Overview

overview

7

Static

static

1

2570b7ad99...7f.exe

windows7-x64

7

2570b7ad99...7f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 02:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2570b7ad99f3b153558fbf1abe998f7f.exe

  • Size

    576KB

  • MD5

    2570b7ad99f3b153558fbf1abe998f7f

  • SHA1

    bb64e8fd3817a65cb1fda05901b0eade09229f0a

  • SHA256

    dcaa9cd4eeb2766a42a91e79ccde9aba1e0b4e83e2d9ba51c8f9c3844c9aa1d4

  • SHA512

    a4b4de78a9d948d3925e0fb952f9f670cae05f6114e38d3443f112d6cc90c6ff37130440d2bcbfcce8d3f61d3e9e41f76be22e1573176f0f100ab19d6d557db4

  • SSDEEP

    12288:p63oJSROXu07R9OIaVmYFiXgzTybq3OoxHkCl:Wo6Wu07RdaV9iXgybq3OoxHkC

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 24 IoCs
  • Drops file in Windows directory 10 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2570b7ad99f3b153558fbf1abe998f7f.exe
    "C:\Users\Admin\AppData\Local\Temp\2570b7ad99f3b153558fbf1abe998f7f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Users\Admin\AppData\Local\Temp\WZSF31A.tmp\whinstaller.exe
      .\whinstaller.exe /silent
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4920
      • C:\Program Files\webHancer\programs\whAgent.exe
        whAgent.exe C:\PROGRA~1\WEBHAN~1\
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WZSF31A.tmp\license.txt
    Filesize

    7KB

    MD5

    ee20d42446ae181b7bca553342143f47

    SHA1

    43b8c5a69e97c7ae48528564b75b83a5fb3f7ae7

    SHA256

    ed440e0a3712c5f8f6b263e0ef366d2e436fe23bd98d8b42734033246ca57d4b

    SHA512

    d5223beba149ebc54cfa8946a7d5039aea2439d89344a5029a0be5c6978cb9d868a9dd039954963f8dfdbd407f9e7a4ca0aaedf73e4eea1444bafa83440ffb2f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WZSF31A.tmp\readme.txt
    Filesize

    1KB

    MD5

    e4c96fc384c06da6b6e186d3a1358ee2

    SHA1

    d9f40cc0e6f39629ec33388d99b6f989ead747c8

    SHA256

    a9170533207e1c27fc07043e0627e5b2243a50b1309f1203089d88a0a7c24e3b

    SHA512

    38512da3c4da6cb43f211a323d7e1101988de7006c7ed1aaa3b04c27194608364ecdab3b873e6d9806b1814f987d5753040d8eb6fa5c68f06c2b1606676652d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WZSF31A.tmp\sporder.dll
    Filesize

    11KB

    MD5

    471789f182c0b60304ce19f023d8911d

    SHA1

    2c5e44949734650d50a6b8a47a73ee2296eb1bf7

    SHA256

    aa7db6f720c50f0705f36165c738ae5dbac3c348e814e81dfa6b018277663870

    SHA512

    c8cf49f5814375f9f72884f9753f08244f3af7ed26fa414e986ec367789e7135cccb2a4758139dd2157a3d982beea1fe99855796e2e4e050ba8c6d12be36205d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WZSF31A.tmp\wbhshare.dll
    Filesize

    28KB

    MD5

    213c1d3f003c01c84b6033c451d25191

    SHA1

    9447acbd48266a5250612a37424d4701bc4a365b

    SHA256

    91b360b7645fa6ccfa678787fda3d2598b258efbf5ce4f306be8aa45ff96c8d3

    SHA512

    79896b320cda59dacae28a444b3d3e029d148a8f99a54f3b71ee9641d8574c1c27546e87da7e8e639f1f4c195cde8be6abd9f72949f9c3af089f123d43039be2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WZSF31A.tmp\webhdll.dll
    Filesize

    36KB

    MD5

    d3120aabe92913709d59babe77ee62a8

    SHA1

    41b044c83e6cd93fc8faadaf92ae67480f63bcae

    SHA256

    510e6f5962572d44889afb0399cb8b7c936ab61c9050ac6e96751904627a08a3

    SHA512

    58a9d6bd68d5608390aba41fdc0b656d197c31a8872156e9677379d3d04f4c7fa01268e2479f06c9770adfeeecf045b5d398ca8a5f2053d96fa0bf4517a07885

