Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-01-2024 07:19

General

  • Target

    485c51b0fb2fbe22f7ed04375ccf40a5.exe

  • Size

    260KB

  • MD5

    485c51b0fb2fbe22f7ed04375ccf40a5

  • SHA1

    56387676b51b3061f8046e2ec5c1baae07cd7809

  • SHA256

    5e1eb74a419a31dec70e77baf3c67544cbe11be0930020f517b1c26b0f5ba18e

  • SHA512

    1708bb1c2e716b68f60c0ffcf06b48151b6f4b7160db6642b2be8fc8b03dc71c668782ad7564c5e15fb82349cf41571c09f4953b32697cf7701824eefb49d5b6

  • SSDEEP

    3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpEc:ZY7xh6SZI4z7FSVpD

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 47 IoCs
  • Drops file in System32 directory 23 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\485c51b0fb2fbe22f7ed04375ccf40a5.exe
    "C:\Users\Admin\AppData\Local\Temp\485c51b0fb2fbe22f7ed04375ccf40a5.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\SysWOW64\wwbfofj.exe
      "C:\Windows\system32\wwbfofj.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\SysWOW64\wxyevvf.exe
        "C:\Windows\system32\wxyevvf.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:2472
        • C:\Windows\SysWOW64\wto.exe
          "C:\Windows\system32\wto.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1872
          • C:\Windows\SysWOW64\wxq.exe
            "C:\Windows\system32\wxq.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2004
            • C:\Windows\SysWOW64\wmki.exe
              "C:\Windows\system32\wmki.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:1552
              • C:\Windows\SysWOW64\wsnns.exe
                "C:\Windows\system32\wsnns.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:2892
                • C:\Windows\SysWOW64\wklso.exe
                  "C:\Windows\system32\wklso.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:2588
                  • C:\Windows\SysWOW64\wxa.exe
                    "C:\Windows\system32\wxa.exe"
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    PID:1468
                    • C:\Windows\SysWOW64\wprtcmlv.exe
                      "C:\Windows\system32\wprtcmlv.exe"
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      PID:2544
                      • C:\Windows\SysWOW64\wyptv.exe
                        "C:\Windows\system32\wyptv.exe"
                        11⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        PID:2312
                        • C:\Windows\SysWOW64\welx.exe
                          "C:\Windows\system32\welx.exe"
                          12⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          PID:2372
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyptv.exe"
                          12⤵
                          PID:1060
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wprtcmlv.exe"
                        11⤵
                        PID:608
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 180
                        11⤵
                        • Loads dropped DLL
                        • Program crash
                        PID:1628
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxa.exe"
                      10⤵
                      PID:2780
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wklso.exe"
                    9⤵
                    PID:956
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsnns.exe"
                  8⤵
                  PID:2580
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmki.exe"
                7⤵
                PID:892
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxq.exe"
              6⤵
              PID:972
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wto.exe"
            5⤵
            PID:812
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxyevvf.exe"
          4⤵
          PID:2812
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwbfofj.exe"
        3⤵
        PID:2136
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\485c51b0fb2fbe22f7ed04375ccf40a5.exe"
      2⤵
      PID:2448
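The process tree above shows one pattern repeated eleven times: each process writes a randomly named copy of itself into System32, runs it, and then spawns `cmd.exe /c del` against its own image file. The script below is an added example (not sandbox output and not part of the original report) that rebuilds the tree from the listing and checks that pattern mechanically. The EVENTS list is transcribed by hand from the Processes section (pid, the depth marker N in "N⤵", image path, command line); the parent of each entry is inferred from its depth, which is an assumption about how the listing is ordered. One detail worth noting for anyone writing a detection on this: the command lines say `C:\Windows\system32\...` while the recorded image paths are under `SysWOW64`, because the 32-bit dropper is subject to WoW64 file system redirection, so a naive string comparison of "deleted path" against "parent image" never matches.

```python
"""Rebuild the process tree from the report above and flag the
drop-execute-delete chain it shows.

Added example, not sandbox output: EVENTS is transcribed by hand from the
Processes section (pid, depth marker, image path, command line), and the
parent of each entry is inferred from its depth (an assumption).
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

W = r"C:\Windows\SysWOW64"   # where the 32-bit dropper's files actually land
S = r"C:\Windows\system32"   # what its command lines say (WoW64 redirection)
T = r"C:\Users\Admin\AppData\Local\Temp\485c51b0fb2fbe22f7ed04375ccf40a5.exe"


def exe(pid, depth, name):
    return (pid, depth, f"{W}\\{name}", f'"{S}\\{name}"')


def cmd(pid, depth, target):
    return (pid, depth, f"{W}\\cmd.exe", f'"{S}\\cmd.exe" /c del "{target}"')


# Report order (pre-order traversal); depth is the N in the "N⤵" markers.
EVENTS = [
    (2356, 1, T, f'"{T}"'),
    exe(2592, 2, "wwbfofj.exe"), exe(2472, 3, "wxyevvf.exe"), exe(1872, 4, "wto.exe"),
    exe(2004, 5, "wxq.exe"), exe(1552, 6, "wmki.exe"), exe(2892, 7, "wsnns.exe"),
    exe(2588, 8, "wklso.exe"), exe(1468, 9, "wxa.exe"), exe(2544, 10, "wprtcmlv.exe"),
    exe(2312, 11, "wyptv.exe"), exe(2372, 12, "welx.exe"),
    cmd(1060, 12, f"{S}\\wyptv.exe"), cmd(608, 11, f"{S}\\wprtcmlv.exe"),
    (1628, 11, f"{W}\\WerFault.exe", f"{W}\\WerFault.exe -u -p 2544 -s 180"),
    cmd(2780, 10, f"{S}\\wxa.exe"), cmd(956, 9, f"{S}\\wklso.exe"),
    cmd(2580, 8, f"{S}\\wsnns.exe"), cmd(892, 7, f"{S}\\wmki.exe"),
    cmd(972, 6, f"{S}\\wxq.exe"), cmd(812, 5, f"{S}\\wto.exe"),
    cmd(2812, 4, f"{S}\\wxyevvf.exe"), cmd(2136, 3, f"{S}\\wwbfofj.exe"),
    cmd(2448, 2, T),
]


@dataclass
class Proc:
    pid: int
    depth: int
    image: str
    cmdline: str
    ppid: Optional[int] = None
    children: List["Proc"] = field(default_factory=list)


def build_tree(events):
    """Parent of an entry at depth d is the nearest preceding entry at depth d-1."""
    procs, stack = {}, []
    for pid, depth, image, cmdline in events:
        while stack and stack[-1].depth >= depth:
            stack.pop()
        p = Proc(pid, depth, image, cmdline, ppid=stack[-1].pid if stack else None)
        if stack:
            stack[-1].children.append(p)
        procs[pid] = p
        stack.append(p)
    return procs


def norm(path):
    """Case-fold and undo WoW64 redirection so 'system32\\x.exe' in a 32-bit
    command line compares equal to the SysWOW64 path the sandbox recorded."""
    return path.strip('"').lower().replace(S.lower() + "\\", W.lower() + "\\")


DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def find_self_deletes(procs):
    """(cmd pid, parent pid, path) for every cmd.exe that deletes its parent's image."""
    hits = []
    for p in procs.values():
        if p.ppid is None or ntpath.basename(p.image).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(p.cmdline)
        if m and norm(m.group(1)) == norm(procs[p.ppid].image):
            hits.append((p.pid, p.ppid, m.group(1)))
    return hits


def dropper_chain(procs, root_pid):
    """Image names along the one-child-per-generation chain, ignoring the
    cmd.exe and WerFault.exe side processes."""
    chain, cur = [], procs[root_pid]
    while cur is not None:
        chain.append(ntpath.basename(cur.image))
        nxt = [c for c in cur.children
               if ntpath.basename(c.image).lower() not in ("cmd.exe", "werfault.exe")]
        cur = nxt[0] if nxt else None
    return chain


if __name__ == "__main__":
    procs = build_tree(EVENTS)
    print(" -> ".join(dropper_chain(procs, 2356)))
    for cmd_pid, ppid, path in find_self_deletes(procs):
        print(f"pid {ppid} removed its own image via cmd.exe pid {cmd_pid}: {path}")
```

Run against the transcribed tree it reports a 12-process chain (the submitted sample plus 11 dropped copies) and 11 self-deletions; the last copy, welx.exe (PID 2372), has no cmd.exe child, which is consistent with the run hitting the sandbox's time limit before that generation finished. The WerFault.exe entry (PID 1628, `-p 2544`) lands under wprtcmlv.exe, matching the "Program crash" signature on that process.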

                        Network

                        MITRE ATT&CK Enterprise v15

                        Downloads

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5V2FM3GM.txt

                          Filesize

                          99B

                          MD5

                          ca827a51e244d484eac4187cb398cd57

                          SHA1

                          cd148d4494ada6963b39703726c45ed737317591

                          SHA256

                          033d5eac3e5b39843db4f253b45e7387bd57262b35a75234daf0e91dde7e6b37

                          SHA512

                          6dd36548411cc19699dfc78b7aec6a6b160dc56f144c381d750cf1e7b7d78391cb43d63eb02950f3e2e6166a372576aa1a89164150751dfd9a8f290562b00f08

                        • \Windows\SysWOW64\wklso.exe

                          Filesize

                          260KB

                          MD5

                          c3f8a7bbd1252b5ce9e554136c2aea12

                          SHA1

                          2bab02b10c4e4ad75202c726205c2cec228a7b0e

                          SHA256

                          26d012c6f434ddc56c3015abcbb31d9bf9ff0d2d9edcc9ab3c6efd5812a5f4e3

                          SHA512

                          ae51d8904bbcfe4f7d6b79b81ef2e718598fc7f2296f9a47bb4217db250b955a64118fa364fd190d1729e73d979ab92bd8548bfdd2e90787536a58746cc3f23a

                        • \Windows\SysWOW64\wmki.exe

                          Filesize

                          260KB

                          MD5

                          3608520571462addec5bb5a85db1f6e4

                          SHA1

                          7385bd510c34632970063d2f747672cf84f2a265

                          SHA256

                          08d7e38daa1105c8c69f4f0f4f1c7acb711d98349ada53a721331f3367ae12bf

                          SHA512

                          5464745e2c973b303cc5a1a0e62e09ed7c5b7afc1a38d57f6baaf95c01d469425b5eff05bc2795225aef43d1a6be73df610b42013d03c9902f24e022ad5da1f2

                        • \Windows\SysWOW64\wprtcmlv.exe

                          Filesize

                          260KB

                          MD5

                          f4a0464eef841b6c52aa9ec76eec8c2a

                          SHA1

                          bfbb656daa660d25934681bb0590b9856704ace7

                          SHA256

                          170c1e5440fbf9b666aaf1854198d8eadcc8db3cdcd9ab53e5fd221e975a989a

                          SHA512

                          bd8c209c4b265aab5b92de60994aa57e5d3be74e3fdc5c93d620a10f40fb6b2f51f7ba30ce8d2fb51f08c82697fff70860c81ceeef451828b0721e64de5953e6

                        • \Windows\SysWOW64\wsnns.exe

                          Filesize

                          260KB

                          MD5

                          33427c4c6b4ae54e2a3c54af435198c5

                          SHA1

                          51a9b1189696e8bbab351bca4fe07732712fe0db

                          SHA256

                          f23bb6979ae0ba3b67aa1fbbda303fb29a1d778c4d96154e91973e07e5c6ad9d

                          SHA512

                          68933f7c039d287622329c05fdd99c73bb333002918412d41897bc0ae759843f223a693363ce57490fefe766594ece9d4c0f134e1d91c3dc3f271d6276bfb372

                        • \Windows\SysWOW64\wto.exe

                          Filesize

                          260KB

                          MD5

                          31e762f09ac7026d630222016f18bf49

                          SHA1

                          a4e93d0b2a9be57996a836653040d6c014da5e4d

                          SHA256

                          48f649335511b6570f3a3b0ef1cbcb9f2af79b6443a23ad614e645fede8dc2a2

                          SHA512

                          059b4a74ca795c450ef9290cbbc93fb9f8e1e99916f511231e9c2e3b9618f51b052eccfb0c472642c13fd3179dfdee531aff5aa8326a0fa49b23e0ebec97cb6d

                        • \Windows\SysWOW64\wwbfofj.exe

                          Filesize

                          260KB

                          MD5

                          82d790fa0d5dd64e79c4a32acef20eee

                          SHA1

                          2e976c98739748a3dc9a9431b6d6d2cb4c7aa1b4

                          SHA256

                          ea5e07d8bc3937cdc8d5723c13f04c624eb2867910102e2897c5e8cf7c649c29

                          SHA512

                          01989b9d3f482d8042340cc11f3bcee5329c514b5f6e8c40ab51a4c4dfcda24d2aa379c4395dca1ac8c4183b1d553a1e17c53ead173751568847e806b31ec338

                        • \Windows\SysWOW64\wxa.exe

                          Filesize

                          260KB

                          MD5

                          4b9db5d01b242950c8cb8a069f70d229

                          SHA1

                          dd9555e43304d31469f961a206524469a3314331

                          SHA256

                          a2a7626d264b768d5485aef8540afc3793b506b62994054b3c81594f5b808af1

                          SHA512

                          fa4b8fc056f5e72a443cea9a8122700e90a71b8336012e5f86f17079168594f1b9deeadf948605f2d4e711a9775e61ec74734ee066ae904a65d2e0d9d89b5521

                        • \Windows\SysWOW64\wxq.exe

                          Filesize

                          260KB

                          MD5

                          a72da811aa7a175326c19289ebf3a3dd

                          SHA1

                          f18a2b96f3e00ba7335fb6f0357ef5f53e4f5749

                          SHA256

                          9d5b6730d312d1c94f7ffe959839cdbeed10912fdce64e7e83c2212f2a399bb7

                          SHA512

                          df5441a64c8c7d4ed2786fa7c7b7a62679bec4ef920c80a84b37565e194d3a1cb9e0c875234ffe1a0893485d0e58f73c012c3f90a0ed8d525c043d4608d42fa2

                        • \Windows\SysWOW64\wxyevvf.exe

                          Filesize

                          260KB

                          MD5

                          e3baa67d0f7f5e169ef6fb93c9419146

                          SHA1

                          46903f250d1761e8c66c2fde5e50dd12ee7f96d2

                          SHA256

                          e493aafcab981c97f1454ee64f677b69f21d7e89c980671cbc983ad89de3be2a

                          SHA512

                          8247bf31dfd2418f42a7e441d54cf8fde298e8ecbaa865500f02ecebb139f06b2a98cd552cf270462282b5a2b77f2ccd07490e612faacc95a9d37fabe48df238

                        • \Windows\SysWOW64\wyptv.exe

                          Filesize

                          260KB

                          MD5

                          ce5c620562959abeff25a842a7650e24

                          SHA1

                          2c514cb9e6a73f6023b48ac14e4b0d545068b622

                          SHA256

                          0d75908b31a5e4aedcbd3a8c2aa487d9b8d878e5c3b71ca7de22629cb1aa83f3

                          SHA512

                          c8c3db4eb19bb3fc7e913b665d2c28832ae8d2ea476fea7bcd1afb7fbe4e35dab1df920eb5c6cf40ce73d6b74d661ca956a9b2569fc0cb6991223c256c5ab706

                        • memory/1468-187-0x0000000003960000-0x0000000003977000-memory.dmp

                          Filesize

                          92KB

                        • memory/1468-190-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/1468-188-0x0000000003960000-0x0000000003977000-memory.dmp

                          Filesize

                          92KB

                        • memory/1468-169-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/1468-181-0x0000000003960000-0x0000000003977000-memory.dmp

                          Filesize

                          92KB

                        • memory/1552-132-0x0000000002710000-0x0000000002727000-memory.dmp

                          Filesize

                          92KB

                        • memory/1552-121-0x0000000002710000-0x0000000002727000-memory.dmp

                          Filesize

                          92KB

                        • memory/1552-124-0x0000000002710000-0x0000000002727000-memory.dmp

                          Filesize

                          92KB

                        • memory/1552-123-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/1552-105-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/1872-62-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/1872-81-0x0000000003750000-0x0000000003767000-memory.dmp

                          Filesize

                          92KB

                        • memory/1872-83-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2004-82-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2004-102-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2004-103-0x0000000003FE0000-0x0000000003FF7000-memory.dmp

                          Filesize

                          92KB

                        • memory/2004-100-0x0000000003FE0000-0x0000000003FF7000-memory.dmp

                          Filesize

                          92KB

                        • memory/2004-126-0x0000000003FE0000-0x0000000003FF7000-memory.dmp

                          Filesize

                          92KB

                        • memory/2312-217-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2312-211-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2312-229-0x00000000022C0000-0x00000000022D7000-memory.dmp

                          Filesize

                          92KB

                        • memory/2312-230-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2356-0-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2356-20-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2356-18-0x00000000033F0000-0x0000000003407000-memory.dmp

                          Filesize

                          92KB

                        • memory/2356-11-0x00000000033F0000-0x0000000003407000-memory.dmp

                          Filesize

                          92KB

                        • memory/2372-231-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2472-63-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2472-60-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2472-42-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2544-215-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2544-209-0x0000000003BD0000-0x0000000003BE7000-memory.dmp

                          Filesize

                          92KB

                        • memory/2544-216-0x0000000003BD0000-0x0000000003BE7000-memory.dmp

                          Filesize

                          92KB

                        • memory/2544-208-0x0000000003BD0000-0x0000000003BE7000-memory.dmp

                          Filesize

                          92KB

                        • memory/2588-165-0x00000000038D0000-0x00000000038E7000-memory.dmp

                          Filesize

                          92KB

                        • memory/2588-167-0x0000000003D40000-0x0000000003D57000-memory.dmp

                          Filesize

                          92KB

                        • memory/2588-168-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2592-43-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2592-40-0x00000000034B0000-0x00000000034C7000-memory.dmp

                          Filesize

                          92KB

                        • memory/2592-39-0x00000000023F0000-0x0000000002407000-memory.dmp

                          Filesize

                          92KB

                        • memory/2592-21-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2892-146-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2892-145-0x0000000002490000-0x00000000024A7000-memory.dmp

                          Filesize

                          92KB

                        • memory/2892-144-0x0000000002490000-0x00000000024A7000-memory.dmp

                          Filesize

                          92KB

                        • memory/2892-147-0x0000000000400000-0x0000000000417000-memory.dmp

                          Filesize

                          92KB

                        • memory/2892-143-0x0000000002490000-0x00000000024A7000-memory.dmp

                          Filesize

                          92KB
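Every dump in the list above is 0x17000 bytes (92KB): the main module at 0x400000 in each process, plus, in most processes, one or two further regions of exactly the same size at heap-like addresses. The script below is an added example, not sandbox output, that parses the dump names and summarises the regions per process. The DUMPS block is copied from the list above; the field layout `memory/<pid>-<seq>-<start>-<end>-memory.dmp` is read off those names rather than taken from any sandbox documentation, so treat it as an assumption if you point this at a different report. Two observations the summary supports, both inferences rather than anything the report states: a 92KB mapped image from a 260KB file means most of the file is not mapped (overlay or unmapped sections, worth checking in the section table), and a second region the exact size of the image in a process that also trips "Suspicious use of WriteProcessMemory" is what you would expect if each generation stages a copy of its own image for the next one. Diff a non-image dump against the 0x400000 dump of the same PID before relying on that.

```python
"""Summarise the memory regions the sandbox dumped for each process.

Added example, not sandbox output. DUMPS is copied from the memory dump
list above; the layout memory/<pid>-<seq>-<start>-<end>-memory.dmp is
inferred from those names (an assumption), not taken from documentation.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)
IMAGE_BASE = 0x400000  # the 32-bit PE is mapped at 0x400000 in every process in this report

DUMPS = """
memory/1468-187-0x0000000003960000-0x0000000003977000-memory.dmp
memory/1468-190-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1468-188-0x0000000003960000-0x0000000003977000-memory.dmp
memory/1468-169-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1468-181-0x0000000003960000-0x0000000003977000-memory.dmp
memory/1552-132-0x0000000002710000-0x0000000002727000-memory.dmp
memory/1552-121-0x0000000002710000-0x0000000002727000-memory.dmp
memory/1552-124-0x0000000002710000-0x0000000002727000-memory.dmp
memory/1552-123-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1552-105-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1872-62-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1872-81-0x0000000003750000-0x0000000003767000-memory.dmp
memory/1872-83-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2004-82-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2004-102-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2004-103-0x0000000003FE0000-0x0000000003FF7000-memory.dmp
memory/2004-100-0x0000000003FE0000-0x0000000003FF7000-memory.dmp
memory/2004-126-0x0000000003FE0000-0x0000000003FF7000-memory.dmp
memory/2312-217-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2312-211-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2312-229-0x00000000022C0000-0x00000000022D7000-memory.dmp
memory/2312-230-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2356-0-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2356-20-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2356-18-0x00000000033F0000-0x0000000003407000-memory.dmp
memory/2356-11-0x00000000033F0000-0x0000000003407000-memory.dmp
memory/2372-231-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2472-63-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2472-60-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2472-42-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2544-215-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2544-209-0x0000000003BD0000-0x0000000003BE7000-memory.dmp
memory/2544-216-0x0000000003BD0000-0x0000000003BE7000-memory.dmp
memory/2544-208-0x0000000003BD0000-0x0000000003BE7000-memory.dmp
memory/2588-165-0x00000000038D0000-0x00000000038E7000-memory.dmp
memory/2588-167-0x0000000003D40000-0x0000000003D57000-memory.dmp
memory/2588-168-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2592-43-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2592-40-0x00000000034B0000-0x00000000034C7000-memory.dmp
memory/2592-39-0x00000000023F0000-0x0000000002407000-memory.dmp
memory/2592-21-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2892-146-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2892-145-0x0000000002490000-0x00000000024A7000-memory.dmp
memory/2892-144-0x0000000002490000-0x00000000024A7000-memory.dmp
memory/2892-147-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2892-143-0x0000000002490000-0x00000000024A7000-memory.dmp
""".split()


def parse_dumps(names):
    """(pid, seq, start, end) per dump; names that do not fit the pattern are skipped."""
    out = []
    for n in names:
        m = DUMP_RE.fullmatch(n.strip())
        if m:
            out.append((int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)))
    return out


def region_sizes(dumps):
    """Distinct region lengths in bytes across all dumps."""
    return {end - start for _, _, start, end in dumps}


def non_image_regions(dumps, image_base=IMAGE_BASE):
    """pid -> sorted distinct start addresses of regions other than the main module.
    The sandbox dumps the same region more than once (different seq), so duplicates fold."""
    by_pid = defaultdict(set)
    for pid, _, start, _ in dumps:
        if start != image_base:
            by_pid[pid].add(start)
    return {pid: sorted(v) for pid, v in by_pid.items()}


if __name__ == "__main__":
    dumps = parse_dumps(DUMPS)
    print("region sizes:", [hex(s) for s in region_sizes(dumps)])
    for pid, starts in sorted(non_image_regions(dumps).items()):
        print(pid, [hex(s) for s in starts])
```

On this report it finds a single region size, 0x17000, and a non-image region in 10 of the 12 processes; only welx.exe (2372) and wxyevvf.exe (2472) were dumped at 0x400000 alone, and wklso.exe (2588) and wwbfofj.exe (2592) each have two distinct extra regions.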