Overview
overview
10Static
static
10Decrypter_1.exe
windows7-x64
1Decrypter_1.exe
windows10-2004-x64
1Decrypter_3.exe
windows7-x64
1Decrypter_3.exe
windows10-2004-x64
1decrypted_1.exe
windows7-x64
1decrypted_1.exe
windows10-2004-x64
4decrypted_...ed.exe
windows7-x64
10decrypted_...ed.exe
windows10-2004-x64
10decrypted_2.exe
windows7-x64
10decrypted_2.exe
windows10-2004-x64
10decrypted_2.exe
windows7-x64
8decrypted_2.exe
windows10-2004-x64
8decrypter_2.exe
windows7-x64
1decrypter_2.exe
windows10-2004-x64
1Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
03-02-2023 19:33
Behavioral task
behavioral1
Sample
Decrypter_1.exe
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral2
Sample
Decrypter_1.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Decrypter_3.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
Decrypter_3.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
decrypted_1.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
decrypted_1.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
decrypted_2-cleaned.exe
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral8
Sample
decrypted_2-cleaned.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
decrypted_2.exe
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral10
Sample
decrypted_2.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
decrypted_2.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral12
Sample
decrypted_2.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
decrypter_2.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral14
Sample
decrypter_2.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
decrypted_2.exe
-
Size
36KB
-
MD5
804457c473500f8fe0d57b0864c4c87f
-
SHA1
633c8ff70bc17c12e2727c3e1278349a8b67fe50
-
SHA256
601ac6852746a608f82af16fe69b07a5c65afc584d59479a8fcf43bd0537997f
-
SHA512
f68e765f26d6ff16a4f2a89f367e0cf57278a595f321a362c8b037526106dc319cd6894b4def3d1aa474ce412db0395926e7483d26abca72e196f4eac97247d9
-
SSDEEP
768:C9S2Mfp8Y8JuL8O2qD86BhEOaDUeKR0F6Ehq5lxOBcmZPtqojC:C9S2MfgQQahEOaDUzRb5lxOWmyl
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 5068 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation decrypted_2.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf4f23b08f31e19e05b45991905c12da.exe wlninit.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf4f23b08f31e19e05b45991905c12da.exe wlninit.exe -
Executes dropped EXE 1 IoCs
pid Process 3088 wlninit.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bf4f23b08f31e19e05b45991905c12da = "\"C:\\Users\\Admin\\AppData\\Roaming\\wlninit.exe\" .." wlninit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bf4f23b08f31e19e05b45991905c12da = "\"C:\\Users\\Admin\\AppData\\Roaming\\wlninit.exe\" .." wlninit.exe -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf wlninit.exe File opened for modification C:\autorun.inf wlninit.exe File created D:\autorun.inf wlninit.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe 3088 wlninit.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3088 wlninit.exe -
Suspicious use of AdjustPrivilegeToken 33 IoCs
description pid Process Token: SeDebugPrivilege 3088 wlninit.exe Token: 33 3088 wlninit.exe Token: SeIncBasePriorityPrivilege 3088 wlninit.exe Token: 33 3088 wlninit.exe Token: SeIncBasePriorityPrivilege 3088 wlninit.exe Token: 33 3088 wlninit.exe Token: SeIncBasePriorityPrivilege 3088 wlninit.exe Token: 33 3088 wlninit.exe Token: SeIncBasePriorityPrivilege 3088 wlninit.exe Token: 33 3088 wlninit.exe Token: SeIncBasePriorityPrivilege 3088 wlninit.exe Token: 33 3088 wlninit.exe Token: SeIncBasePriorityPrivilege 3088 wlninit.exe Token: 33 3088 wlninit.exe Token: SeIncBasePriorityPrivilege 3088 wlninit.exe Token: 33 3088 wlninit.exe Token: SeIncBasePriorityPrivilege 3088 wlninit.exe Token: 33 3088 wlninit.exe Token: SeIncBasePriorityPrivilege 3088 wlninit.exe Token: 33 3088 wlninit.exe Token: SeIncBasePriorityPrivilege 3088 wlninit.exe Token: 33 3088 wlninit.exe Token: SeIncBasePriorityPrivilege 3088 wlninit.exe Token: 33 3088 wlninit.exe Token: SeIncBasePriorityPrivilege 3088 wlninit.exe Token: 33 3088 wlninit.exe Token: SeIncBasePriorityPrivilege 3088 wlninit.exe Token: 33 3088 wlninit.exe Token: SeIncBasePriorityPrivilege 3088 wlninit.exe Token: 33 3088 wlninit.exe Token: SeIncBasePriorityPrivilege 3088 wlninit.exe Token: 33 3088 wlninit.exe Token: SeIncBasePriorityPrivilege 3088 wlninit.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4728 wrote to memory of 3088 4728 decrypted_2.exe 79 PID 4728 wrote to memory of 3088 4728 decrypted_2.exe 79 PID 4728 wrote to memory of 3088 4728 decrypted_2.exe 79 PID 3088 wrote to memory of 5068 3088 wlninit.exe 80 PID 3088 wrote to memory of 5068 3088 wlninit.exe 80 PID 3088 wrote to memory of 5068 3088 wlninit.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\decrypted_2.exe"C:\Users\Admin\AppData\Local\Temp\decrypted_2.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Users\Admin\AppData\Roaming\wlninit.exe"C:\Users\Admin\AppData\Roaming\wlninit.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\wlninit.exe" "wlninit.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:5068
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5804457c473500f8fe0d57b0864c4c87f
SHA1633c8ff70bc17c12e2727c3e1278349a8b67fe50
SHA256601ac6852746a608f82af16fe69b07a5c65afc584d59479a8fcf43bd0537997f
SHA512f68e765f26d6ff16a4f2a89f367e0cf57278a595f321a362c8b037526106dc319cd6894b4def3d1aa474ce412db0395926e7483d26abca72e196f4eac97247d9
-
Filesize
36KB
MD5804457c473500f8fe0d57b0864c4c87f
SHA1633c8ff70bc17c12e2727c3e1278349a8b67fe50
SHA256601ac6852746a608f82af16fe69b07a5c65afc584d59479a8fcf43bd0537997f
SHA512f68e765f26d6ff16a4f2a89f367e0cf57278a595f321a362c8b037526106dc319cd6894b4def3d1aa474ce412db0395926e7483d26abca72e196f4eac97247d9