baec4a9f7a79d37ed568b0ce0b2d5ddf6cb9abb36e582df689e58ed2c4eb09fb

General

Target

Wexide.exe
Size

79KB
MD5

e3074a3b713935925e9e30cff2ae9463
SHA1

41aa3bcb286eeb3b4efcde992eb40419aeaeae59
SHA256

baec4a9f7a79d37ed568b0ce0b2d5ddf6cb9abb36e582df689e58ed2c4eb09fb
SHA512

e18dfa0e7609e94b3d5e6a3d09ec2c3b80c272f47f16c3c40a24b663b37fb3773f8837ec68b31b028ca8d268e1d6b4c3145a2c7d813b91754438eb6cb051d0d4
SSDEEP

1536:jqO5TvSH2yEHf8kEpSSjqbJ4Kd6G6BP68OtkhNLWKKSf:jRY5qbJlmNOWhNauf

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk	Wexide.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk	Wexide.exe

Executes dropped EXE 1 IoCs

pid	Process
1960	Updater.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Local\\Updater.exe"	Wexide.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2756	powershell.exe
1628	powershell.exe
2500	powershell.exe
1904	powershell.exe
1168	Wexide.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1168	Wexide.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	1168	Wexide.exe
Token: SeDebugPrivilege	1960	Updater.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1168	Wexide.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 2756	1168	Wexide.exe	29
PID 1168 wrote to memory of 2756	1168	Wexide.exe	29
PID 1168 wrote to memory of 2756	1168	Wexide.exe	29
PID 1168 wrote to memory of 1628	1168	Wexide.exe	31
PID 1168 wrote to memory of 1628	1168	Wexide.exe	31
PID 1168 wrote to memory of 1628	1168	Wexide.exe	31
PID 1168 wrote to memory of 2500	1168	Wexide.exe	33
PID 1168 wrote to memory of 2500	1168	Wexide.exe	33
PID 1168 wrote to memory of 2500	1168	Wexide.exe	33
PID 1168 wrote to memory of 1904	1168	Wexide.exe	35
PID 1168 wrote to memory of 1904	1168	Wexide.exe	35
PID 1168 wrote to memory of 1904	1168	Wexide.exe	35
PID 1168 wrote to memory of 2988	1168	Wexide.exe	37
PID 1168 wrote to memory of 2988	1168	Wexide.exe	37
PID 1168 wrote to memory of 2988	1168	Wexide.exe	37
PID 1768 wrote to memory of 1960	1768	taskeng.exe	42
PID 1768 wrote to memory of 1960	1768	taskeng.exe	42
PID 1768 wrote to memory of 1960	1768	taskeng.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Wexide.exe
"C:\Users\Admin\AppData\Local\Temp\Wexide.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Wexide.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Wexide.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Updater.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Updater.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Updater" /tr "C:\Users\Admin\AppData\Local\Updater.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2988

C:\Windows\system32\taskeng.exe
taskeng.exe {544F7D04-E474-4F7E-9D0A-11ACE014A513} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Updater.exe
  C:\Users\Admin\AppData\Local\Updater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Updater.exe

Filesize
79KB

MD5
e3074a3b713935925e9e30cff2ae9463

SHA1
41aa3bcb286eeb3b4efcde992eb40419aeaeae59

SHA256
baec4a9f7a79d37ed568b0ce0b2d5ddf6cb9abb36e582df689e58ed2c4eb09fb

SHA512
e18dfa0e7609e94b3d5e6a3d09ec2c3b80c272f47f16c3c40a24b663b37fb3773f8837ec68b31b028ca8d268e1d6b4c3145a2c7d813b91754438eb6cb051d0d4

Download Submit
C:\Users\Admin\AppData\Local\Updater.exe

Filesize
79KB

MD5
e3074a3b713935925e9e30cff2ae9463

SHA1
41aa3bcb286eeb3b4efcde992eb40419aeaeae59

SHA256
baec4a9f7a79d37ed568b0ce0b2d5ddf6cb9abb36e582df689e58ed2c4eb09fb

SHA512
e18dfa0e7609e94b3d5e6a3d09ec2c3b80c272f47f16c3c40a24b663b37fb3773f8837ec68b31b028ca8d268e1d6b4c3145a2c7d813b91754438eb6cb051d0d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
feaa1956d508dbdeed50885faa0cdc77

