478e5a10a2d3f41fd903448dd9d06c7d901a53933cfa7d90f10d905d01c8fb49

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

upgrade.exe
Size

655KB
MD5

6200fd0bf01918f26533c82758163b5a
SHA1

6b7397caf49036062dc8b7210c27e5a3e3fc36fc
SHA256

66f26009c24d3b893aed432ad50b80427869b78f17e1a1bb34cfcb0c5c9ee43d
SHA512

76be6261325f3e39edf07984179911ec3a86d24bea4db10e67dc8a49fb07d8db9044d9d725bbb81a0290fe865e71615cc662cebd985e6397d684f8cae8bd81e5
SSDEEP

12288:22mfYcDGg+uQdFGzJUoBIJPtx2nNtJhqmFi8plxgtj5SSiJtL3JL0T:ZiGFTdozH2AnNtJhXi8plx4j5itVoT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2288	wyeke.exe
4092	wyeke.exe
1456	wyeke127.exe
1204	wyeke.exe

Loads dropped DLL 3 IoCs

pid	Process
4092	wyeke.exe
1456	wyeke127.exe
1204	wyeke.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\M8WGAVVO.htm	wyeke127.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	wyeke127.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	wyeke127.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	wyeke127.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	wyeke127.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Wyeke\wyeke.exe	wyeke.exe
File created	C:\Program Files (x86)\Wyeke\uninstall.exe	upgrade.exe
File created	C:\Program Files (x86)\Wyeke\wyeke.dll	wyeke.exe
File opened for modification	C:\Program Files (x86)\Wyeke\wyeke.dll	wyeke.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000600000002321e-34.dat	nsis_installer_1

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wyeke127.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wyeke127.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	wyeke127.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	wyeke127.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	wyeke127.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	wyeke127.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	wyeke127.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wyeke127.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe
1456	wyeke127.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1204	wyeke.exe
1204	wyeke.exe
1204	wyeke.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2288	2172	upgrade.exe	85
PID 2172 wrote to memory of 2288	2172	upgrade.exe	85
PID 2172 wrote to memory of 2288	2172	upgrade.exe	85
PID 2172 wrote to memory of 4092	2172	upgrade.exe	86
PID 2172 wrote to memory of 4092	2172	upgrade.exe	86
PID 2172 wrote to memory of 4092	2172	upgrade.exe	86
PID 1456 wrote to memory of 1204	1456	wyeke127.exe	88
PID 1456 wrote to memory of 1204	1456	wyeke127.exe	88
PID 1456 wrote to memory of 1204	1456	wyeke127.exe	88

C:\Users\Admin\AppData\Local\Temp\upgrade.exe
"C:\Users\Admin\AppData\Local\Temp\upgrade.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.exe
  "C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.exe" "C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.dll" -r
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.exe
  "C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.exe" "C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.dll" Install ""
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:4092

C:\ProgramData\Wyeke\wyeke127.exe
"C:\ProgramData\Wyeke\wyeke127.exe" "C:\Program Files (x86)\Wyeke\wyeke.dll" Service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Program Files (x86)\Wyeke\wyeke.exe
  "C:\Program Files (x86)\Wyeke\wyeke.exe" "C:\Program Files (x86)\Wyeke\wyeke.dll" Main
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Wyeke\uninstall.exe

Filesize
87KB

MD5
ff795d8c92ba9e210087811450f07b86

SHA1
6c2959c83a4c460b77a285473cb02de79d01d1b0

SHA256
7911cc2005f04f64f514f0aedaf9bde9aec48e51ecb9e0b21981e39a3885cd68

SHA512
951620bede769f77b40f1d315841604212632a2f5095df5cf9134811f43328e95f4c36962fecc2fdc7639ed1570238a9578c6cc1d2e7b17b820ba3c7909cf401

Download Submit
C:\Program Files (x86)\Wyeke\wyeke.dll

Filesize
413KB

MD5
f33ad3619c1ba627de703698ab868ce7

SHA1
233d4feb619306fb68a75ddfaab9472d4edefe20

SHA256
cb69db2772526eca4f570e8925c9343bc9960d7bf35a9b3fbc68defab83f88ff

SHA512
e74094624e2f54bb7d8ce04830d99425bf731cf3b7b805625ff40c84dbbc57de50a5232e9e1d7557ea91436e84993fc61324bb7c95ebecb29cf1a7b3776440f8

Download Submit
C:\Program Files (x86)\Wyeke\wyeke.dll

Filesize
327KB

MD5
8bab6da6fcb55ff8fd19e4b040048248

SHA1
ab485effea7263cec8b81aa0acf5d41a3af10249

SHA256
5dbf62ee4208ac8608fc57da20b871896bc51a4e991b09e987c4542a51f94eab

SHA512
188a4fd3b7f3c9b4a0f230ea3206e7a05da18f220318489b9262b82c2af7470e822a8d5f02798278b7193bda683b5c3ee7cb414bebc440afc8072a8edf88a9a8

Download Submit
C:\Program Files (x86)\Wyeke\wyeke.dll

Filesize
255KB

MD5
1ed9d05d1bb9ae6147f71c14a7c9692b

SHA1
6bd7276997464bcfe566917b358ada436e2162d9

SHA256
84c73cdf41e385d83a8ea4635c5a77510316c0a193ec1204b3dbf9e9a77ca445

SHA512
987a07631a786c237c7625b2bf8863408a6f3f2796dec6107060eb70c05fa3ddc189e57c0b186966dc2677affc3217dc1e7cf3ccaebf4ad3c66c3a56d273b375

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.dll

Filesize
584KB

MD5
485308e6665d76b37fec8acbd7598455

SHA1
20c6961f2c50c3ec6b9444bdd5c4e46563de5d53

SHA256
0b1d29264ed12e4ef85e499babf83b702805a0647e5f2958f07ec5d32703e8e7

SHA512
6c5481b985cbe4282d8835264f873ae0a603938d8fcf7dd134d4e17295d9953f4ac8c6c2fdd85f6330418b3e9b496351dcf9b6c80cabdb581575d5777d641429

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp475B.tmp\wyeke.exe

Filesize
57KB

MD5
1a6a68ce5fbe650abca2450c245aca9e

SHA1
f1d3aa00d1f60a0fc9e40e1da18a7ee5851bf493

SHA256
bb957c094016983a5c41dd684a22b834024219e99bed8531f245d8753703b1e2

SHA512
8763e3fab06a52c080243ea4b9ca8e0befc83c0f0afb5881d213c54ff1db5de3f3d3a529ed72c7e2da49eb696b28741f0abf9d367da5b346c7dc9368a22f98d6

Download Submit
memory/1204-42-0x0000000002350000-0x00000000023D4000-memory.dmp

Filesize
528KB

Download
memory/1456-22-0x00000000010D0000-0x0000000001154000-memory.dmp

Filesize
528KB

Download
memory/4092-11-0x0000000002390000-0x0000000002414000-memory.dmp

Filesize
528KB

Download