General
-
Target
wj.exe
-
Size
131KB
-
Sample
230106-ewqxdaeb97
-
MD5
c139e5739b99c5a835aaf6642b7a4378
-
SHA1
4ef2c73cd79984bd634adddbeef4dd091394ff46
-
SHA256
c82ab145610c19c3f5a1462196b41347c9786f5e600bdaa477bb98814461d279
-
SHA512
2fdfcc9534a8045976a795373557ad60548c36ea3c54e334e4a337100e3a879f802989b2dcac6565688f466d5fbde8e4e1e5e7d1b54151aacd2408329140f799
-
SSDEEP
3072:wLDfdYjOWlRjd+J3lIV4g4SAacOWJPMbwbNddf7wHx7hzlP:wvdkOhfPMcDN7I7tlP
Malware Config
Targets
-
-
Target
wj.exe
-
Size
131KB
-
MD5
c139e5739b99c5a835aaf6642b7a4378
-
SHA1
4ef2c73cd79984bd634adddbeef4dd091394ff46
-
SHA256
c82ab145610c19c3f5a1462196b41347c9786f5e600bdaa477bb98814461d279
-
SHA512
2fdfcc9534a8045976a795373557ad60548c36ea3c54e334e4a337100e3a879f802989b2dcac6565688f466d5fbde8e4e1e5e7d1b54151aacd2408329140f799
-
SSDEEP
3072:wLDfdYjOWlRjd+J3lIV4g4SAacOWJPMbwbNddf7wHx7hzlP:wvdkOhfPMcDN7I7tlP
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-