10610db8df272f408d0b67b16c845e4f76519dd43d3cc3de4574c859af1fb463

Analysis

max time kernel
209s
max time network
222s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2024 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4521b0b85ca8b55d61e30f99ed36ea26.exe
Size

257KB
MD5

4521b0b85ca8b55d61e30f99ed36ea26
SHA1

90b0732b2ccab0b3150979916a60329a8b42f91d
SHA256

10610db8df272f408d0b67b16c845e4f76519dd43d3cc3de4574c859af1fb463
SHA512

e14e5178f416e5b60390481870b282ee3e8545ca73e7d13412426a441ed27f1778133bec7905f46fd5b562bfd911e288ee5627029c0fabdeae553fb084e609c9
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpKA9:ZY7xh6SZI4z7FSVp19

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	wfexor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	4521b0b85ca8b55d61e30f99ed36ea26.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	wbolmnkj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	wwaky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	wmnasg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	wdvitd.exe

Executes dropped EXE 6 IoCs

pid	Process
3680	wbolmnkj.exe
2568	wwaky.exe
1792	wmnasg.exe
1556	wdvitd.exe
4852	wfexor.exe
2568	wwxrng.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wdvitd.exe	wmnasg.exe
File opened for modification	C:\Windows\SysWOW64\wdvitd.exe	wmnasg.exe
File created	C:\Windows\SysWOW64\wfexor.exe	wdvitd.exe
File created	C:\Windows\SysWOW64\wbolmnkj.exe	4521b0b85ca8b55d61e30f99ed36ea26.exe
File opened for modification	C:\Windows\SysWOW64\wbolmnkj.exe	4521b0b85ca8b55d61e30f99ed36ea26.exe
File created	C:\Windows\SysWOW64\wwaky.exe	wbolmnkj.exe
File opened for modification	C:\Windows\SysWOW64\wwaky.exe	wbolmnkj.exe
File created	C:\Windows\SysWOW64\wmnasg.exe	wwaky.exe
File opened for modification	C:\Windows\SysWOW64\wmnasg.exe	wwaky.exe
File opened for modification	C:\Windows\SysWOW64\wfexor.exe	wdvitd.exe
File created	C:\Windows\SysWOW64\wwxrng.exe	wfexor.exe
File opened for modification	C:\Windows\SysWOW64\wwxrng.exe	wfexor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2276	1792	WerFault.exe	106

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 3680	4372	4521b0b85ca8b55d61e30f99ed36ea26.exe	99
PID 4372 wrote to memory of 3680	4372	4521b0b85ca8b55d61e30f99ed36ea26.exe	99
PID 4372 wrote to memory of 3680	4372	4521b0b85ca8b55d61e30f99ed36ea26.exe	99
PID 4372 wrote to memory of 2532	4372	4521b0b85ca8b55d61e30f99ed36ea26.exe	101
PID 4372 wrote to memory of 2532	4372	4521b0b85ca8b55d61e30f99ed36ea26.exe	101
PID 4372 wrote to memory of 2532	4372	4521b0b85ca8b55d61e30f99ed36ea26.exe	101
PID 3680 wrote to memory of 2568	3680	wbolmnkj.exe	103
PID 3680 wrote to memory of 2568	3680	wbolmnkj.exe	103
PID 3680 wrote to memory of 2568	3680	wbolmnkj.exe	103
PID 3680 wrote to memory of 2896	3680	wbolmnkj.exe	105
PID 3680 wrote to memory of 2896	3680	wbolmnkj.exe	105
PID 3680 wrote to memory of 2896	3680	wbolmnkj.exe	105
PID 2568 wrote to memory of 1792	2568	wwaky.exe	106
PID 2568 wrote to memory of 1792	2568	wwaky.exe	106
PID 2568 wrote to memory of 1792	2568	wwaky.exe	106
PID 2568 wrote to memory of 4256	2568	wwaky.exe	107
PID 2568 wrote to memory of 4256	2568	wwaky.exe	107
PID 2568 wrote to memory of 4256	2568	wwaky.exe	107
PID 1792 wrote to memory of 1556	1792	wmnasg.exe	111
PID 1792 wrote to memory of 1556	1792	wmnasg.exe	111
PID 1792 wrote to memory of 1556	1792	wmnasg.exe	111
PID 1792 wrote to memory of 2120	1792	wmnasg.exe	112
PID 1792 wrote to memory of 2120	1792	wmnasg.exe	112
PID 1792 wrote to memory of 2120	1792	wmnasg.exe	112
PID 1556 wrote to memory of 4852	1556	wdvitd.exe	117
PID 1556 wrote to memory of 4852	1556	wdvitd.exe	117
PID 1556 wrote to memory of 4852	1556	wdvitd.exe	117
PID 1556 wrote to memory of 4064	1556	wdvitd.exe	119
PID 1556 wrote to memory of 4064	1556	wdvitd.exe	119
PID 1556 wrote to memory of 4064	1556	wdvitd.exe	119
PID 4852 wrote to memory of 2568	4852	wfexor.exe	123
PID 4852 wrote to memory of 2568	4852	wfexor.exe	123
PID 4852 wrote to memory of 2568	4852	wfexor.exe	123
PID 4852 wrote to memory of 740	4852	wfexor.exe	124
PID 4852 wrote to memory of 740	4852	wfexor.exe	124
PID 4852 wrote to memory of 740	4852	wfexor.exe	124

