Analysis
- max time kernel: 201s
- max time network: 199s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-01-2024 11:19
Static task: static1
Behavioral task: behavioral1
- Sample: 3cb5c4680d1143e6e24fc5e1a9c1aa6b.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 3cb5c4680d1143e6e24fc5e1a9c1aa6b.exe
- Resource: win10v2004-20231215-en
General
- Target: 3cb5c4680d1143e6e24fc5e1a9c1aa6b.exe
- Size: 240KB
- MD5: 3cb5c4680d1143e6e24fc5e1a9c1aa6b
- SHA1: 180ac7df0027964a80ab1c60a706d278be630a23
- SHA256: 5b668735265bef06fca6c5d3ea333c358fab200b3e6f2493e5b2dcbbd85f9345
- SHA512: 1e0522bbdefa1a02436673365d19948794a2fa61b533e1b9f8ca2ee06852341c11a87629d9bd45dff2bc52f474ffa54e72bf07915ebda040d1b13c865e9c7715
- SSDEEP: 3072:ykBGrT8j6VlpvBd90i/SmWKLi7CjFSivnfu3fbMdozt5czII:yX0UGKGkFRKfeoztO
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 3cb5c4680d1143e6e24fc5e1a9c1aa6b.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | waibei.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | 3cb5c4680d1143e6e24fc5e1a9c1aa6b.exe
-
Executes dropped EXE (1 IoC)
pid | Process
4324 | waibei.exe
-
Adds Run key to start application (2 TTPs, 26 IoCs)
description | ioc | Process
All 26 entries are "Set value (str)" on the same key, \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waibei, each written as "C:\\Users\\Admin\\waibei.exe /<switch>" with a different switch:
- written by waibei.exe (25 entries): /q, /k, /x, /f, /a, /v, /o, /j, /c, /h, /u, /g, /t, /b, /y, /n, /r, /m, /p, /l, /w, /s, /d, /i, /z
- written by 3cb5c4680d1143e6e24fc5e1a9c1aa6b.exe (1 entry): /j
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
744 | 3cb5c4680d1143e6e24fc5e1a9c1aa6b.exe (2 entries)
4324 | waibei.exe (all remaining entries)
-
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
744 | 3cb5c4680d1143e6e24fc5e1a9c1aa6b.exe
4324 | waibei.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 744 wrote to memory of 4324 | 744 | 3cb5c4680d1143e6e24fc5e1a9c1aa6b.exe | 101 (3 identical entries)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\3cb5c4680d1143e6e24fc5e1a9c1aa6b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3cb5c4680d1143e6e24fc5e1a9c1aa6b.exe"
   PID: 744
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\waibei.exe (depth 2, child of the process above)
      Command line: "C:\Users\Admin\waibei.exe"
      PID: 4324
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-