7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f

General

Target

7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f.exe
Size

6.0MB
MD5

820241820224a5c7eed0ca74b7420361
SHA1

4ad3588ecd226fde7fe8543c281290997a4ad9ac
SHA256

7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f
SHA512

17cc22e2d7c59bc86b5145e2990b76faf2602c3a4c19d6c7b23a84067240455e1293c857c1966217c26d8ae4baded83b612ed5325c7e5dea3bfa42335aa0d59c
SSDEEP

98304:x4S0clXTS9EIv1281Ey0l6iEz0JzA3+rBAlrHC3dNtCLChB:v/lX3I9R1EFlnxJzVA1ALI+hB

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

2.1.1.exewfplwfs.exe

pid process

3584 2.1.1.exe
752 wfplwfs.exe

pid	process
3584	2.1.1.exe
752	wfplwfs.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe	vmprotect
behavioral1/memory/752-151-0x0000000000400000-0x0000000000D4A000-memory.dmp	vmprotect

Suspicious use of SetThreadContext 1 IoCs

Processes:

wfplwfs.exe

description pid process target process

PID 752 set thread context of 2552 752 wfplwfs.exe rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

wfplwfs.exe

description ioc process

File created C:\Windows\Tasks\e74a2e864eaf84a8.job wfplwfs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2156 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

wfplwfs.exe

pid process

752 wfplwfs.exe
752 wfplwfs.exe
752 wfplwfs.exe
752 wfplwfs.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

rundll32.exe

pid process

2552 rundll32.exe
2552 rundll32.exe
2552 rundll32.exe

description	pid	process	target process
PID 752 set thread context of 2552	752	wfplwfs.exe	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\e74a2e864eaf84a8.job	wfplwfs.exe

pid	process
2156	PING.EXE

pid	process
752	wfplwfs.exe
752	wfplwfs.exe
752	wfplwfs.exe
752	wfplwfs.exe

pid	process
2552	rundll32.exe
2552	rundll32.exe
2552	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f.execmd.exewfplwfs.exe

description	pid	process	target process
PID 1236 wrote to memory of 3584	1236	7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f.exe	2.1.1.exe
PID 1236 wrote to memory of 3584	1236	7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f.exe	2.1.1.exe
PID 1236 wrote to memory of 3584	1236	7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f.exe	2.1.1.exe
PID 1236 wrote to memory of 752	1236	7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f.exe	wfplwfs.exe
PID 1236 wrote to memory of 752	1236	7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f.exe	wfplwfs.exe
PID 1236 wrote to memory of 752	1236	7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f.exe	wfplwfs.exe
PID 1236 wrote to memory of 2464	1236	7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f.exe	cmd.exe
PID 1236 wrote to memory of 2464	1236	7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f.exe	cmd.exe
PID 1236 wrote to memory of 2464	1236	7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f.exe	cmd.exe
PID 2464 wrote to memory of 2156	2464	cmd.exe	PING.EXE
PID 2464 wrote to memory of 2156	2464	cmd.exe	PING.EXE
PID 2464 wrote to memory of 2156	2464	cmd.exe	PING.EXE
PID 752 wrote to memory of 4308	752	wfplwfs.exe	rundll32.exe
PID 752 wrote to memory of 4308	752	wfplwfs.exe	rundll32.exe
PID 752 wrote to memory of 4308	752	wfplwfs.exe	rundll32.exe
PID 752 wrote to memory of 2552	752	wfplwfs.exe	rundll32.exe
PID 752 wrote to memory of 2552	752	wfplwfs.exe	rundll32.exe
PID 752 wrote to memory of 2552	752	wfplwfs.exe	rundll32.exe
PID 752 wrote to memory of 2552	752	wfplwfs.exe	rundll32.exe
PID 752 wrote to memory of 2552	752	wfplwfs.exe	rundll32.exe
PID 752 wrote to memory of 2552	752	wfplwfs.exe	rundll32.exe
PID 752 wrote to memory of 2552	752	wfplwfs.exe	rundll32.exe
PID 752 wrote to memory of 2552	752	wfplwfs.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f.exe
"C:\Users\Admin\AppData\Local\Temp\7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
2⤵
- Executes dropped EXE
PID:3584