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WZSF31A.tmp\whAgent.exe
    Filesize

    160KB

    MD5

    22f3d53432f0cc4d6427a9b95f610411

    SHA1

    e5ba3d30c4d877cf218c030b74fd6481675e8262

    SHA256

    33f5792af9016a279d77bd3988a824e68f198c3485e9854ca4806879138c3c70

    SHA512

    7719683eacca05a62d07a3fafdfda650af810a249eb6e75aa303f88eddb516c10b5354e137fd24422db4a5a4dc074d5568be76c8dfb003adfafc4feec46191e7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WZSF31A.tmp\whAgent.inf
    Filesize

    4KB

    MD5

    36ad94db8981bc0dc233046aff349431

    SHA1

    e6a5f085c6b3244a610f227c7ac4d79904c247c4

    SHA256

    d55bc412c7e9ffa6187cb2f7613190572e807c2fb5d3eae21b660c162028f110

    SHA512

    aac56ed389de9ede7bef12432a90b126ff3e4422fe8559bc10e315b84ebda4d83e4bc1f47de3cb32985af9d394fd58acbd94e37c33968c3fa6f0464b426c2f13

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WZSF31A.tmp\whAgent.ini
    Filesize

    17B

    MD5

    55d46b99cc8f1a7328d7f9cc2de6b934

    SHA1

    7b8efea2b0987b4ab7022ed93bc4fa1761ca7f78

    SHA256

    7becf7301a84997861b517150016ca6d6a81da177acf55b2fdfaa5d19e91dce5

    SHA512

    4efc24db3e83e3a0a332ed405c2f66920e97a9a370f3afdd38a0138584b4607bd535cf913d5be10319287464dabf44851041593b53a323db14c81329cdae5d95

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WZSF31A.tmp\whInstaller.exe
    Filesize

    32KB

    MD5

    900ad141b17288334f7ab4be462b5b11

    SHA1

    3b24ab30068e0a703043b27380b66035f4a70d7c

    SHA256

    124aaf24c247cba647e3a4fd0c8c95884158de2c3c91a5664a26c8e0b1b64b0d

    SHA512

    61ee38a695f330057b7a2fe4cfe50036146c866337f3320a658b1a9db177bb5a1270529d714e0b6d28d4526b9e98809b3c0e0b0431d692e27e39abffd09af67d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WZSF31A.tmp\whInstaller.ini
    Filesize

    760B

    MD5

    92444216a47d94516c6d1b0e054479e4

    SHA1

    922cd72930f6cb84f49847d5289d5403588dbce4

    SHA256

    9d84eed486f3ea2cf3edff1df88dad6baa29bae4e2f561925a88cc16834031f0

    SHA512

    e64f327f0dde2eb88bb0900068b79900600e7b48a2bb24df4c56347193932437bd8e8a76c7a1acdde7412fe8f00e7c79bf23c9b48e338c3cd5edbf41cc036ca6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WZSF31A.tmp\whiehlpr.dll
    Filesize

    92KB

    MD5

    a8ecc5af82efc2bb737f1971f73f72a8

    SHA1

    3589339cc49c5e416d77e690ae2fbb743b6472f5

    SHA256

    8a62a444799402d1757cab4a589a22398374c02c3f6f973b1d5f724315228b49

    SHA512

    c1c2d7b6863dc78fc6781fe5b06b5ac86870f2422b9901f418196341d791978ce4c1361af9fd4a4898c58e8e4d9703203d879af6d7cba4cf72871a70bc9a4a1e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WZSF31A.tmp\whieshm.dll
    Filesize

    28KB

    MD5

    de1788f09629177eb14431808f76e67e

    SHA1

    a4afdad1a7921f5a9f4ca9e00f7819b9ebe176d3

    SHA256

    997805b6568b5a9e85efa51067bee10f9ba1bcc354d387dffd55fe4bfea870a6

    SHA512

    337f8b8fa9307f5ad4f9ee1cf079a5b6aff7a2236e33ef5cffaf24da0cc72f6611990fb237e9366b34d20d949159386340cb4b4fe223d52ef601a91c9d64a7fa

    Download Submit