Overview

overview

3

Static

static

3

WeMod-Setup.exe

windows7-x64

1

WeMod-Setup.exe

windows10-2004-x64

1

Resubmissions

22/02/2024, 18:35

240222-w8j32aeb82 3

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/02/2024, 18:35

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    WeMod-Setup.exe

  • Size

    141KB

  • MD5

    b7a8c7f363ac58aa95c8c2090e1b87a7

  • SHA1

    10f01392b18643b522a07750f23b4b3a1fae8225

  • SHA256

    cf050a532236fb9762be5db9a81414d6e1befebc0e6a0cb80778cb295acb86bb

  • SHA512

    9409ed3cca63deb5fb5513bad4e86e23adbe47e2ea890dc322fe4a7e90b29bbfe343361f21530748d5ba3c329e93684bf7b136a8c00f41cf08ef5c0025a9cd56

  • SSDEEP

    3072:Bojm4ILlCI+4COHCyhaEtHZkOpk97oc4ILlCI+4TOHHSafx:Bd+bwaEtHLhiHt

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\WeMod-Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\WeMod-Setup.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2932
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4068
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.0.474445121\2108852611" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a042361c-eb25-430a-99bc-5b58696d7d57} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 1980 23db29d8858 gpu
          3⤵
            PID:908
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.1.494665382\427729434" -parentBuildID 20221007134813 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25f1841f-81a7-4260-8e73-e7dbfc3628e2} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 2380 23da6271958 socket
            3⤵
              PID:3568
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.2.515334188\1951185130" -childID 1 -isForBrowser -prefsHandle 1664 -prefMapHandle 2972 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ad333ca-0f7f-4d40-a86f-6eea0e98eee9} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 3024 23db6aa0758 tab
              3⤵
                PID:3592
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.3.1030214327\691359862" -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 3572 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad635f24-367f-44b5-8a3e-56ae6b67bb5d} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 3588 23db52f0858 tab
                3⤵
                  PID:2856
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.4.1100526519\24291892" -childID 3 -isForBrowser -prefsHandle 4184 -prefMapHandle 4176 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e1107dc-7823-4657-bb59-54ab88b7df76} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 4216 23db79d4658 tab
                  3⤵
                    PID:3864
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.5.605724217\1924029892" -childID 4 -isForBrowser -prefsHandle 5144 -prefMapHandle 5140 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c92e2b42-8f37-406a-869a-bae0c78fdcf4} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 5152 23db529a558 tab
                    3⤵
                      PID:4088
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.6.1250187471\1379800684" -childID 5 -isForBrowser -prefsHandle 5444 -prefMapHandle 5448 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bd4321b-9a67-4ab2-8f21-3883526832c6} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 1700 23da626d358 tab
                      3⤵
                        PID:3448
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.7.992008302\387178425" -childID 6 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e45b2de9-e4a8-4e68-8163-3eba56f44a34} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 5480 23db29d5e58 tab
                        3⤵
                          PID:1508
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.8.474359057\1547363419" -childID 7 -isForBrowser -prefsHandle 5920 -prefMapHandle 5932 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36a766e6-251b-457d-bb31-fb9804ba5f55} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 5944 23dbaaf4b58 tab
                          3⤵
                            PID:4612

                      Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\cache2\entries\100E4F205CA11E878C76CAE6999A265E20FF1B60
                              Filesize

                              204KB

                              MD5

                              57b46481906deba2ce6c70e5909e6fdd

                              SHA1

                              e2b4b06880866329ae322b87dab88c5c6a1c40b2

                              SHA256

                              f770f938ecccf75c7a708a0df2ef5f95595665f219b158b48f542c5cfefc8079

                              SHA512

                              02627d19453abac83818eb77011ff004302f8dcd8199e95dd80a4b64acec846e3d92e075ae95cecd672da5c0a0848b08bed093528c175960f72fa54ae591f1e2

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\cache2\entries\166F2232D21D568AF4700252B7B75E876BF9C981
                              Filesize

                              57KB

                              MD5

                              58f35c630ff258691519796a2f1bfd46

                              SHA1

                              a0219865c9bad2523e458992655684383a6cbdba

                              SHA256

                              425954c6fdd86572008cbc2636a89395c1a82c5849b176b71dd66a60f213ab39

                              SHA512

                              1a1c1089807ee7f423ef9428dc11d204f316f05640a2d97e3f884a7eaca6590b900ee6ba3f4cff36a3b9343261095c92073aa15ac045c7f0981674bc392a3205

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\datareporting\glean\db\data.safe.bin
                              Filesize

                              2KB

                              MD5

                              f131a4f0b772752341b3b2f3808058ac

                              SHA1

                              9d56ce3eaa8949ea80d0eefb509a854016ab18f0

                              SHA256

                              d4e186922c1c0a309ef81d97df6a2ba68457269d17843a5edfd799a09aef9dcd

                              SHA512

                              17eade6dd759d582844bb382606c39054e09581d045ee73c42d9a65a4d944a0b4882e0f10b7e2b95baccdb9f513ea46660cf7e8331afb8b35c26437f35b3e60e

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\datareporting\glean\pending_pings\0d28ffc4-fcf7-4cf9-86ab-351219e0eebf
                              Filesize

                              11KB

                              MD5

                              cdd8d0fdf3d0b3c5c9e06dadb7fac96d

                              SHA1

                              1be3dd14147b03d92bfdbc1dc4805a8b96b29eb0

                              SHA256

                              daa48a8fc49be315f2bf7f0e75064c0a267ef7d0d8b8be2b1e94542760174109

                              SHA512

                              4c1161cc4f71b9a29437f34223f652aac0a2a5bfd375a0101b75f2474cb04ba24d305a253b4b03efbf2a68280b6ea33d0bffd6180f1ba2e493e7d5ee28a95e04

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\datareporting\glean\pending_pings\54c5ee85-968c-41df-84b2-24138eed8268
                              Filesize

                              746B

                              MD5

                              1995004ce397db3555ea5f2b41da4dd6

                              SHA1

                              ae231ad2117e5ef863a11c40dc4635105c22b979

                              SHA256

                              8cb5072f08e803f52e32cd8c4ec11f239d40e5be3979573e7a9650ef63686c66

                              SHA512

                              7729ff1b7e62c1dd95dbe10d30f81cca8546496a0019dc3b2399ac9a291670ddd183305fb3a09f6bd6cd4e72c8aede16e8f598a1893728553540e39d66bae0a1

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\prefs-1.js
                              Filesize

                              6KB

                              MD5

                              0c14d6d208ca200de5a3490b0c0d473f

                              SHA1

                              2d078dbe0b9c4dc6d27e1af4db03519b65fc4a57

                              SHA256

                              7cf5218456b5d06bdd4021dc3fa03812a6d796459ad89d76dfbc8e7c4654474d

                              SHA512

                              1bfbd3b902c1187ac2d05740930bdc618d65853967d72fbd7a641b64a749cdcd5e299116270438966f800040d3a51a62e8af30db3c3e2c86e641cc5e04d49236

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\prefs-1.js
                              Filesize

                              6KB

                              MD5

                              d8fae7f5cc244b80ff21f1068e17d5b8

                              SHA1

                              b99428ba3892f4343702f46a43655d440d8b9922

                              SHA256

                              8edcecba9dccde2fc8045f3f33a9e610551a3267780b4d251a8f203ac5409218

                              SHA512

                              cfff1a4c7472adebf0bfd3bfb1e93781a90ae71eb202fcbdb619f289685fd1028e8571a52bdc4c18852411090be934139fa4cd660c3fb8707c3293f052f1dd06

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\prefs.js
                              Filesize

                              6KB

                              MD5

                              e054bee936c6f39268e501aadd73b7bc

                              SHA1

                              3849faaa6868659b8c4eea69e68a2ebaa585af62

                              SHA256

                              9b39ac862ffc78e1510680febeb5729a5ec0fcff95aade51676ea4df8f64dd6a

                              SHA512

                              ad877c98e800d7c310f74d4aac6316e7e02850cb413a2ab31d2d79a23d464475d978731f735008239d57f575ba0d9cbad3abf7f9e577d8b0e5945c3a00798a0c

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              3KB

                              MD5

                              2f13bedd8db486f205e4d911aaced9cf

                              SHA1

                              7af8a432521b3e5470a00c63c88567f397512406

                              SHA256

                              ef68cae5332a88ac111e591950945ffde9b2ae914d69820e97e60357f7ae0b77

                              SHA512

                              7cd4c1170406ffe7cfcca336713e25ca7ad7f39fa443efb078e579b4af7ff73c342a1042bcef5f499a743aa008022e021b27aa64c1e4cb35d4cdb68d33523622

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              4KB

                              MD5

                              d23bd7429fd8775aa561694dfbf78e76

                              SHA1

                              ae7d120aa475d0ebf518cae4625cbb1ac13e0f13

                              SHA256

                              6d2411af11fe64d3f9667699a1fc6432d13c8a876f1b05d7d45ab485b83c0f26

                              SHA512

                              52a565963ed0adcdcc6fbe2ca5968fb50d481a969365f40acc2f8c595b91db6ced3c764792389d09145dbe7f82d9d845a35c7bb59e596ea38fb48f94ea1e975e

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zoo1d5k8.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              4KB

                              MD5

                              9bc62b1101a9bd1c7119f391479687f6

                              SHA1

                              6501f1b72873ad5f851967d43bc2067e9ec3fff1

                              SHA256

                              96612dab1d165beb87c540c540efa351a3ce50bc14377056a6dbb51570005083

                              SHA512

                              3304e8454f1fcbe976fc3f109e99e096f7baa7848d8041ed7929b1f77f3e12243bba13d8dec15aebf958a4e3f856497ed063692a4fb67f27dfd3096376208012

                              Download Submit

                            • memory/2932-0-0x000001488AEE0000-0x000001488AF06000-memory.dmp

                              Filesize

                              152KB

                              Download

                            • memory/2932-3-0x00000148A5520000-0x00000148A5530000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2932-14-0x00007FFA07590000-0x00007FFA08051000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/2932-2-0x00000148A5520000-0x00000148A5530000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2932-4-0x00000148A5520000-0x00000148A5530000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2932-1-0x00007FFA07590000-0x00007FFA08051000-memory.dmp

                              Filesize

                              10.8MB

                              Download