SHA1
04d6479b0ccb0e5a9002b39fbc5a55c0ef08b3c5

SHA256
2f1da8267fd81cb15ec313a0b15686189da6d8c5be653ef8bc247de8f3d8fa43

SHA512
b1b1372145c7cab76656f0e2704fb82f2c1997073ee22df05a4bc72b594eea028b3cd5b9b9757377c4249720532c076444dc02cafa93bca91c5432f3980cd22a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
feaa1956d508dbdeed50885faa0cdc77

SHA1
04d6479b0ccb0e5a9002b39fbc5a55c0ef08b3c5

SHA256
2f1da8267fd81cb15ec313a0b15686189da6d8c5be653ef8bc247de8f3d8fa43

SHA512
b1b1372145c7cab76656f0e2704fb82f2c1997073ee22df05a4bc72b594eea028b3cd5b9b9757377c4249720532c076444dc02cafa93bca91c5432f3980cd22a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
feaa1956d508dbdeed50885faa0cdc77

SHA1
04d6479b0ccb0e5a9002b39fbc5a55c0ef08b3c5

SHA256
2f1da8267fd81cb15ec313a0b15686189da6d8c5be653ef8bc247de8f3d8fa43

SHA512
b1b1372145c7cab76656f0e2704fb82f2c1997073ee22df05a4bc72b594eea028b3cd5b9b9757377c4249720532c076444dc02cafa93bca91c5432f3980cd22a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q4K5I1R8R9DXHRLJCVDC.temp

Filesize
7KB

MD5
feaa1956d508dbdeed50885faa0cdc77

SHA1
04d6479b0ccb0e5a9002b39fbc5a55c0ef08b3c5

SHA256
2f1da8267fd81cb15ec313a0b15686189da6d8c5be653ef8bc247de8f3d8fa43

SHA512
b1b1372145c7cab76656f0e2704fb82f2c1997073ee22df05a4bc72b594eea028b3cd5b9b9757377c4249720532c076444dc02cafa93bca91c5432f3980cd22a

Download Submit
memory/1168-2-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/1168-1-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/1168-3-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/1168-0-0x00000000010A0000-0x00000000010BA000-memory.dmp

Filesize
104KB

Download
memory/1628-27-0x000007FEEE680000-0x000007FEEF01D000-memory.dmp

Filesize
9.6MB

Download
memory/1628-20-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/1628-22-0x000007FEEE680000-0x000007FEEF01D000-memory.dmp

Filesize
9.6MB

Download
memory/1628-21-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/1628-23-0x000007FEEE680000-0x000007FEEF01D000-memory.dmp

Filesize
9.6MB

Download
memory/1628-24-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1628-25-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1628-26-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1904-49-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/1904-51-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/1904-52-0x000007FEEE680000-0x000007FEEF01D000-memory.dmp

Filesize
9.6MB

Download
memory/1904-50-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/1904-48-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/1904-47-0x000007FEEE680000-0x000007FEEF01D000-memory.dmp

Filesize
9.6MB

Download
memory/1904-46-0x000007FEEE680000-0x000007FEEF01D000-memory.dmp

Filesize
9.6MB

Download
memory/1960-62-0x0000000001350000-0x000000000136A000-memory.dmp

Filesize
104KB

Download
memory/1960-64-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/1960-63-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-34-0x000007FEEF020000-0x000007FEEF9BD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-38-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2500-36-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2500-39-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2500-35-0x000007FEEF020000-0x000007FEEF9BD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-37-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2500-40-0x000007FEEF020000-0x000007FEEF9BD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-8-0x000007FEEF020000-0x000007FEEF9BD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-13-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2756-12-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2756-11-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2756-14-0x000007FEEF020000-0x000007FEEF9BD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-9-0x000007FEEF020000-0x000007FEEF9BD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-10-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads