749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4

Analysis

max time kernel
151s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
Size

565KB
MD5

27601d095e5b3761d9289584415a73cc
SHA1

9570f23b5abe2ef46a23ded17adb2fb6c203a201
SHA256

749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4
SHA512

066263bf8f11d48b4e3715b8962686e0ca32aa8647b642a193b5331513538a44bb49edad5ef6a08ae6cc6401504fadc7adf38efb07c9ae9560e947aac443e0e7
SSDEEP

12288:REqmA0wfzInoQJUi1KHvQtzDNfo1arLaLRvs+Jkp/eH:RHmSyo+Ui13zZCI7+up/eH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2264	WombatStarter.exe
2460	HPWombatSrv.exe

Loads dropped DLL 11 IoCs

pid	Process
2408	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
2408	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
2408	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
2460	HPWombatSrv.exe
2460	HPWombatSrv.exe
2460	HPWombatSrv.exe
2460	HPWombatSrv.exe
2460	HPWombatSrv.exe
2460	HPWombatSrv.exe
2460	HPWombatSrv.exe
2460	HPWombatSrv.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HPWombat\uninstaller.exe	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
File created	C:\Program Files (x86)\HPWombat\Resources\Icons\Browsers\1.ico	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
File created	C:\Program Files (x86)\HPWombat\Resources\Icons\Browsers\2.ico	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
File created	C:\Program Files (x86)\HPWombat\Resources\Icons\Browsers\3.ico	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
File created	C:\Program Files (x86)\HPWombat\Resources\Icons\Browsers\4.ico	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
File created	C:\Program Files (x86)\HPWombat\Resources\Icons\Browsers\5.ico	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
File created	C:\Program Files (x86)\HPWombat\HPWombatSrv.exe	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
File created	C:\Program Files (x86)\HPWombat\WombatStarter.exe	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	HPWombatSrv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	HPWombatSrv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	HPWombatSrv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	HPWombatSrv.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2408	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
2408	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2264	2408	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe	28
PID 2408 wrote to memory of 2264	2408	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe	28
PID 2408 wrote to memory of 2264	2408	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe	28
PID 2408 wrote to memory of 2264	2408	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe	28

C:\Users\Admin\AppData\Local\Temp\749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
"C:\Users\Admin\AppData\Local\Temp\749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Program Files (x86)\HPWombat\WombatStarter.exe
  "C:\Program Files (x86)\HPWombat\WombatStarter.exe" "install_and_start_srv" "C:\Users\Admin\AppData\Local\Temp\749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe"
  2⤵
  - Executes dropped EXE
  PID:2264

C:\Program Files (x86)\HPWombat\HPWombatSrv.exe
"C:\Program Files (x86)\HPWombat\HPWombatSrv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HPWombat\HPWombatSrv.exe

Filesize
2.4MB

MD5
bac2e4856879885af0251cb4cbb3d521

SHA1
a8d3f6492e20e775c84f16a8ca6683a2c1aabc2d

SHA256
18dd7fe65140120d10004e475effb1ce386d8f280094429f4654882120899d73

SHA512
5d550a67764a54145808a12953435a5dd75d1bea8200f2872e288f1eb9f8c0b798db539289950b2c42a0cac4a55689fc65427d1c97afdf83a10881a74d7a1935

Download Submit
C:\Program Files (x86)\HPWombat\WombatStarter.exe

Filesize
1.3MB

MD5
d23253f3a323a0a7c8ecfb08e1e0aa74

SHA1
497bbf7fa1655f7fd921239a00d46c32acebf59d

SHA256
78d7891f42d40171373088aff1bda3fbd5ed4275ac0166a0cfcc7c8001ed4b70

SHA512
cc5072793d2bcefda3d59e145996bbeb47eac8a6887b7472d2ce3d64bcf46a3c9cd97a663920f4510e1ca6626258354dbc4e758a759b089f58d86fa8a4cb7b3d

