a212b00fc2ef30cbe2a896d2312739a6757f01730675bfbdf44470736160a024

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e304a34ea425d0e9e247779025675e1.exe
Size

132KB
MD5

4e304a34ea425d0e9e247779025675e1
SHA1

bad2e8e6189fc8363a89ec3a1a1fd1112c1de9a4
SHA256

a212b00fc2ef30cbe2a896d2312739a6757f01730675bfbdf44470736160a024
SHA512

1673f90c9e7f29636cc2f41fd9b2dae1b3ba969a4e9607669eb19c6208f7735e56ae112a2cdfe60252f7b42afdc2d60d184ffa16b2aaa3b026858356b89c2411
SSDEEP

3072:4NlVOkquTD5GtVOlibl6sLVIgSsr8WZTru5PBh1Eimb:4NvtTeKibl6qVZZnu55h1Lmb

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2820	wfurhq.exe

Loads dropped DLL 2 IoCs

pid	Process
2704	cmd.exe
2704	cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012274-12.dat	upx
behavioral1/memory/2704-13-0x0000000000370000-0x0000000000391000-memory.dmp	upx
behavioral1/memory/2820-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2820-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\ziwwa\\command	wfurhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	wfurhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\ziwwa	wfurhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\ziwwa	wfurhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	wfurhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	wfurhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	wfurhq.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2300	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2704	2988	4e304a34ea425d0e9e247779025675e1.exe	28
PID 2988 wrote to memory of 2704	2988	4e304a34ea425d0e9e247779025675e1.exe	28
PID 2988 wrote to memory of 2704	2988	4e304a34ea425d0e9e247779025675e1.exe	28
PID 2988 wrote to memory of 2704	2988	4e304a34ea425d0e9e247779025675e1.exe	28
PID 2704 wrote to memory of 2820	2704	cmd.exe	30
PID 2704 wrote to memory of 2820	2704	cmd.exe	30
PID 2704 wrote to memory of 2820	2704	cmd.exe	30
PID 2704 wrote to memory of 2820	2704	cmd.exe	30
PID 2704 wrote to memory of 2300	2704	cmd.exe	31
PID 2704 wrote to memory of 2300	2704	cmd.exe	31
PID 2704 wrote to memory of 2300	2704	cmd.exe	31
PID 2704 wrote to memory of 2300	2704	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\4e304a34ea425d0e9e247779025675e1.exe
"C:\Users\Admin\AppData\Local\Temp\4e304a34ea425d0e9e247779025675e1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\tavllxl.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\wfurhq.exe
    "C:\Users\Admin\AppData\Local\Temp\wfurhq.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2820
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\displm.bat

Filesize
156B

MD5
8073cf9bec5963a7340f17426b130e2e

SHA1
e021000f950563ca883233b06a2e2da953a6616b

SHA256
d973772a47b39b02c21d2078539ffa3c2e89eaf231273215c9be927d511238df

SHA512
3a2743252eae62848ccbb29b0b38ab810f5d36ab20d83c2705ff0fa17a3a724af749a9f49b940a2e67c5195a381c580b6c692127c0be8d5378e0508142e87d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tavllxl.bat

Filesize
124B

MD5
2c21916c128701d14af8a5d78766fcfe

SHA1
0af85699a8961e30ce18af490d672073b43570d1

SHA256
3cee04167f5c3bbfbc5380436a96974ba52f1f26bb6264aa963199de989e661c

SHA512
e1bee2df9a74521bab88dea9bf27b047558cd06cc80ac1ebf504ff05723c79ad28abdceb148f10210a673d3958ad7a8c0e837b207bccd5c5f8f5f89a38bfca40

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfurhq.exe

Filesize
82KB

MD5
d9baf78cdb4ef2906434f8010d6247ac

SHA1
16d0e1d1ab3d404b3f01188e194c5ea2833138e0

SHA256
c2f6e0bed2534734220de8d46d2d935779dd5d0cfdaf3964a29dfb89a3de0a10

SHA512
62dbb1fb43ec693ac0b7e4ed816b5b3af0609a3c0ca098870a40523d4294add7cb2a6d365676ac62d447da6027703b2fcc245b6fcd4d44f58ebda5e1e158593c

Download Submit
memory/2704-13-0x0000000000370000-0x0000000000391000-memory.dmp

Filesize
132KB

Download
memory/2704-15-0x0000000000370000-0x0000000000391000-memory.dmp

Filesize
132KB

Download
memory/2820-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2820-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download