7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f

Analysis

max time kernel
88s
max time network
106s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-05-2023 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a02.exe
Size

6.0MB
MD5

820241820224a5c7eed0ca74b7420361
SHA1

4ad3588ecd226fde7fe8543c281290997a4ad9ac
SHA256

7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f
SHA512

17cc22e2d7c59bc86b5145e2990b76faf2602c3a4c19d6c7b23a84067240455e1293c857c1966217c26d8ae4baded83b612ed5325c7e5dea3bfa42335aa0d59c
SSDEEP

98304:x4S0clXTS9EIv1281Ey0l6iEz0JzA3+rBAlrHC3dNtCLChB:v/lX3I9R1EFlnxJzVA1ALI+hB

Score

7^/10

vmprotect

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1548 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

2.1.1.exewfplwfs.exe

pid process

1696 2.1.1.exe
808 wfplwfs.exe
Loads dropped DLL 3 IoCs

Processes:

a02.exe

pid process

2008 a02.exe
2008 a02.exe
2008 a02.exe

pid	process
1548	cmd.exe

pid	process
1696	2.1.1.exe
808	wfplwfs.exe

pid	process
2008	a02.exe
2008	a02.exe
2008	a02.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\wfplwfs.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe	vmprotect
behavioral1/memory/808-95-0x0000000000400000-0x0000000000D4A000-memory.dmp	vmprotect

Suspicious use of SetThreadContext 1 IoCs

Processes:

wfplwfs.exe

description pid process target process

PID 808 set thread context of 1724 808 wfplwfs.exe rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

wfplwfs.exe

description ioc process

File created C:\Windows\Tasks\ff0e3e19cf354ab0.job wfplwfs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main rundll32.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1448 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

wfplwfs.exe

pid process

808 wfplwfs.exe
808 wfplwfs.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

rundll32.exe

pid process

1724 rundll32.exe
1724 rundll32.exe
1724 rundll32.exe

description	pid	process	target process
PID 808 set thread context of 1724	808	wfplwfs.exe	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\ff0e3e19cf354ab0.job	wfplwfs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe

pid	process
1448	PING.EXE

pid	process
808	wfplwfs.exe
808	wfplwfs.exe

pid	process
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

a02.execmd.exewfplwfs.exe

description	pid	process	target process
PID 2008 wrote to memory of 1696	2008	a02.exe	2.1.1.exe
PID 2008 wrote to memory of 1696	2008	a02.exe	2.1.1.exe
PID 2008 wrote to memory of 1696	2008	a02.exe	2.1.1.exe
PID 2008 wrote to memory of 1696	2008	a02.exe	2.1.1.exe
PID 2008 wrote to memory of 808	2008	a02.exe	wfplwfs.exe
PID 2008 wrote to memory of 808	2008	a02.exe	wfplwfs.exe
PID 2008 wrote to memory of 808	2008	a02.exe	wfplwfs.exe
PID 2008 wrote to memory of 808	2008	a02.exe	wfplwfs.exe
PID 2008 wrote to memory of 1548	2008	a02.exe	cmd.exe
PID 2008 wrote to memory of 1548	2008	a02.exe	cmd.exe
PID 2008 wrote to memory of 1548	2008	a02.exe	cmd.exe
PID 2008 wrote to memory of 1548	2008	a02.exe	cmd.exe
PID 1548 wrote to memory of 1448	1548	cmd.exe	PING.EXE
PID 1548 wrote to memory of 1448	1548	cmd.exe	PING.EXE
PID 1548 wrote to memory of 1448	1548	cmd.exe	PING.EXE
PID 1548 wrote to memory of 1448	1548	cmd.exe	PING.EXE
PID 808 wrote to memory of 1724	808	wfplwfs.exe	rundll32.exe
PID 808 wrote to memory of 1724	808	wfplwfs.exe	rundll32.exe
PID 808 wrote to memory of 1724	808	wfplwfs.exe	rundll32.exe
PID 808 wrote to memory of 1724	808	wfplwfs.exe	rundll32.exe
PID 808 wrote to memory of 1724	808	wfplwfs.exe	rundll32.exe
PID 808 wrote to memory of 1724	808	wfplwfs.exe	rundll32.exe
PID 808 wrote to memory of 1724	808	wfplwfs.exe	rundll32.exe
PID 808 wrote to memory of 1724	808	wfplwfs.exe	rundll32.exe
PID 808 wrote to memory of 1724	808	wfplwfs.exe	rundll32.exe
PID 808 wrote to memory of 1724	808	wfplwfs.exe	rundll32.exe
PID 808 wrote to memory of 1724	808	wfplwfs.exe	rundll32.exe
PID 808 wrote to memory of 1724	808	wfplwfs.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a02.exe
"C:\Users\Admin\AppData\Local\Temp\a02.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
2⤵
- Executes dropped EXE
PID:1696

C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\a02.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.1.1.exe

Filesize
478KB

MD5
eb75a43690afdea95c83ba331de640b7

SHA1
b65715468e185c3b54b60e075459a5f8b6e9c0f7

SHA256
21df0ff4710ab3ea44a1950745f9c71f3098bce46c5b0a7e86ba2777810ae855

SHA512
781a0b3fd4afecad6e4acf6cea53377b6c2d883fa9f14290f9530f7824fb4c1a89831edd2b67740392390bb984d530e1a34bcd45d350cec8341a8ffc55c01a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.1.1.exe

Filesize
478KB

MD5
eb75a43690afdea95c83ba331de640b7

SHA1
b65715468e185c3b54b60e075459a5f8b6e9c0f7

SHA256
21df0ff4710ab3ea44a1950745f9c71f3098bce46c5b0a7e86ba2777810ae855

SHA512
781a0b3fd4afecad6e4acf6cea53377b6c2d883fa9f14290f9530f7824fb4c1a89831edd2b67740392390bb984d530e1a34bcd45d350cec8341a8ffc55c01a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe

Filesize
5.4MB

MD5
ad08fb264dd83251bebda5b2c71871f0

SHA1
ca71a18d8a696031c016434de89c7a158e3a6052

SHA256
74cd8cebc022b06c2cb58d00eb7d4dedaa47442bd7011130302785a3533c03ae

SHA512
20012378e6c05e27c79baad9c76dad237ecdb154bd638df87ad69fbfba5f03880bd1501edfcf71002b45e6d351acf96d32dc7548c0c57dd4fa7ea730ddebf540

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe

Filesize
5.4MB

MD5
ad08fb264dd83251bebda5b2c71871f0

SHA1
ca71a18d8a696031c016434de89c7a158e3a6052

SHA256
74cd8cebc022b06c2cb58d00eb7d4dedaa47442bd7011130302785a3533c03ae

SHA512
20012378e6c05e27c79baad9c76dad237ecdb154bd638df87ad69fbfba5f03880bd1501edfcf71002b45e6d351acf96d32dc7548c0c57dd4fa7ea730ddebf540

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09

Filesize
812B

MD5
1c3527f8fe5a24623bdd6ad96bf602fd

SHA1
bc988ad300ca4d581a7056bf8c342377d72d7c73

SHA256
308de7da302d3ecf499b6c140b11fb3d9db0d3b9515d8fa3dd0ce4a65659266c

SHA512
5c54b19308985ed63ee59cda2260b8651a27a79c2864debd349092fbacc15ad9d3df309dbd3699684ebbc2751a8d5a6d8ac4e723c983a6272ae756ac58358d83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\index.html

Filesize
1KB

MD5
12cf60e57791e7a8bd78033c9f308931

SHA1
f6c8a295064f7fa8553295e3cd8a9c62352f7c2c

SHA256
2f9f2fe135d66c296ab6071d01529623bac31d4a63ab073be3c6c1e20d34f50a

SHA512
72735d76803980afe7260d713a377f82316fa24109f1d2767b352984aa53d4a5e441a89d99aa3fdb32042dcb61b43d88465272bc98552892747829d7986cf3b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\logo.png

Filesize
2KB

MD5
561a5a310ac6505c1dc2029a61632617

SHA1
f267ab458ec5d0f008a235461e466b1fd3ed14ee

SHA256
b41bd7c17b6bdfe6ae0d0dbbb5ce92fd38c4696833ae3333a1d81cf7e38d6e35

SHA512
4edb7ef8313e20bbc73fd96207c2076ce3bac0754a92bb00aff0259ffe1adf6f7e4d6917e7815fd643139a08bd4a0f325f66982378f94483ce1ee0924df6d3c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\qrcode.png

Filesize
1KB

MD5
abcf7fd62d78b302475bac66fd1e2968

SHA1
fad0de7476d1cb563ffd3723dfc8f6dc9d7fbac4

SHA256
741a816750ffd35e3c4828cca24e90ffad946e040e11eca3c4a2ec2a1c74def4

SHA512
323492e5b069e0544baa81ea5e1c4b693a5068f55cc20e678672abff55847af48c63e48a13ca8b8908f2defee4654f42941e7f93b5a26775a971bdf186db21ba

Download Submit
\Users\Admin\AppData\Local\Temp\2.1.1.exe

Filesize
478KB

MD5
eb75a43690afdea95c83ba331de640b7

SHA1
b65715468e185c3b54b60e075459a5f8b6e9c0f7

SHA256
21df0ff4710ab3ea44a1950745f9c71f3098bce46c5b0a7e86ba2777810ae855

SHA512
781a0b3fd4afecad6e4acf6cea53377b6c2d883fa9f14290f9530f7824fb4c1a89831edd2b67740392390bb984d530e1a34bcd45d350cec8341a8ffc55c01a9f

Download Submit
\Users\Admin\AppData\Local\Temp\2.1.1.exe

Filesize
478KB

MD5
eb75a43690afdea95c83ba331de640b7

SHA1
b65715468e185c3b54b60e075459a5f8b6e9c0f7

SHA256
21df0ff4710ab3ea44a1950745f9c71f3098bce46c5b0a7e86ba2777810ae855

SHA512
781a0b3fd4afecad6e4acf6cea53377b6c2d883fa9f14290f9530f7824fb4c1a89831edd2b67740392390bb984d530e1a34bcd45d350cec8341a8ffc55c01a9f

Download Submit
\Users\Admin\AppData\Local\Temp\wfplwfs.exe

Filesize
5.4MB

MD5
ad08fb264dd83251bebda5b2c71871f0

SHA1
ca71a18d8a696031c016434de89c7a158e3a6052

SHA256
74cd8cebc022b06c2cb58d00eb7d4dedaa47442bd7011130302785a3533c03ae

SHA512
20012378e6c05e27c79baad9c76dad237ecdb154bd638df87ad69fbfba5f03880bd1501edfcf71002b45e6d351acf96d32dc7548c0c57dd4fa7ea730ddebf540

Download Submit
memory/808-84-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/808-92-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/808-79-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/808-82-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/808-81-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/808-77-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/808-85-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/808-87-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/808-88-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/808-90-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/808-91-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/808-78-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/808-93-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/808-94-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/808-95-0x0000000000400000-0x0000000000D4A000-memory.dmp

Filesize
9.3MB

Download
memory/808-74-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/808-76-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/808-75-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1724-108-0x0000000003050000-0x0000000003462000-memory.dmp

Filesize
4.1MB

Download
memory/1724-104-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1724-102-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1724-112-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download