Download Submit
C:\Program Files (x86)\HPWombat\WombatStarter.exe

Filesize
1.3MB

MD5
d23253f3a323a0a7c8ecfb08e1e0aa74

SHA1
497bbf7fa1655f7fd921239a00d46c32acebf59d

SHA256
78d7891f42d40171373088aff1bda3fbd5ed4275ac0166a0cfcc7c8001ed4b70

SHA512
cc5072793d2bcefda3d59e145996bbeb47eac8a6887b7472d2ce3d64bcf46a3c9cd97a663920f4510e1ca6626258354dbc4e758a759b089f58d86fa8a4cb7b3d

Download Submit
C:\Program Files (x86)\HPWombat\WombatStarter.exe

Filesize
1.3MB

MD5
d23253f3a323a0a7c8ecfb08e1e0aa74

SHA1
497bbf7fa1655f7fd921239a00d46c32acebf59d

SHA256
78d7891f42d40171373088aff1bda3fbd5ed4275ac0166a0cfcc7c8001ed4b70

SHA512
cc5072793d2bcefda3d59e145996bbeb47eac8a6887b7472d2ce3d64bcf46a3c9cd97a663920f4510e1ca6626258354dbc4e758a759b089f58d86fa8a4cb7b3d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firеfох.lnk

Filesize
1KB

MD5
0582dd344f72cdcae5d383aeb20bb904

SHA1
de62358d82209f0597247c7751bcb2c9e612895f

SHA256
2909c76cd3eafefe6d3f4944cf47528332ae725684cae94ab805879b09716e85

SHA512
12ca610aad9a3bff21745537e3bbd299d121379bead3136a61e1e92d8b21417a653d79d21894e4e6dc43c33177f359a157c4844ff6773a163c737d976b79ec4e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk

Filesize
1KB

MD5
793eded296e70fa3d0243c104027d075

SHA1
09bdcfe31ea3fa8c37499ee9f1e751cc939f6020

SHA256
d6014f41b58387599a04b7440169700386ef72cfb03d332a3e1ad857ba72bb7e

SHA512
c30e7eff8f4af2d22b6cdc91214d194bc4738571c841e94d38d4ab58fbb8b1d454fdf4daf74c36e8bc92d1366fa7f857fb953bf516bca9f3f177baa4fb61631f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy560E.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gооglе Сhrоmе.lnk

Filesize
2KB

MD5
9d0ccf6cd707cfd092d02d5975b6d52d

SHA1
861a8187ca08bb673aa56ebb78c2f47626a55068

SHA256
9bd856764a4c32b5bf9d0003817302fa3ad92ea6126f7fc291e4435f35331650

SHA512
1333541879b17dff75f80160b2f8bf02630ff582742c587e2f71e82efd77f22efdbd5162217c04e30ab658b75c82b0fd71be1c5cf8675d5e94f8244829d938f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Intеrnеt Ехрlоrеr.lnk

Filesize
1KB

MD5
dd83b4170083666b0c104656418d025a

SHA1
48b9c4be4412e0038897f3f051ce9675ef079602

SHA256
7dfc8fe08e35eba2a46869f22611ad2e83cc06a5a023bd2880a3dcc748a2c17f

SHA512
161996894674e530701bd6cdf9e238b5fbc0147438bf6f080d1a91f3dae7272ee2cd6c5c51801070c4ee46c1e9bfac4f766d0977200cb7a95790a0e81c0d6198

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Intеrnеt Ехрlоrеr (Nо Аdd-оns).lnk

Filesize
2KB

MD5
08f7bdaa6434168e80aeb2ed62aff58a

SHA1
135735705deefc34ac55ff0f8638150fb094726a

SHA256
43afbf966bd146910926b2145ce4b11c63936fdfc5999c3061c7987cb12326b4

SHA512
350c342bfae95640b92404187ff49d920f2c437574682d3d156badd6fa010c471b00106fe4249a68d26944244ba9b9cb16dbe25d4239fab91d0de0f8f701a5ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Ехрlоrеr.lnk