C:\Users\Admin\AppData\Local\Temp\4521b0b85ca8b55d61e30f99ed36ea26.exe
"C:\Users\Admin\AppData\Local\Temp\4521b0b85ca8b55d61e30f99ed36ea26.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\SysWOW64\wbolmnkj.exe
  "C:\Windows\system32\wbolmnkj.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\wwaky.exe
    "C:\Windows\system32\wwaky.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\wmnasg.exe
      "C:\Windows\system32\wmnasg.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Windows\SysWOW64\wdvitd.exe
        
        "C:\Windows\system32\wdvitd.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1556
      - C:\Windows\SysWOW64\wfexor.exe
        
        "C:\Windows\system32\wfexor.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\wwxrng.exe
        
        "C:\Windows\system32\wwxrng.exe"
        7⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfexor.exe"
        7⤵
        
        PID:740
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdvitd.exe"
        6⤵
        
        PID:4064
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmnasg.exe"
        5⤵
        
        PID:2120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1104
        5⤵
        Program crash
        
        PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwaky.exe"
      4⤵
      PID:4256
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbolmnkj.exe"
    3⤵
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\4521b0b85ca8b55d61e30f99ed36ea26.exe"
  2⤵
  PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1792 -ip 1792
1⤵
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wbolmnkj.exe

Filesize
257KB

MD5
b6c4dfe89956153ccfc62181e4c82413

SHA1
284a955af2855da7242039a30cd7fec75b55589e

SHA256
0f8d4d282134b4f0bd925a2da9634d4cb10a1f8f8554c61198750b18f40a99ae

SHA512
79dd0d311602924be53710c032ee6463ee9fa441c5462fc4b1f5b512d93d25b155aea857d5cd060c33bc521632f67a32858846ab476c3b71bd9db13dd6c4dc98

Download Submit
C:\Windows\SysWOW64\wdvitd.exe

Filesize
257KB

MD5
9dcfb3dbd1f6975356d61333ff62c0a0

SHA1
dd3c1c7e77946382eaa02b635b401a348339aca3

SHA256
aabc685fd1cbbde80eb27addfcfa97282b755dd444bf2a06de218653499a7614

SHA512
db0e0cd525ec4c34130da93614cbd0178ae9668c4140dcc281d0c84b52dc4f897ee00de61d0344e0753308ce091918c024b24f3d4baf57cf531f08935b58614f

Download Submit
C:\Windows\SysWOW64\wdvitd.exe

Filesize
239KB

MD5
d7e5002e8a238fe15ea0379a6a4ef1df

SHA1
cc207f581c47d1f5198ca33c42e8a17fc7bcf971

SHA256
b0fa34da5afa6dd0c019b11ebefa66b25343aa3d4a194c1077913466ebf0a591

SHA512
fe763c31ecb77f595caa54ce2dc744af403a3eedb996c0a9546e90841ef7ab99a1e02cebfa637154df0207e73672d5fb1fcfacb2ec065f1f9002612a96c39fab

Download Submit
C:\Windows\SysWOW64\wfexor.exe

Filesize
257KB

MD5
55db860d6de592af2f0b4b45c7e64c08

SHA1
91e7600790e00cdfdf22ae1e1ff9826e53c8ee60

SHA256
5d0c5956ce56e37b3c75b19217b9155b7476f34e1b7db2781794703a1a20928a

SHA512
4aaf00919a01bb854391c809bf7497c74e7a71897a12ce2aa967216676998ab90b01ee52479341b3e93576d555645126a06437c00bfd6dd14f6174919cb96d15

Download Submit
C:\Windows\SysWOW64\wmnasg.exe

Filesize
257KB

MD5
65a099c66f75ff2923da8d9969894b2f

SHA1
ef44ec0444f97f4946b736f9bb8ca900174c6e7f

SHA256
b9a4ce36da57d9f3021a7b853c632062d6a1557d814aad45409a5db25777c519

SHA512
ca9ef5d14283ada57232f9711f7de0c41c0d0d55bc70c580b0f011fd7a078d6fc7cb581f8d589685bc02f936c5f62ee1de2ed4b36a265cefaadd6ef0d2d5d5c1

Download Submit
C:\Windows\SysWOW64\wwaky.exe

Filesize
257KB

MD5
5458d5edafd4c2e70871c327d4224011

SHA1
298dc2723e478a7c162086809b2017e1a5d7a1c2

SHA256
c0795fe95a1385c8c20cc318ef5341916c11ae2150bacfb9486c1c8128547d71

SHA512
286686bb1f06d45d12d424a99e2da760f669ff1ff8bbb32340ab2083b64e51a5b03d2985acbe2249db277064696e9406692ac106612453a432e1453e6910f157

Download Submit
C:\Windows\SysWOW64\wwxrng.exe

Filesize
257KB

MD5
5ebd0b67af3b6c8704a6e29d6067f8a8

SHA1
589ff3a37eabf71da77ff3d1d65462533a0be80a

SHA256
71ab03ef6583c4c7a7d7239482e084bedeb70150ed91041acee5b641bac7e0da

SHA512
735fd63ad430784ce357d0e3cc00fed2fe783325403bb51f055e949b3180ada144e87afc295da1abc23d278e35913978ef6249a48581f0c789eb84fad3aa53df

Download Submit
memory/1556-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1792-50-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2568-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3680-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4372-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4372-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4372-1-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4852-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4852-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download