Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 07-01-2024 07:19
Static task: static1
Behavioral task: behavioral1 (the run reported on this page; see "resource" above)
  Sample: 485c51b0fb2fbe22f7ed04375ccf40a5.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 485c51b0fb2fbe22f7ed04375ccf40a5.exe
  Resource: win10v2004-20231215-en
General
- Target: 485c51b0fb2fbe22f7ed04375ccf40a5.exe
- Size: 260KB
- MD5: 485c51b0fb2fbe22f7ed04375ccf40a5
- SHA1: 56387676b51b3061f8046e2ec5c1baae07cd7809
- SHA256: 5e1eb74a419a31dec70e77baf3c67544cbe11be0930020f517b1c26b0f5ba18e
- SHA512: 1708bb1c2e716b68f60c0ffcf06b48151b6f4b7160db6642b2be8fc8b03dc71c668782ad7564c5e15fb82349cf41571c09f4953b32697cf7701824eefb49d5b6
- SSDEEP: 3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpEc:ZY7xh6SZI4z7FSVpD
Malware Config
Signatures
- Executes dropped EXE (11 IoCs)
  PID   Process
  2592  wwbfofj.exe
  2472  wxyevvf.exe
  1872  wto.exe
  2004  wxq.exe
  1552  wmki.exe
  2892  wsnns.exe
  2588  wklso.exe
  1468  wxa.exe
  2544  wprtcmlv.exe
  2312  wyptv.exe
  2372  welx.exe
- Loads dropped DLL (47 IoCs; the report lists one row per load and names only the loading process, collapsed here into a count per process)
  PID   Process                               Loads
  2356  485c51b0fb2fbe22f7ed04375ccf40a5.exe  4
  2592  wwbfofj.exe                           4
  2472  wxyevvf.exe                           4
  1872  wto.exe                               4
  2004  wxq.exe                               4
  1552  wmki.exe                              4
  2892  wsnns.exe                             4
  2588  wklso.exe                             4
  1468  wxa.exe                               4
  2544  wprtcmlv.exe                          4
  1628  WerFault.exe                          3
  2312  wyptv.exe                             4
- Drops file in System32 directory (23 IoCs)
  Each stage writes the next stage into C:\Windows\SysWOW64 under a different name; the creating process also opens the file for modification. wpmetfyhm.exe, created by welx.exe, is the only dropped file with no matching "opened for modification" entry and the only one that never appears as a running process.
  File (under C:\Windows\SysWOW64\)  Created by                             Opened for modification by
  wwbfofj.exe                        485c51b0fb2fbe22f7ed04375ccf40a5.exe   485c51b0fb2fbe22f7ed04375ccf40a5.exe
  wxyevvf.exe                        wwbfofj.exe                            wwbfofj.exe
  wto.exe                            wxyevvf.exe                            wxyevvf.exe
  wxq.exe                            wto.exe                                wto.exe
  wmki.exe                           wxq.exe                                wxq.exe
  wsnns.exe                          wmki.exe                               wmki.exe
  wklso.exe                          wsnns.exe                              wsnns.exe
  wxa.exe                            wklso.exe                              wklso.exe
  wprtcmlv.exe                       wxa.exe                                wxa.exe
  wyptv.exe                          wprtcmlv.exe                           wprtcmlv.exe
  welx.exe                           wyptv.exe                              wyptv.exe
  wpmetfyhm.exe                      welx.exe                               -
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  PID   Target PID  Process       procid_target
  1628  2544        WerFault.exe  61
  WerFault.exe (PID 1628) handled a crash in wprtcmlv.exe (PID 2544), the tenth stage of the chain.
- Suspicious use of WriteProcessMemory (64 IoCs; every source/target pair appears four times in the report, collapsed here into a count)
  Every parent writes to the two processes it spawns: the next stage and the cmd.exe that deletes the parent's own binary. The list ends at wklso.exe (PID 2588); the later stages in the process tree carry no WriteProcessMemory entries in this report.
  Source PID  Process                               Target PID  procid_target  Writes
  2356        485c51b0fb2fbe22f7ed04375ccf40a5.exe  2592        29             4
  2356        485c51b0fb2fbe22f7ed04375ccf40a5.exe  2448        30             4
  2592        wwbfofj.exe                           2472        32             4
  2592        wwbfofj.exe                           2136        33             4
  2472        wxyevvf.exe                           1872        36             4
  2472        wxyevvf.exe                           2812        38             4
  1872        wto.exe                               2004        40             4
  1872        wto.exe                               812         42             4
  2004        wxq.exe                               1552        46             4
  2004        wxq.exe                               972         48             4
  1552        wmki.exe                              2892        50             4
  1552        wmki.exe                              892         51             4
  2892        wsnns.exe                             2588        53             4
  2892        wsnns.exe                             2580        54             4
  2588        wklso.exe                             1468        57             4
  2588        wklso.exe                             956         59             4
Processes
Each stage drops the next one into C:\Windows\SysWOW64 under a new name, runs it, and starts "cmd.exe /c del" against its own binary. The command lines name C:\Windows\system32 while the sandbox records the images under C:\Windows\SysWOW64: these are 32-bit processes running from SysWOW64 on an x64 VM, so WOW64 file-system redirection maps their view of system32 onto SysWOW64 and both paths refer to the same file. The delete can only succeed once the parent has exited and its image is no longer mapped, which is why it is handed to a separate cmd.exe. wprtcmlv.exe (PID 2544) crashed and was handled by WerFault.exe; welx.exe, the last stage to run, created wpmetfyhm.exe, but no process by that name was started. Tree depth is shown in brackets; each stage's cleanup cmd.exe is listed before the stage it spawned.
- [1] C:\Users\Admin\AppData\Local\Temp\485c51b0fb2fbe22f7ed04375ccf40a5.exe (PID 2356)
  command line: "C:\Users\Admin\AppData\Local\Temp\485c51b0fb2fbe22f7ed04375ccf40a5.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2448)
    command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\485c51b0fb2fbe22f7ed04375ccf40a5.exe"
  - [2] C:\Windows\SysWOW64\wwbfofj.exe (PID 2592)
    command line: "C:\Windows\system32\wwbfofj.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 2136)
      command line: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbfofj.exe"
    - [3] C:\Windows\SysWOW64\wxyevvf.exe (PID 2472)
      command line: "C:\Windows\system32\wxyevvf.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe (PID 2812)
        command line: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxyevvf.exe"
      - [4] C:\Windows\SysWOW64\wto.exe (PID 1872)
        command line: "C:\Windows\system32\wto.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\cmd.exe (PID 812)
          command line: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wto.exe"
        - [5] C:\Windows\SysWOW64\wxq.exe (PID 2004)
          command line: "C:\Windows\system32\wxq.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\cmd.exe (PID 972)
            command line: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxq.exe"
          - [6] C:\Windows\SysWOW64\wmki.exe (PID 1552)
            command line: "C:\Windows\system32\wmki.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\SysWOW64\cmd.exe (PID 892)
              command line: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmki.exe"
            - [7] C:\Windows\SysWOW64\wsnns.exe (PID 2892)
              command line: "C:\Windows\system32\wsnns.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in System32 directory
              - Suspicious use of WriteProcessMemory
              - [8] C:\Windows\SysWOW64\cmd.exe (PID 2580)
                command line: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsnns.exe"
              - [8] C:\Windows\SysWOW64\wklso.exe (PID 2588)
                command line: "C:\Windows\system32\wklso.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - Drops file in System32 directory
                - Suspicious use of WriteProcessMemory
                - [9] C:\Windows\SysWOW64\cmd.exe (PID 956)
                  command line: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wklso.exe"
                - [9] C:\Windows\SysWOW64\wxa.exe (PID 1468)
                  command line: "C:\Windows\system32\wxa.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Drops file in System32 directory
                  - [10] C:\Windows\SysWOW64\cmd.exe (PID 2780)
                    command line: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxa.exe"
                  - [10] C:\Windows\SysWOW64\wprtcmlv.exe (PID 2544)
                    command line: "C:\Windows\system32\wprtcmlv.exe"
                    - Executes dropped EXE
                    - Loads dropped DLL
                    - Drops file in System32 directory
                    - [11] C:\Windows\SysWOW64\cmd.exe (PID 608)
                      command line: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wprtcmlv.exe"
                    - [11] C:\Windows\SysWOW64\WerFault.exe (PID 1628)
                      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 180
                      - Loads dropped DLL
                      - Program crash
                    - [11] C:\Windows\SysWOW64\wyptv.exe (PID 2312)
                      command line: "C:\Windows\system32\wyptv.exe"
                      - Executes dropped EXE
                      - Loads dropped DLL
                      - Drops file in System32 directory
                      - [12] C:\Windows\SysWOW64\cmd.exe (PID 1060)
                        command line: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyptv.exe"
                      - [12] C:\Windows\SysWOW64\welx.exe (PID 2372)
                        command line: "C:\Windows\system32\welx.exe"
                        - Executes dropped EXE
                        - Drops file in System32 directory
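The process tree is easier to reason about as data. The script below is an added example, not part of the sandbox report and not code from the sample: it embeds the tree and the "File created" entries transcribed from this page, walks the chain from the submitted sample, checks that each stage's binary was written by its parent process, pairs each stage with the cmd.exe child that deletes that stage's binary, records the WerFault.exe attached to the crashed stage, and lists files created in SysWOW64 that never ran. The parent PIDs are inferred from the tree's depth markers (the report implies them but does not print them). The one non-obvious step is the WOW64 normalization: the `del` targets are written as C:\Windows\system32\... while the recorded image paths are C:\Windows\SysWOW64\..., and a naive string comparison would report no self-deletion at all.

```python
"""Reconstruct the drop -> execute -> self-delete chain from the sandbox report.

Added example (not sandbox code). PROCESSES and DROP_IOCS are transcribed from
this report's process tree and 'Drops file in System32 directory' signature;
parent PIDs follow from the tree depth markers. Runs offline.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\485c51b0fb2fbe22f7ed04375ccf40a5.exe"
W64 = r"C:\Windows\SysWOW64"   # where the sandbox (64-bit view) records the images
S32 = r"C:\Windows\system32"   # what the 32-bit processes put on their command lines

# (pid, ppid, image path, command line), transcribed from the process tree.
PROCESSES = [
    (2356, 0,    SAMPLE,                  f'"{SAMPLE}"'),
    (2448, 2356, rf"{W64}\cmd.exe",       rf'"{S32}\cmd.exe" /c del "{SAMPLE}"'),
    (2592, 2356, rf"{W64}\wwbfofj.exe",   rf'"{S32}\wwbfofj.exe"'),
    (2136, 2592, rf"{W64}\cmd.exe",       rf'"{S32}\cmd.exe" /c del "{S32}\wwbfofj.exe"'),
    (2472, 2592, rf"{W64}\wxyevvf.exe",   rf'"{S32}\wxyevvf.exe"'),
    (2812, 2472, rf"{W64}\cmd.exe",       rf'"{S32}\cmd.exe" /c del "{S32}\wxyevvf.exe"'),
    (1872, 2472, rf"{W64}\wto.exe",       rf'"{S32}\wto.exe"'),
    (812,  1872, rf"{W64}\cmd.exe",       rf'"{S32}\cmd.exe" /c del "{S32}\wto.exe"'),
    (2004, 1872, rf"{W64}\wxq.exe",       rf'"{S32}\wxq.exe"'),
    (972,  2004, rf"{W64}\cmd.exe",       rf'"{S32}\cmd.exe" /c del "{S32}\wxq.exe"'),
    (1552, 2004, rf"{W64}\wmki.exe",      rf'"{S32}\wmki.exe"'),
    (892,  1552, rf"{W64}\cmd.exe",       rf'"{S32}\cmd.exe" /c del "{S32}\wmki.exe"'),
    (2892, 1552, rf"{W64}\wsnns.exe",     rf'"{S32}\wsnns.exe"'),
    (2580, 2892, rf"{W64}\cmd.exe",       rf'"{S32}\cmd.exe" /c del "{S32}\wsnns.exe"'),
    (2588, 2892, rf"{W64}\wklso.exe",     rf'"{S32}\wklso.exe"'),
    (956,  2588, rf"{W64}\cmd.exe",       rf'"{S32}\cmd.exe" /c del "{S32}\wklso.exe"'),
    (1468, 2588, rf"{W64}\wxa.exe",       rf'"{S32}\wxa.exe"'),
    (2780, 1468, rf"{W64}\cmd.exe",       rf'"{S32}\cmd.exe" /c del "{S32}\wxa.exe"'),
    (2544, 1468, rf"{W64}\wprtcmlv.exe",  rf'"{S32}\wprtcmlv.exe"'),
    (608,  2544, rf"{W64}\cmd.exe",       rf'"{S32}\cmd.exe" /c del "{S32}\wprtcmlv.exe"'),
    (1628, 2544, rf"{W64}\WerFault.exe",  rf"{W64}\WerFault.exe -u -p 2544 -s 180"),
    (2312, 2544, rf"{W64}\wyptv.exe",     rf'"{S32}\wyptv.exe"'),
    (1060, 2312, rf"{W64}\cmd.exe",       rf'"{S32}\cmd.exe" /c del "{S32}\wyptv.exe"'),
    (2372, 2312, rf"{W64}\welx.exe",      rf'"{S32}\welx.exe"'),
]

# Rows from the 'Drops file in System32 directory' signature, kept in the
# report's own run-on "<action> <path> <process>" format (one row is a
# modification entry, included to show that the parser filters it out).
DROP_IOCS = (
    r"File created C:\Windows\SysWOW64\wxa.exe wklso.exe "
    r"File created C:\Windows\SysWOW64\wyptv.exe wprtcmlv.exe "
    r"File opened for modification C:\Windows\SysWOW64\welx.exe wyptv.exe "
    r"File created C:\Windows\SysWOW64\wto.exe wxyevvf.exe "
    r"File created C:\Windows\SysWOW64\wxq.exe wto.exe "
    r"File created C:\Windows\SysWOW64\wpmetfyhm.exe welx.exe "
    r"File created C:\Windows\SysWOW64\wxyevvf.exe wwbfofj.exe "
    r"File created C:\Windows\SysWOW64\wmki.exe wxq.exe "
    r"File created C:\Windows\SysWOW64\wprtcmlv.exe wxa.exe "
    r"File created C:\Windows\SysWOW64\welx.exe wyptv.exe "
    r"File created C:\Windows\SysWOW64\wsnns.exe wmki.exe "
    r"File created C:\Windows\SysWOW64\wklso.exe wsnns.exe "
    r"File created C:\Windows\SysWOW64\wwbfofj.exe 485c51b0fb2fbe22f7ed04375ccf40a5.exe"
)

DROP_RE = re.compile(r"File (created|opened for modification) (\S+) (\S+)")
DEL_RE = re.compile(r'/c\s+del\s+"([^"]+)"', re.IGNORECASE)


def normalize_wow64(path):
    """Lower-case a path and map the 32-bit view of system32 onto SysWOW64, so a
    32-bit process's command-line argument compares equal to the image path the
    sandbox recorded for the same file."""
    return path.strip('"').lower().replace("\\windows\\system32\\", "\\windows\\syswow64\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_drops(text):
    """{normalized created path: lower-cased name of the process that created it}."""
    return {normalize_wow64(m.group(2)): m.group(3).lower()
            for m in DROP_RE.finditer(text) if m.group(1) == "created"}


def build_chain(processes, drop_text):
    """Walk from the root and, per stage, record whether its binary was written by
    its parent, which cmd.exe child deletes it, and which WerFault.exe (if any)
    was attached to it. Also return dropped files that never executed."""
    drops = parse_drops(drop_text)
    by_pid = {p[0]: p for p in processes}
    children = defaultdict(list)
    for pid, ppid, _, _ in processes:
        children[ppid].append(pid)

    chain, cur = [], next(p for p in processes if p[1] not in by_pid)  # root: parent not in list
    while cur is not None:
        pid, ppid, image, _ = cur
        stage = {"pid": pid, "name": basename(image), "self_delete_pid": None, "crash_pid": None,
                 "dropped_by_parent": (drops.get(normalize_wow64(image)) == basename(by_pid[ppid][2]))
                 if ppid in by_pid else None}
        nxt = None
        for cpid in children[pid]:
            _, _, cimage, ccmd = by_pid[cpid]
            target = DEL_RE.search(ccmd)
            if basename(cimage) == "cmd.exe":
                if target and normalize_wow64(target.group(1)) == normalize_wow64(image):
                    stage["self_delete_pid"] = cpid   # cmd.exe deleting the parent's own binary
            elif basename(cimage) == "werfault.exe":
                stage["crash_pid"] = cpid
            else:
                nxt = by_pid[cpid]                      # the next stage in the chain
        chain.append(stage)
        cur = nxt

    executed = {s["name"] for s in chain}
    never_run = sorted(basename(p) for p in drops if basename(p) not in executed)
    return chain, never_run


if __name__ == "__main__":
    chain, never_run = build_chain(PROCESSES, DROP_IOCS)
    for i, s in enumerate(chain, 1):
        print(f"[{i:2}] {s['name']:<40} pid={s['pid']:<5} dropped_by_parent={s['dropped_by_parent']} "
              f"self_delete_pid={s['self_delete_pid']} crash_pid={s['crash_pid']}")
    print("dropped but never executed:", never_run)
```

Run it directly to get one line per stage plus the list of files created but never started (wpmetfyhm.exe here). The same logic works on real process-creation telemetry (for example Sysmon event ID 1) once PROCESSES is loaded from it; in that setting normalize the recorded image path as well, because a 32-bit logger and a 64-bit logger will report the same file under different directories.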
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists eleven dropped files without mapping them to names. Ten of them are 260KB, the same size as the submitted sample, yet every one has a different hash; the remaining file is 99 bytes.
- Filesize: 99B
  MD5: ca827a51e244d484eac4187cb398cd57
  SHA1: cd148d4494ada6963b39703726c45ed737317591
  SHA256: 033d5eac3e5b39843db4f253b45e7387bd57262b35a75234daf0e91dde7e6b37
  SHA512: 6dd36548411cc19699dfc78b7aec6a6b160dc56f144c381d750cf1e7b7d78391cb43d63eb02950f3e2e6166a372576aa1a89164150751dfd9a8f290562b00f08
- Filesize: 260KB
  MD5: c3f8a7bbd1252b5ce9e554136c2aea12
  SHA1: 2bab02b10c4e4ad75202c726205c2cec228a7b0e
  SHA256: 26d012c6f434ddc56c3015abcbb31d9bf9ff0d2d9edcc9ab3c6efd5812a5f4e3
  SHA512: ae51d8904bbcfe4f7d6b79b81ef2e718598fc7f2296f9a47bb4217db250b955a64118fa364fd190d1729e73d979ab92bd8548bfdd2e90787536a58746cc3f23a
- Filesize: 260KB
  MD5: 3608520571462addec5bb5a85db1f6e4
  SHA1: 7385bd510c34632970063d2f747672cf84f2a265
  SHA256: 08d7e38daa1105c8c69f4f0f4f1c7acb711d98349ada53a721331f3367ae12bf
  SHA512: 5464745e2c973b303cc5a1a0e62e09ed7c5b7afc1a38d57f6baaf95c01d469425b5eff05bc2795225aef43d1a6be73df610b42013d03c9902f24e022ad5da1f2
- Filesize: 260KB
  MD5: f4a0464eef841b6c52aa9ec76eec8c2a
  SHA1: bfbb656daa660d25934681bb0590b9856704ace7
  SHA256: 170c1e5440fbf9b666aaf1854198d8eadcc8db3cdcd9ab53e5fd221e975a989a
  SHA512: bd8c209c4b265aab5b92de60994aa57e5d3be74e3fdc5c93d620a10f40fb6b2f51f7ba30ce8d2fb51f08c82697fff70860c81ceeef451828b0721e64de5953e6
- Filesize: 260KB
  MD5: 33427c4c6b4ae54e2a3c54af435198c5
  SHA1: 51a9b1189696e8bbab351bca4fe07732712fe0db
  SHA256: f23bb6979ae0ba3b67aa1fbbda303fb29a1d778c4d96154e91973e07e5c6ad9d
  SHA512: 68933f7c039d287622329c05fdd99c73bb333002918412d41897bc0ae759843f223a693363ce57490fefe766594ece9d4c0f134e1d91c3dc3f271d6276bfb372
- Filesize: 260KB
  MD5: 31e762f09ac7026d630222016f18bf49
  SHA1: a4e93d0b2a9be57996a836653040d6c014da5e4d
  SHA256: 48f649335511b6570f3a3b0ef1cbcb9f2af79b6443a23ad614e645fede8dc2a2
  SHA512: 059b4a74ca795c450ef9290cbbc93fb9f8e1e99916f511231e9c2e3b9618f51b052eccfb0c472642c13fd3179dfdee531aff5aa8326a0fa49b23e0ebec97cb6d
- Filesize: 260KB
  MD5: 82d790fa0d5dd64e79c4a32acef20eee
  SHA1: 2e976c98739748a3dc9a9431b6d6d2cb4c7aa1b4
  SHA256: ea5e07d8bc3937cdc8d5723c13f04c624eb2867910102e2897c5e8cf7c649c29
  SHA512: 01989b9d3f482d8042340cc11f3bcee5329c514b5f6e8c40ab51a4c4dfcda24d2aa379c4395dca1ac8c4183b1d553a1e17c53ead173751568847e806b31ec338
- Filesize: 260KB
  MD5: 4b9db5d01b242950c8cb8a069f70d229
  SHA1: dd9555e43304d31469f961a206524469a3314331
  SHA256: a2a7626d264b768d5485aef8540afc3793b506b62994054b3c81594f5b808af1
  SHA512: fa4b8fc056f5e72a443cea9a8122700e90a71b8336012e5f86f17079168594f1b9deeadf948605f2d4e711a9775e61ec74734ee066ae904a65d2e0d9d89b5521
- Filesize: 260KB
  MD5: a72da811aa7a175326c19289ebf3a3dd
  SHA1: f18a2b96f3e00ba7335fb6f0357ef5f53e4f5749
  SHA256: 9d5b6730d312d1c94f7ffe959839cdbeed10912fdce64e7e83c2212f2a399bb7
  SHA512: df5441a64c8c7d4ed2786fa7c7b7a62679bec4ef920c80a84b37565e194d3a1cb9e0c875234ffe1a0893485d0e58f73c012c3f90a0ed8d525c043d4608d42fa2
- Filesize: 260KB
  MD5: e3baa67d0f7f5e169ef6fb93c9419146
  SHA1: 46903f250d1761e8c66c2fde5e50dd12ee7f96d2
  SHA256: e493aafcab981c97f1454ee64f677b69f21d7e89c980671cbc983ad89de3be2a
  SHA512: 8247bf31dfd2418f42a7e441d54cf8fde298e8ecbaa865500f02ecebb139f06b2a98cd552cf270462282b5a2b77f2ccd07490e612faacc95a9d37fabe48df238
- Filesize: 260KB
  MD5: ce5c620562959abeff25a842a7650e24
  SHA1: 2c514cb9e6a73f6023b48ac14e4b0d545068b622
  SHA256: 0d75908b31a5e4aedcbd3a8c2aa487d9b8d878e5c3b71ca7de22629cb1aa83f3
  SHA512: c8c3db4eb19bb3fc7e913b665d2c28832ae8d2ea476fea7bcd1afb7fbe4e35dab1df920eb5c6cf40ce73d6b74d661ca956a9b2569fc0cb6991223c256c5ab706