c7e6b233012221a1f62b40c1e1549d0ee8de9001cb599bffb614d969f58516ce

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

776be72953ef0e648119e2f62848f2d9.exe
Size

447KB
MD5

776be72953ef0e648119e2f62848f2d9
SHA1

9adc64cd7f6829b0e4abcf64b118b35a9f6215f9
SHA256

c7e6b233012221a1f62b40c1e1549d0ee8de9001cb599bffb614d969f58516ce
SHA512

7b090708d68854e35d1bf6ba068aebb85f3688119987d586d7a3c6372921c2d42d383a355d15cf5ae5ac63271ed267b0473c2c4693a87a156688f0b54833a2ad
SSDEEP

12288:EnNhuBoY8SorxgmA+nlvVlsz4Lf+UEhiOU40vZ/BJ:EPatCg7EP6z4r+OOU40vZZJ

Score

9^/10

upx

Malware Config

Signatures

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/2492-42-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/2492-45-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

pid	Process
2492	WirelessKeyView.exe

Loads dropped DLL 2 IoCs

pid	Process
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1872-0-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/files/0x00090000000149f5-34.dat	upx
behavioral1/memory/1872-36-0x0000000004860000-0x0000000004878000-memory.dmp	upx
behavioral1/memory/2492-42-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1872-44-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/memory/2492-45-0x0000000000400000-0x0000000000418000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1872-44-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1872	776be72953ef0e648119e2f62848f2d9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	WirelessKeyView.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe
1872	776be72953ef0e648119e2f62848f2d9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2492	1872	776be72953ef0e648119e2f62848f2d9.exe	28
PID 1872 wrote to memory of 2492	1872	776be72953ef0e648119e2f62848f2d9.exe	28
PID 1872 wrote to memory of 2492	1872	776be72953ef0e648119e2f62848f2d9.exe	28
PID 1872 wrote to memory of 2492	1872	776be72953ef0e648119e2f62848f2d9.exe	28

C:\Users\Admin\AppData\Local\Temp\776be72953ef0e648119e2f62848f2d9.exe
"C:\Users\Admin\AppData\Local\Temp\776be72953ef0e648119e2f62848f2d9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Roaming\m\WirelessKeyView.exe
  C:\Users\Admin\AppData\Roaming\m\WirelessKeyView.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\m\Done.wav

Filesize
25KB

MD5
739be594898cc12de72c521e2c3bd8a2

SHA1
96cff15df50479e386eb6eea9ead6673ca6cca90

SHA256
52660a6473184ec823fc87a63874d1af1ec63cb1e10111e6192724863f6e0867

SHA512
2aff4aa9f5087e65a4387f80154596e382030f1ecf991446a07b5088f9bfc26226de9426f79480b6277edeb9b67e8c4917044eda25f1fa6dbc378542e2d0198a

Download Submit
C:\Users\Admin\AppData\Roaming\m\WirelessKeyView_lng.ini

Filesize
1KB

MD5
d01d5e251367e2636b15a03c3d963db3

SHA1
d0cfa6b50d5d41d93ab91e2736c21a8b2dce3647

SHA256
27c275e6273d898e34c9cdb0e3b7748f4c4ed600d306914f5f636cc57de50e56

SHA512
749d32a9ac52666f9fa0559af06021f5cdbc9b4485d9a190e394a272e76d9c6d1fcc250a930f5020d8f1f1723e89e0212ba60c0515aa0ec9a26aaa7647e6bb83

Download Submit
C:\Users\Admin\AppData\Roaming\splash.png

Filesize
70KB

MD5
ccbad9677a826a64e24694e5bf538339

SHA1
5c7cce3d035fc74c356324beb0babb204ca8c228

SHA256
1c63dde7a3f1777b037aa7912b10f890de782a74c584eb52dbdac039a1f33296

SHA512
a7949efbbe96394e6898d5bc6231a0491e069ec7f005ce7e1e9689d5994a6cc7caf95611a58bfb56b409b186328478616b21be8568727ec5ed9943fa3a5ace99

Download Submit
\Users\Admin\AppData\Roaming\m\WirelessKeyView.exe

Filesize
38KB

MD5
38257f233ba5c2ba46b626d1198381c0

SHA1
a8b299f4e7564e9446019be17d9dd3fef1814c65

SHA256
c9333222ca825369dd0ad050c2d2deace6e2514f68856fbd920f7be7530b3448

SHA512
3daccc428e6d460be10654231824a6335e34032df0560424930ba9b51119a78a3f5c911bbdde1b8d3ec75bab1b00dfac793c64c4f90b2d6a7930f23f66265419

Download Submit
memory/1872-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1872-36-0x0000000004860000-0x0000000004878000-memory.dmp

Filesize
96KB

Download
memory/1872-41-0x0000000004860000-0x0000000004878000-memory.dmp

Filesize
96KB

Download
memory/1872-44-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1872-48-0x0000000004860000-0x0000000004878000-memory.dmp

Filesize
96KB

Download
memory/1872-50-0x0000000004860000-0x0000000004878000-memory.dmp

Filesize
96KB

Download
memory/2492-42-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2492-45-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download