C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe
3⤵
PID:4308

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe
3⤵
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\7740df954417683f1614403a7fa6607e7b9002ae045e25a07c8fd4e67f0b3c3f.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:2156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.1.1.exe

Filesize
478KB

MD5
eb75a43690afdea95c83ba331de640b7

SHA1
b65715468e185c3b54b60e075459a5f8b6e9c0f7

SHA256
21df0ff4710ab3ea44a1950745f9c71f3098bce46c5b0a7e86ba2777810ae855

SHA512
781a0b3fd4afecad6e4acf6cea53377b6c2d883fa9f14290f9530f7824fb4c1a89831edd2b67740392390bb984d530e1a34bcd45d350cec8341a8ffc55c01a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.1.1.exe

Filesize
478KB

MD5
eb75a43690afdea95c83ba331de640b7

SHA1
b65715468e185c3b54b60e075459a5f8b6e9c0f7

SHA256
21df0ff4710ab3ea44a1950745f9c71f3098bce46c5b0a7e86ba2777810ae855

SHA512
781a0b3fd4afecad6e4acf6cea53377b6c2d883fa9f14290f9530f7824fb4c1a89831edd2b67740392390bb984d530e1a34bcd45d350cec8341a8ffc55c01a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe

Filesize
5.4MB

MD5
ad08fb264dd83251bebda5b2c71871f0

SHA1
ca71a18d8a696031c016434de89c7a158e3a6052

SHA256
74cd8cebc022b06c2cb58d00eb7d4dedaa47442bd7011130302785a3533c03ae

SHA512
20012378e6c05e27c79baad9c76dad237ecdb154bd638df87ad69fbfba5f03880bd1501edfcf71002b45e6d351acf96d32dc7548c0c57dd4fa7ea730ddebf540

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe

Filesize
5.4MB

MD5
ad08fb264dd83251bebda5b2c71871f0

SHA1
ca71a18d8a696031c016434de89c7a158e3a6052

SHA256
74cd8cebc022b06c2cb58d00eb7d4dedaa47442bd7011130302785a3533c03ae

SHA512
20012378e6c05e27c79baad9c76dad237ecdb154bd638df87ad69fbfba5f03880bd1501edfcf71002b45e6d351acf96d32dc7548c0c57dd4fa7ea730ddebf540

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\index.html

Filesize
1KB

MD5
12cf60e57791e7a8bd78033c9f308931

SHA1
f6c8a295064f7fa8553295e3cd8a9c62352f7c2c

SHA256
2f9f2fe135d66c296ab6071d01529623bac31d4a63ab073be3c6c1e20d34f50a

SHA512
72735d76803980afe7260d713a377f82316fa24109f1d2767b352984aa53d4a5e441a89d99aa3fdb32042dcb61b43d88465272bc98552892747829d7986cf3b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\logo.png

Filesize
2KB

MD5
561a5a310ac6505c1dc2029a61632617

SHA1
f267ab458ec5d0f008a235461e466b1fd3ed14ee

SHA256
b41bd7c17b6bdfe6ae0d0dbbb5ce92fd38c4696833ae3333a1d81cf7e38d6e35

SHA512
4edb7ef8313e20bbc73fd96207c2076ce3bac0754a92bb00aff0259ffe1adf6f7e4d6917e7815fd643139a08bd4a0f325f66982378f94483ce1ee0924df6d3c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\qrcode.png

Filesize
1KB

MD5
abcf7fd62d78b302475bac66fd1e2968

SHA1
fad0de7476d1cb563ffd3723dfc8f6dc9d7fbac4

SHA256
741a816750ffd35e3c4828cca24e90ffad946e040e11eca3c4a2ec2a1c74def4

SHA512
323492e5b069e0544baa81ea5e1c4b693a5068f55cc20e678672abff55847af48c63e48a13ca8b8908f2defee4654f42941e7f93b5a26775a971bdf186db21ba

Download Submit
memory/752-148-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/752-147-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/752-149-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/752-150-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/752-151-0x0000000000400000-0x0000000000D4A000-memory.dmp

Filesize
9.3MB

Download
memory/752-146-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/752-145-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/752-144-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/2552-158-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2552-160-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2552-166-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing