Analysis
-
max time kernel
60s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
28-04-2023 18:37
Behavioral task
behavioral1
Sample
WH-ApkCrypter-V2-master.zip
Resource
win10v2004-20230220-en
Behavioral task
behavioral2
Sample
WH-ApkCrypter-V2-master/WH-Apkcrypter-v2.1.exe
Resource
win10v2004-20230220-en
General
-
Target
WH-ApkCrypter-V2-master/WH-Apkcrypter-v2.1.exe
-
Size
47.5MB
-
MD5
ff56a1336540b6e081c763d4a9ebf032
-
SHA1
028faefe160dce7c086a1445da52abcfa1d91df3
-
SHA256
66d56bded084646b509d47f8941ab3a82651c5d58aa9b428b776e1d6efa196b6
-
SHA512
7d516814df1614b1a8cdea92a61323c19b1fc45af974e79d20be35ae26966b651d793367ee833ae5aaaf6dd4526235a88fe8f5a7822734274674297fd281ec89
-
SSDEEP
786432:2oVLUw+wlF7NWwCpi9dWsnBD4U5e0i0pktS8SX5owi6VBHWWjLw/pSJBJkMRcd2r:2o5UwVWpi9dW/Sen0+88SJ663W2LPRHF
Malware Config
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 4660 3324 WerFault.exe 81 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeBackupPrivilege 1620 dw20.exe Token: SeBackupPrivilege 1620 dw20.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3324 wrote to memory of 1620 3324 WH-Apkcrypter-v2.1.exe 83 PID 3324 wrote to memory of 1620 3324 WH-Apkcrypter-v2.1.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\WH-ApkCrypter-V2-master\WH-Apkcrypter-v2.1.exe"C:\Users\Admin\AppData\Local\Temp\WH-ApkCrypter-V2-master\WH-Apkcrypter-v2.1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 10642⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3324 -s 11122⤵
- Program crash
PID:4660
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 496 -p 3324 -ip 33241⤵PID:4528