Overview

overview

7

Static

static

1

WhatsApp.msi

windows10-1703-x64

7

WhatsApp.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/10/2023, 04:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WhatsApp.msi

  • Size

    124.6MB

  • MD5

    31a882ef9d5a0c2c2954de8e4f5b1f5a

  • SHA1

    8b5837fe4a119637f47ed2328d8aed6b2c130592

  • SHA256

    dddff8c76f01f60cb373d71c073c9e5f09f7ca57ced4f5cea1eaaced2ab48353

  • SHA512

    d2f6cedc146b76609e8ab9b7fa320a291976e024d6bf96dbb1945de11a142aa659660064166bca7210d7220e40816d9482178d2a2606950dd9dece3637e62641

  • SSDEEP

    3145728:gk9pnvYFF5AhV6BDv8UGLVxfjPC3drAuBpBqGghd9z:pYZA+b8nl3uBpDY

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 13 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WhatsApp.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4880
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding AE9DE68CE6DA82CEAD2C28CFDCDD7CFA C
      2⤵
      • Loads dropped DLL
      PID:4840
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1440
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 1975AB8EF4DE576FC2F80E8BC3424293
        2⤵
        • Loads dropped DLL
        PID:2400
      • C:\Windows\system32\cmd.exe
        cmd.exe /c install.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:636
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-AppxPackage *.dat
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2152
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-AppxPackage *.dll
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4520
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:1948
    • C:\Users\Admin\AppData\Roaming\WhatsApp 独立版\ApplicatonLaunch.exe
      "C:\Users\Admin\AppData\Roaming\WhatsApp 独立版\ApplicatonLaunch.exe"
      1⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      PID:4820

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e584c86.rbs
      Filesize

      3KB

      MD5

      ca88945ce03166a69a23094561e7ed0f

      SHA1

      84058ca7c49f4345dd7b8575ba875e7abe873550

      SHA256

      0296c617da50ca683cde252d9948a36629be5c58c3162c5d755bed4fdfd0a092

      SHA512

      a85a01c9afb66de2fc953ea8590b3a8b50c481793c2c642b3a580e57eda1e291af781a132143fce5e4ef12c588e8d6f10bf199c619f05eb1fc601daa2ae69d92

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      c7126aaba7608a4ee161069d2e193570

      SHA1

      91e729eabd040794d61e4bee31a27829ebd9a572

      SHA256

      df376a9b8a7f0f009cca3f52cd1203839bec25ba2e93e9b60ddd79fb3484aa4a

      SHA512

      985607629402e7e09135231dec407f5e645f0ab70f87d712567620d929826f1c4d310238bbd50b29e4a3cce05aa9cb9bddc72e4c0306a38e1b66178ce94d36b1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      73e500ae8c95596ae74d371dd62d707a

      SHA1

      24049d55e42812ce35f43011f677a882b46e2d35

      SHA256

      9012e2bd854d852cbb141ef0cdd080d2e09d4822d7175709d6f3c52316b9558d

      SHA512

      fc924392f8d8a3cff1f36a2892f529fc59f9cc7ab5f40624d416560c5262f8f3d50900092df8237ae53f075b524e923e9fc6344c1a961aed4ea1613ef34fb5dc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI95D7.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI95D7.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI9943.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI9943.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI9973.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI9973.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI9973.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI99D2.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI99D2.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI9B2B.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI9B2B.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vlnmrj2t.1cd.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\WhatsApp 独立版\ApplicatonLaunch.exe
      Filesize

      2.0MB

      MD5

      b7c3d07dd8c327f76763c4df0cc7018c

      SHA1

      ac8b0daf52382c711836cbe00081a6584d7b5f4c

      SHA256

      ffb8b8c36012a6ddbb4ab91c9b2d9f64c280feffe2a2bd5d3ca536cea6b697b8

      SHA512

      c4b46878d93ac86e514bbf5323f42446a0b27c1c86fca8b55fca37efc92bb9136fa54f9554a9445686b96dfa3859438c671cb9841f82c21b175bd61cc881e0dd

      Download Submit

    • C:\Users\Admin\AppData\Roaming\WhatsApp 独立版\install.bat
      Filesize

      77B

      MD5

      0ec7fb1b5a72701bf94495d0f1dc1ee6

      SHA1

      3cae540c7b896391fb71a6c1eed3c55cb44369ab

      SHA256

      86befb9328e11ea9ca97e848ba0ea91eefc3382fe2bbc951fc2c01820b8b3d65

      SHA512

      c2cb3ab4590c2cb2ed719f76723a7a09f2b3c310e4b57bfcbc7b3b164ab76181b14bd699822d5f4707df268d199150e5b9b0624f9db77d8921df35925152d052

      Download Submit

    • C:\Windows\Installer\MSI4D6F.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Windows\Installer\MSI4D6F.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Windows\Installer\MSI4E89.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Windows\Installer\MSI4E89.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Windows\Installer\MSI4ED9.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Windows\Installer\MSI4ED9.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.0MB

      MD5

      0708bfeeae89e27b7caf45c0375dd1c1

      SHA1

      c652cbb127f6ec863a5fefac0937e657125551fd

      SHA256

      20732898d1d6f91e65617fbd136294d293c2e29a860c880720d95a29ad9bda9e

      SHA512

      620ca97b3f6a56d3ca0ba92a0997798f211c92d275dc9949ccd4362c30a38104269080317a4d1e622bb95be48d0b1bdf7f74699dd8b78198db7d7648c4ee4008

      Download Submit

    • \??\Volume{6ada271e-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{25a33300-5d2d-4ef7-b317-da709844fecd}_OnDiskSnapshotProp
      Filesize

      5KB

      MD5

      bc5f3c63bcc737adcb766644c3c13b55

      SHA1

      ecaf82c26831eb0df0c0d9115492dd8e21939a9e

      SHA256

      03c6469eb03de0396df414cd99e8cda160fb673c3944c1b9e86aec8b84a5d224

      SHA512

      d5fc5696e70d2bedee4b44d1a4c68abb42e52852198d18093813370f9a43831904b4b613ec0459f25f0bc7599eea4f29c661f8548339543562d1530074b275fb

      Download Submit

    • memory/2152-74-0x000001776A3E0000-0x000001776A402000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2152-81-0x000001774FC70000-0x000001774FC80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2152-83-0x000001776A6B0000-0x000001776A6C6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2152-84-0x000001776A6D0000-0x000001776A6DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2152-85-0x000001774FC70000-0x000001774FC80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2152-86-0x000001774FC70000-0x000001774FC80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2152-87-0x00007FFB76CE0000-0x00007FFB777A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2152-89-0x000001774FC70000-0x000001774FC80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2152-88-0x000001774FC70000-0x000001774FC80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2152-90-0x000001774FC70000-0x000001774FC80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2152-93-0x00007FFB76CE0000-0x00007FFB777A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2152-82-0x000001774FC70000-0x000001774FC80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2152-79-0x00007FFB76CE0000-0x00007FFB777A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2152-80-0x000001774FC70000-0x000001774FC80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4520-96-0x000001B77CEE0000-0x000001B77CEF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4520-107-0x000001B77CEE0000-0x000001B77CEF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4520-108-0x000001B77CEE0000-0x000001B77CEF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4520-109-0x000001B77CEE0000-0x000001B77CEF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4520-111-0x00007FFB76CE0000-0x00007FFB777A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4520-112-0x000001B77CEE0000-0x000001B77CEF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4520-114-0x00007FFB76CE0000-0x00007FFB777A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4520-95-0x00007FFB76CE0000-0x00007FFB777A1000-memory.dmp

      Filesize

      10.8MB

      Download