478e5a10a2d3f41fd903448dd9d06c7d901a53933cfa7d90f10d905d01c8fb49

Analysis

max time kernel
147s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-02-2024 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

upgrade.exe
Size

655KB
MD5

6200fd0bf01918f26533c82758163b5a
SHA1

6b7397caf49036062dc8b7210c27e5a3e3fc36fc
SHA256

66f26009c24d3b893aed432ad50b80427869b78f17e1a1bb34cfcb0c5c9ee43d
SHA512

76be6261325f3e39edf07984179911ec3a86d24bea4db10e67dc8a49fb07d8db9044d9d725bbb81a0290fe865e71615cc662cebd985e6397d684f8cae8bd81e5
SSDEEP

12288:22mfYcDGg+uQdFGzJUoBIJPtx2nNtJhqmFi8plxgtj5SSiJtL3JL0T:ZiGFTdozH2AnNtJhXi8plx4j5itVoT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2916	wyeke.exe
2696	wyeke.exe
2000	wyeke127.exe
2612	wyeke.exe

Loads dropped DLL 9 IoCs

pid	Process
2204	upgrade.exe
2204	upgrade.exe
2204	upgrade.exe
2204	upgrade.exe
2696	wyeke.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2612	wyeke.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	wyeke127.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XBT2C3S0.htm	wyeke127.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Wyeke\wyeke.dll	wyeke.exe
File opened for modification	C:\Program Files (x86)\Wyeke\wyeke.dll	wyeke.exe
File created	C:\Program Files (x86)\Wyeke\wyeke.exe	wyeke.exe
File created	C:\Program Files (x86)\Wyeke\uninstall.exe	upgrade.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000015c2f-45.dat	nsis_installer_1

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wyeke127.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wyeke127.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8ADEC240-BFF8-4805-B6E4-8794447AA96E}	wyeke127.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wyeke127.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-94-ad-a5-64-81\WpadDecisionTime = 8085b3ff5f56da01	wyeke127.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wyeke127.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	wyeke127.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wyeke127.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	wyeke127.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wyeke127.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8ADEC240-BFF8-4805-B6E4-8794447AA96E}\WpadDecisionTime = 8085b3ff5f56da01	wyeke127.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8ADEC240-BFF8-4805-B6E4-8794447AA96E}\WpadNetworkName = "Network 3"	wyeke127.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wyeke127.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8ADEC240-BFF8-4805-B6E4-8794447AA96E}\WpadDecisionReason = "1"	wyeke127.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8ADEC240-BFF8-4805-B6E4-8794447AA96E}\WpadDecision = "0"	wyeke127.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-94-ad-a5-64-81\WpadDecisionReason = "1"	wyeke127.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	wyeke127.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-94-ad-a5-64-81\WpadDecision = "0"	wyeke127.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	wyeke127.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	wyeke127.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	wyeke127.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	wyeke127.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-94-ad-a5-64-81	wyeke127.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8ADEC240-BFF8-4805-B6E4-8794447AA96E}\7a-94-ad-a5-64-81	wyeke127.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe
2000	wyeke127.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2612	wyeke.exe
2612	wyeke.exe
2612	wyeke.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2916	2204	upgrade.exe	28
PID 2204 wrote to memory of 2916	2204	upgrade.exe	28
PID 2204 wrote to memory of 2916	2204	upgrade.exe	28
PID 2204 wrote to memory of 2916	2204	upgrade.exe	28
PID 2204 wrote to memory of 2696	2204	upgrade.exe	29
PID 2204 wrote to memory of 2696	2204	upgrade.exe	29
PID 2204 wrote to memory of 2696	2204	upgrade.exe	29
PID 2204 wrote to memory of 2696	2204	upgrade.exe	29
PID 2000 wrote to memory of 2612	2000	wyeke127.exe	31
PID 2000 wrote to memory of 2612	2000	wyeke127.exe	31
PID 2000 wrote to memory of 2612	2000	wyeke127.exe	31
PID 2000 wrote to memory of 2612	2000	wyeke127.exe	31

C:\Users\Admin\AppData\Local\Temp\upgrade.exe
"C:\Users\Admin\AppData\Local\Temp\upgrade.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\nsd3E69.tmp\wyeke.exe
  "C:\Users\Admin\AppData\Local\Temp\nsd3E69.tmp\wyeke.exe" "C:\Users\Admin\AppData\Local\Temp\nsd3E69.tmp\wyeke.dll" -r
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\nsd3E69.tmp\wyeke.exe
  "C:\Users\Admin\AppData\Local\Temp\nsd3E69.tmp\wyeke.exe" "C:\Users\Admin\AppData\Local\Temp\nsd3E69.tmp\wyeke.dll" Install ""
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:2696

C:\ProgramData\Wyeke\wyeke127.exe
"C:\ProgramData\Wyeke\wyeke127.exe" "C:\Program Files (x86)\Wyeke\wyeke.dll" Service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Program Files (x86)\Wyeke\wyeke.exe
  "C:\Program Files (x86)\Wyeke\wyeke.exe" "C:\Program Files (x86)\Wyeke\wyeke.dll" Main
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd3E69.tmp\uninstall.exe

Filesize
87KB

MD5
ff795d8c92ba9e210087811450f07b86

SHA1
6c2959c83a4c460b77a285473cb02de79d01d1b0

SHA256
7911cc2005f04f64f514f0aedaf9bde9aec48e51ecb9e0b21981e39a3885cd68

SHA512
951620bede769f77b40f1d315841604212632a2f5095df5cf9134811f43328e95f4c36962fecc2fdc7639ed1570238a9578c6cc1d2e7b17b820ba3c7909cf401

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd3E69.tmp\wyeke.dll

Filesize
584KB

MD5
94af0fa9a9a86c80a375405f6dc5fee2

SHA1
fad0f53b4d0d9b4e3249996be23e84bf96019709

SHA256
08228703bb9f053bd9180ab7280999d3d03540083f894156b98db176ae1eb0ca

SHA512
01896b6b522e2351fa30a560388061e294d963d088a2ad394b6364aaf32473cd426b1c69c2930c9969ef0e84a6e4300602a9811ff3a7ecdc7592c1b8949b9e4c

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3E69.tmp\wyeke.exe

Filesize
57KB

MD5
1a6a68ce5fbe650abca2450c245aca9e

SHA1
f1d3aa00d1f60a0fc9e40e1da18a7ee5851bf493

SHA256
bb957c094016983a5c41dd684a22b834024219e99bed8531f245d8753703b1e2

SHA512
8763e3fab06a52c080243ea4b9ca8e0befc83c0f0afb5881d213c54ff1db5de3f3d3a529ed72c7e2da49eb696b28741f0abf9d367da5b346c7dc9368a22f98d6

Download Submit
memory/2000-35-0x0000000000C40000-0x0000000000CC4000-memory.dmp

Filesize
528KB

Download
memory/2612-56-0x0000000000410000-0x0000000000494000-memory.dmp

Filesize
528KB

Download
memory/2696-24-0x0000000000750000-0x00000000007D4000-memory.dmp

Filesize
528KB

Download