Filesize
2KB

MD5
f93b36090db5281b608fc2cd53d8394a

SHA1
3c88d485ece9623cf655479d914c60fd33f14fc5

SHA256
86ec66ccb9cb8a266b027d8446aef1ff6246df7d03388df9f8547cae88db7c29

SHA512
de51fad08a1017ccd547a7fc9b9c2b4199b251efcce8511d2419ca3d0c9239b543da20ea97e42e6cc3ca0c2812b49909e25af47e42c1bb989ff1b2af83ec80b7

Download Submit
C:\Users\Public\Desktop\Firеfох.lnk

Filesize
1KB

MD5
2ebc84c8d5777bc749933c6de18c6259

SHA1
9eb8871ff42b2fdfabd40870501ad491799ae5cc

SHA256
2c1e1dfdae7304ee2f00937b60b8c680ee57112fa7dcd80f8648df7b1f052f77

SHA512
16d6e1a72b48984b304c1eb1a0c76bbce8a050f71bd2928d94d3c769859004d53e2db29b0cf17544349e86f9b063d8fecdcaa1a1dc52ea1f0e1f48cf483db01c

Download Submit
C:\Users\Public\Desktop\Gооglе Сhrоmе.lnk

Filesize
1KB

MD5
abd2131cc21e731f7e9b88454c664fa6

SHA1
31aa550163d0e93bdda90bd6de85357099f75c18

SHA256
3afa8c157d736e823918da21a27e25187c4790fc631ea8094a8148832bc1ca64

SHA512
a78f061cc44e5a125c27139f6d95f8bc8c0d373204a2a145c56f9cc732fbcdbf9b87d12a0195554f19cfe56120b87581e37745e274e8118a49df13e0e2cc9339

Download Submit
\Program Files (x86)\HPWombat\WombatStarter.exe

Filesize
1.3MB

MD5
d23253f3a323a0a7c8ecfb08e1e0aa74

SHA1
497bbf7fa1655f7fd921239a00d46c32acebf59d

SHA256
78d7891f42d40171373088aff1bda3fbd5ed4275ac0166a0cfcc7c8001ed4b70

SHA512
cc5072793d2bcefda3d59e145996bbeb47eac8a6887b7472d2ce3d64bcf46a3c9cd97a663920f4510e1ca6626258354dbc4e758a759b089f58d86fa8a4cb7b3d

Download Submit
\Program Files (x86)\HPWombat\WombatStarter.exe

Filesize
1.3MB

MD5
d23253f3a323a0a7c8ecfb08e1e0aa74

SHA1
497bbf7fa1655f7fd921239a00d46c32acebf59d

SHA256
78d7891f42d40171373088aff1bda3fbd5ed4275ac0166a0cfcc7c8001ed4b70

SHA512
cc5072793d2bcefda3d59e145996bbeb47eac8a6887b7472d2ce3d64bcf46a3c9cd97a663920f4510e1ca6626258354dbc4e758a759b089f58d86fa8a4cb7b3d

Download Submit
\Program Files (x86)\HPWombat\WombatStarter.exe

Filesize
1.3MB

MD5
d23253f3a323a0a7c8ecfb08e1e0aa74

SHA1
497bbf7fa1655f7fd921239a00d46c32acebf59d

SHA256
78d7891f42d40171373088aff1bda3fbd5ed4275ac0166a0cfcc7c8001ed4b70

SHA512
cc5072793d2bcefda3d59e145996bbeb47eac8a6887b7472d2ce3d64bcf46a3c9cd97a663920f4510e1ca6626258354dbc4e758a759b089f58d86fa8a4cb7b3d

Download Submit
\Program Files (x86)\HPWombat\WombatStarter.exe

Filesize
1.3MB

MD5
d23253f3a323a0a7c8ecfb08e1e0aa74

SHA1
497bbf7fa1655f7fd921239a00d46c32acebf59d

SHA256
78d7891f42d40171373088aff1bda3fbd5ed4275ac0166a0cfcc7c8001ed4b70

SHA512
cc5072793d2bcefda3d59e145996bbeb47eac8a6887b7472d2ce3d64bcf46a3c9cd97a663920f4510e1ca6626258354dbc4e758a759b089f58d86fa8a4cb7b3d

