e7b53420e1a8808dd4dc9bcb0199bdc772dbb154422b65f22164fa1511d0bf8a

General

Target

9907dfd45365e9408286058e09808dc1.exe
Size

627KB
MD5

9907dfd45365e9408286058e09808dc1
SHA1

19caab185fbbfc6ba205b6d87667f018f558a74d
SHA256

e7b53420e1a8808dd4dc9bcb0199bdc772dbb154422b65f22164fa1511d0bf8a
SHA512

48456f0f275b65365a51426c9e54eac2b5342d9c17dda0c9227d679b8ce2210898dd3dee0819e310ce127a99fbc6285fce858b16d635b6d0f8fd6c11c731e3ed
SSDEEP

12288:fq9jFepo670nuJc1qHmSUFRTSRXmwpd+l7NbGcCfwYP4IMSM/RuJQ8:fmUpoM0n8qUzQRTcJ8hNbTAwYLMkJQ8

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2820	WjfClean.exe

Loads dropped DLL 2 IoCs

pid	Process
2228	9907dfd45365e9408286058e09808dc1.exe
2820	WjfClean.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2228-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2228-39-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	WjfClean.exe
File opened (read-only)	\??\T:	WjfClean.exe
File opened (read-only)	\??\U:	WjfClean.exe
File opened (read-only)	\??\E:	WjfClean.exe
File opened (read-only)	\??\J:	WjfClean.exe
File opened (read-only)	\??\Q:	WjfClean.exe
File opened (read-only)	\??\R:	WjfClean.exe
File opened (read-only)	\??\I:	WjfClean.exe
File opened (read-only)	\??\K:	WjfClean.exe
File opened (read-only)	\??\P:	WjfClean.exe
File opened (read-only)	\??\S:	WjfClean.exe
File opened (read-only)	\??\V:	WjfClean.exe
File opened (read-only)	\??\G:	WjfClean.exe
File opened (read-only)	\??\H:	WjfClean.exe
File opened (read-only)	\??\L:	WjfClean.exe
File opened (read-only)	\??\M:	WjfClean.exe
File opened (read-only)	\??\O:	WjfClean.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WjfClean\SubPro.JPG	9907dfd45365e9408286058e09808dc1.exe
File created	C:\Program Files (x86)\WjfClean\SkinPlusPlus.dll	9907dfd45365e9408286058e09808dc1.exe
File created	C:\Program Files (x86)\WjfClean\WjfClean.ini	9907dfd45365e9408286058e09808dc1.exe
File created	C:\Program Files (x86)\WjfClean\WmKillDrv.sys	9907dfd45365e9408286058e09808dc1.exe
File created	C:\Program Files (x86)\WjfClean\WmNdisDrv.sys	9907dfd45365e9408286058e09808dc1.exe
File created	C:\Program Files (x86)\WjfClean\SubPro.htm	9907dfd45365e9408286058e09808dc1.exe
File created	C:\Program Files (x86)\WjfClean\WjfClean.exe	9907dfd45365e9408286058e09808dc1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	WjfClean.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	WjfClean.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	WjfClean.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2820	WjfClean.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2820	WjfClean.exe
2820	WjfClean.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2820	WjfClean.exe
2820	WjfClean.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2820	WjfClean.exe
2820	WjfClean.exe
2820	WjfClean.exe
2820	WjfClean.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2820	2228	9907dfd45365e9408286058e09808dc1.exe	28
PID 2228 wrote to memory of 2820	2228	9907dfd45365e9408286058e09808dc1.exe	28
PID 2228 wrote to memory of 2820	2228	9907dfd45365e9408286058e09808dc1.exe	28
PID 2228 wrote to memory of 2820	2228	9907dfd45365e9408286058e09808dc1.exe	28

C:\Users\Admin\AppData\Local\Temp\9907dfd45365e9408286058e09808dc1.exe
"C:\Users\Admin\AppData\Local\Temp\9907dfd45365e9408286058e09808dc1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Program Files (x86)\WjfClean\WjfClean.exe
  "C:\Program Files (x86)\WjfClean\WjfClean.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WjfClean\SkinPlusPlus.dll

Filesize
720KB

MD5
30bfb82b3ebe516c96007725ba964c28

SHA1
3b169816fca706f3f3d6d178af3c63fa0ee0e4f6

SHA256
0a6a1cdbaec23ba24b42e4591e54c2845425dc74756112d848c7ee254df8511b

SHA512
811d6ac925d3299f9e85e9528e33f9e5564be03270b67af9b8929c0f8592c6996077096448042526c00584074f01de798c8941554208b7effaf0813fa6858c93

Download Submit
C:\Program Files (x86)\WjfClean\SubPro.htm

Filesize
289B

MD5
2bd1ab04125a088bf446c8f38feba3cc

SHA1
092ed49295c5d8633aba8f316bc1eb3d420a1a9e

SHA256
0c981cc554310bfb6c4e8ed75a9a9e6b192717373cb98c493983d07221e89466

SHA512
55f389b050ccc28c4c058197a78be179a9e68b0a1666a649bad4e347fb776f3ba8a1cb4bcc34590f7814d3bdcf5921b31f70de41f0067df509476b52c2dd2197

Download Submit
C:\Program Files (x86)\WjfClean\SubPro.jpg

Filesize
20KB

MD5
88e5090287d7d339718cb69e58a1a029

SHA1
141e7e9f3e76c790655c3c590f98e6ebb7029405

SHA256
621dba09dd11a9e8b407e825ed5f7cfefc8bd598f6d97fcbb0cc2708981fe7e1

SHA512
887fd6a1680724609c0a035b78db90cf4e35b228e01c3ffa6c7efd9be8192b8d96fa1dc9155624315ffdf9bd2f56a123a692749437b1dc62dea68d84b6059fc5

Download Submit
C:\Program Files (x86)\WjfClean\WjfClean.ini

Filesize
9KB

MD5
487797c815c3ca8c3c807f4ba6cc2f0d

SHA1
fd571c3c96972d3b0d65a83018082a4037a00322

SHA256
fd932ee9b6c3bcd15f7f32f9bd8c088f0fe6ff458c2e93ec5389d36dc9b4a9de

SHA512
a2a93fc1344690d79bd8fe83cd204415fceba0c2d52b3cef80c0505b0794f751b6058ba3d6245e6c3f018762d1d2d4231c3f7ddcbc135593148494c22b841c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\FP1342.tmp

Filesize
190B

MD5
07be71f62073901d8b5cff9e95523b5a

SHA1
1e048f86afa0a4de23502d300450cee3dcb367f0

SHA256
bdcc34819530c2f1bd729315248590dd9eb790605f6d4ec58787b082af587c1a

SHA512
258a4ffad49dfc20ed2aedfb134171a5113949f8f7174329ed8311ac100a825e05931d2b96849d92a51012af992afbaecd3ebd750a36959c2d274114ce2847a1

Download Submit
\Program Files (x86)\WjfClean\WjfClean.exe

Filesize
980KB

MD5
797bf832f22673533363113b02e25e9b

SHA1
de68557315980b241acd93074992f41ebed36d80

SHA256
fd7c98b724575aed0bfb9818bc1bd71c66b1db8f22599b66bc78382c551affab

SHA512
08acc36fb2b2b9051ee67ffd87ff0df7af47751b918ff5ed8eb5a30d7be0962e08e4ee685a10dab9eede00ee60f16d24a61261824eadf0d338e78eb35deb4a81

Download Submit
memory/2228-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2228-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing