Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/03/2024, 20:58
Static task: static1
Behavioral task: behavioral1
  Sample: 48bc784a13d9c6dfd371e9e12e8886126826750185543d94bdb2e585ad92112d.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 48bc784a13d9c6dfd371e9e12e8886126826750185543d94bdb2e585ad92112d.exe
  Resource: win10v2004-20240226-en
General
Target: 48bc784a13d9c6dfd371e9e12e8886126826750185543d94bdb2e585ad92112d.exe
Size: 257KB
MD5: 1da3c41b8f0a1a49b39b45b0e4f361cd
SHA1: c89d0f754e7a552f4924e3295e569255a5206db2
SHA256: 48bc784a13d9c6dfd371e9e12e8886126826750185543d94bdb2e585ad92112d
SHA512: 38a444ccfaf7699a7367571795bf6a0d32a72a0b617751ba6af914e62d9088d766a6a05b6c7fb074d4e31ef354c715779e14cc2584d3b714e01896db6cdb7717
SSDEEP: 6144:F0tFwzWQx2+OMcppIRW30d+h8wZ2Uf/T11cradKtvr1K/fObT/bGipKgJJeZ4cAn:4FwtOMcppIRW3M+hwUf/Z1craduvr1Ka

Malware Config

Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 48bc784a13d9c6dfd371e9e12e8886126826750185543d94bdb2e585ad92112d.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | wiajij.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | 48bc784a13d9c6dfd371e9e12e8886126826750185543d94bdb2e585ad92112d.exe
Executes dropped EXE (1 IoC)
pid | process
1172 | wiajij.exe
Adds Run key to start application (2 TTPs, 51 IoCs)
All 51 entries are "Set value (str)" operations on the same key:
  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiajij
value | process
"C:\\Users\\Admin\\wiajij.exe /F" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /B" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /m" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /G" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /d" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /W" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /H" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /S" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /P" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /x" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /t" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /e" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /k" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /Q" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /i" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /Q" | 48bc784a13d9c6dfd371e9e12e8886126826750185543d94bdb2e585ad92112d.exe
"C:\\Users\\Admin\\wiajij.exe /z" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /a" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /l" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /n" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /o" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /g" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /X" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /R" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /Y" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /j" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /E" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /U" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /V" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /J" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /D" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /h" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /f" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /L" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /O" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /c" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /K" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /C" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /A" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /q" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /v" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /T" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /p" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /y" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /I" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /r" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /N" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /s" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /u" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /w" | wiajij.exe
"C:\\Users\\Admin\\wiajij.exe /b" | wiajij.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
3924 | 48bc784a13d9c6dfd371e9e12e8886126826750185543d94bdb2e585ad92112d.exe (2 entries)
1172 | wiajij.exe (remaining 62 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
3924 | 48bc784a13d9c6dfd371e9e12e8886126826750185543d94bdb2e585ad92112d.exe
1172 | wiajij.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | procid_target
PID 3924 wrote to memory of 1172 | 3924 | 48bc784a13d9c6dfd371e9e12e8886126826750185543d94bdb2e585ad92112d.exe | 96
PID 3924 wrote to memory of 1172 | 3924 | 48bc784a13d9c6dfd371e9e12e8886126826750185543d94bdb2e585ad92112d.exe | 96
PID 3924 wrote to memory of 1172 | 3924 | 48bc784a13d9c6dfd371e9e12e8886126826750185543d94bdb2e585ad92112d.exe | 96
Processes
C:\Users\Admin\AppData\Local\Temp\48bc784a13d9c6dfd371e9e12e8886126826750185543d94bdb2e585ad92112d.exe
  "C:\Users\Admin\AppData\Local\Temp\48bc784a13d9c6dfd371e9e12e8886126826750185543d94bdb2e585ad92112d.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3924
  C:\Users\Admin\wiajij.exe
    "C:\Users\Admin\wiajij.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1172
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 257KB
MD5: fb9e8ebf77158358b8cb407b064097fa
SHA1: 02023ae372e8f92c0f8690bd3dfef2dcec148e3b
SHA256: 7734676944548c85ba7c1a8c683f9f30b58111b516c56691c5fd596cb8cf0c6c
SHA512: ad1903f37d765c5ddae75687df034a82940f4658f6917d98906637e795524ff5dddf9785541ae57047a4163c115f7f2b22e3a55694f27685253581dcc8d25e36