Download Submit
\Program Files (x86)\HPWombat\WombatStarter.exe

Filesize
1.3MB

MD5
d23253f3a323a0a7c8ecfb08e1e0aa74

SHA1
497bbf7fa1655f7fd921239a00d46c32acebf59d

SHA256
78d7891f42d40171373088aff1bda3fbd5ed4275ac0166a0cfcc7c8001ed4b70

SHA512
cc5072793d2bcefda3d59e145996bbeb47eac8a6887b7472d2ce3d64bcf46a3c9cd97a663920f4510e1ca6626258354dbc4e758a759b089f58d86fa8a4cb7b3d

Download Submit
\Program Files (x86)\HPWombat\WombatStarter.exe

Filesize
1.3MB

MD5
d23253f3a323a0a7c8ecfb08e1e0aa74

SHA1
497bbf7fa1655f7fd921239a00d46c32acebf59d

SHA256
78d7891f42d40171373088aff1bda3fbd5ed4275ac0166a0cfcc7c8001ed4b70

SHA512
cc5072793d2bcefda3d59e145996bbeb47eac8a6887b7472d2ce3d64bcf46a3c9cd97a663920f4510e1ca6626258354dbc4e758a759b089f58d86fa8a4cb7b3d

Download Submit
\Program Files (x86)\HPWombat\WombatStarter.exe

Filesize
1.3MB

MD5
d23253f3a323a0a7c8ecfb08e1e0aa74

SHA1
497bbf7fa1655f7fd921239a00d46c32acebf59d

SHA256
78d7891f42d40171373088aff1bda3fbd5ed4275ac0166a0cfcc7c8001ed4b70

SHA512
cc5072793d2bcefda3d59e145996bbeb47eac8a6887b7472d2ce3d64bcf46a3c9cd97a663920f4510e1ca6626258354dbc4e758a759b089f58d86fa8a4cb7b3d

Download Submit
\Program Files (x86)\HPWombat\WombatStarter.exe

Filesize
1.3MB

MD5
d23253f3a323a0a7c8ecfb08e1e0aa74

SHA1
497bbf7fa1655f7fd921239a00d46c32acebf59d

SHA256
78d7891f42d40171373088aff1bda3fbd5ed4275ac0166a0cfcc7c8001ed4b70

SHA512
cc5072793d2bcefda3d59e145996bbeb47eac8a6887b7472d2ce3d64bcf46a3c9cd97a663920f4510e1ca6626258354dbc4e758a759b089f58d86fa8a4cb7b3d

Download Submit
\Program Files (x86)\HPWombat\WombatStarter.exe

Filesize
1.3MB

MD5
d23253f3a323a0a7c8ecfb08e1e0aa74

SHA1
497bbf7fa1655f7fd921239a00d46c32acebf59d

SHA256
78d7891f42d40171373088aff1bda3fbd5ed4275ac0166a0cfcc7c8001ed4b70

SHA512
cc5072793d2bcefda3d59e145996bbeb47eac8a6887b7472d2ce3d64bcf46a3c9cd97a663920f4510e1ca6626258354dbc4e758a759b089f58d86fa8a4cb7b3d

Download Submit
\Program Files (x86)\HPWombat\WombatStarter.exe

Filesize
1.3MB

MD5
d23253f3a323a0a7c8ecfb08e1e0aa74

SHA1
497bbf7fa1655f7fd921239a00d46c32acebf59d

SHA256
78d7891f42d40171373088aff1bda3fbd5ed4275ac0166a0cfcc7c8001ed4b70

SHA512
cc5072793d2bcefda3d59e145996bbeb47eac8a6887b7472d2ce3d64bcf46a3c9cd97a663920f4510e1ca6626258354dbc4e758a759b089f58d86fa8a4cb7b3d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy560E.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit