Analysis

  • max time kernel
    42s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20221111-es
  • resource tags

    arch:x64
    arch:x86
    image:win7-20221111-es
    locale:es-es
    os:windows7-x64
    system
    windows
  • submitted
    28/12/2022, 21:04

General

  • Target

    WhatsAppImage2012-02-20.exe

  • Size

    710KB

  • MD5

    fca2523902a26b9d9069c4f7bc276412

  • SHA1

    e5798517668c4ea40cf21a7cf0562eca8fd142ea

  • SHA256

    acd49cc5cb7a530b0ffa7e3de893978492f7cf57bf67174109b7f20b576532c3

  • SHA512

    6846663d3d9ab02dd54d1f2d2c3e2dfe02590892b4c4fc05175a84e9e39a2be567b9ca45c02b1bd6da1af66bd4a3059c9a4a82dfc8768e0bad08a252a3c56f56

  • SSDEEP

    12288:JRZ+IoG/n9IQxW3OBsFt5cubIZabOh7yMv5HAoaFRtIobpb6:B2G/nvxW3W25bI0b0OmgNFMS16

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WhatsAppImage2012-02-20.exe
    "C:\Users\Admin\AppData\Local\Temp\WhatsAppImage2012-02-20.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\android.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1608
      • C:\Windows\SysWOW64\calc.exe
        calc
        3⤵
        PID:112
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://netlide.com/lol
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:1992
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1432
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        PID:1456
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        PID:652
      • C:\Windows\SysWOW64\calc.exe
        calc
        3⤵
        PID:1668
      • C:\Windows\SysWOW64\calc.exe
        calc
        3⤵
        PID:1292
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        PID:1868
      • C:\Windows\SysWOW64\calc.exe
        calc
        3⤵
        PID:928
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        PID:2044
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        PID:1428
      • C:\Windows\SysWOW64\calc.exe
        calc
        3⤵
        PID:1592
      • C:\Windows\SysWOW64\calc.exe
        calc
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:776
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        PID:1240
      • C:\Windows\SysWOW64\calc.exe
        calc
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:1144

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1b8f87e4e2266bcd2bbe26cbb4fbaa5c

    SHA1

    fbe797e8167c2321e1a16dc2c5ce43632c7c0c1e

    SHA256

    48d10f3419b4dc7e9c0f4de4c50e5f3747234e6e8e819f390d408cc1e1ce25d6

    SHA512

    76cea7dc81299ee7c24cfb0f07af71d2c9f8bc5487173daf0a852a255c989cec9956c8bf43c87660dd748fe722eae765bda67bde138fb514f4fe7f9a0e2e1d6d

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\android.bat

    Filesize

    2KB

    MD5

    4cc4a826562c75f785924e8489167f5b

    SHA1

    a1c08aa5b27700b0e079fac424318e4fa0022cc7

    SHA256

    6a504abe4cb517883d37a9dc868133dadae35895a4e0a52bf86dfcbc0c97014a

    SHA512

    0947accb86a9ccb7e2d693d840d33ad7cb6ab6bde5ade7f3577e7ed2e7954dd50d1097b483c92fb14d0dd9437ae1bbac72b2a3a45e47724c8f9d1d6008278ec0

  • memory/532-54-0x0000000075691000-0x0000000075693000-memory.dmp

    Filesize

    8KB