Wiseman.exe

Filesize
372KB

MD5
e6d6560e5c1c397089296424250b76e7

SHA1
4bcb5260c97686859d9518af737631c5ee9595a0

SHA256
940c30a08792ca54e94c2a1fe7cb3b852919be595d1b2c63e48c1ffb5707fd1e

SHA512
42923740204f17900992d9aaae2fb305e8e9d6c12338ef23c1b4b3a481214806a9e60cd417b1e0d6f8d0437bc7eb5c727842f656d866b62238293d9d4bb5e903

Download Submit
memory/1496-84-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1496-85-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1496-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1496-72-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1496-70-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1496-83-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1580-94-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1580-96-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1580-97-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1580-95-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1580-99-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1580-98-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2040-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/2040-56-0x0000000000A60000-0x0000000000A7C000-memory.dmp

Filesize
112KB

Download