5f92d155696c50f6fc69c0068c964daa7d45dbd0543f0124c29950b0c2440081

General

Target

5f92d155696c50f6fc69c0068c964daa7d45dbd0543f0124c29950b0c2440081.exe
Size

400KB
MD5

47ad0d151e4b68c7b6b68d01b7afb7ff
SHA1

f321d267544fdbd339c9291fd38ecc4778c04162
SHA256

5f92d155696c50f6fc69c0068c964daa7d45dbd0543f0124c29950b0c2440081
SHA512

1556a7b61efb83ead650dd52e872f750eb874421dc3b70e22a03176542a896f87ea2402aebb047b3e25ac59027d4f8877fb3cdd0fc03259fb6dcdbed8d9f444a
SSDEEP

6144:MmE1I1rueqotCwLTceXIzgV9pvcGFWSBWBnZ6FOs+x01Z9seGEKUSx:MmJuXofc4IMzpkG8TNZg+yI8w

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3000	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2928	wfplwfs.exe

Loads dropped DLL 1 IoCs

pid	Process
1900	5f92d155696c50f6fc69c0068c964daa7d45dbd0543f0124c29950b0c2440081.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2928 set thread context of 2424	2928	wfplwfs.exe	32

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\a5473a7b91f9f504.job	wfplwfs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2776	PING.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2424	rundll32.exe
2424	rundll32.exe
2424	rundll32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2928	1900	5f92d155696c50f6fc69c0068c964daa7d45dbd0543f0124c29950b0c2440081.exe	28
PID 1900 wrote to memory of 2928	1900	5f92d155696c50f6fc69c0068c964daa7d45dbd0543f0124c29950b0c2440081.exe	28
PID 1900 wrote to memory of 2928	1900	5f92d155696c50f6fc69c0068c964daa7d45dbd0543f0124c29950b0c2440081.exe	28
PID 1900 wrote to memory of 2928	1900	5f92d155696c50f6fc69c0068c964daa7d45dbd0543f0124c29950b0c2440081.exe	28
PID 1900 wrote to memory of 3000	1900	5f92d155696c50f6fc69c0068c964daa7d45dbd0543f0124c29950b0c2440081.exe	29
PID 1900 wrote to memory of 3000	1900	5f92d155696c50f6fc69c0068c964daa7d45dbd0543f0124c29950b0c2440081.exe	29
PID 1900 wrote to memory of 3000	1900	5f92d155696c50f6fc69c0068c964daa7d45dbd0543f0124c29950b0c2440081.exe	29
PID 1900 wrote to memory of 3000	1900	5f92d155696c50f6fc69c0068c964daa7d45dbd0543f0124c29950b0c2440081.exe	29
PID 3000 wrote to memory of 2776	3000	cmd.exe	31
PID 3000 wrote to memory of 2776	3000	cmd.exe	31
PID 3000 wrote to memory of 2776	3000	cmd.exe	31
PID 3000 wrote to memory of 2776	3000	cmd.exe	31
PID 2928 wrote to memory of 2424	2928	wfplwfs.exe	32
PID 2928 wrote to memory of 2424	2928	wfplwfs.exe	32
PID 2928 wrote to memory of 2424	2928	wfplwfs.exe	32
PID 2928 wrote to memory of 2424	2928	wfplwfs.exe	32
PID 2928 wrote to memory of 2424	2928	wfplwfs.exe	32
PID 2928 wrote to memory of 2424	2928	wfplwfs.exe	32
PID 2928 wrote to memory of 2424	2928	wfplwfs.exe	32
PID 2928 wrote to memory of 2424	2928	wfplwfs.exe	32
PID 2928 wrote to memory of 2424	2928	wfplwfs.exe	32
PID 2928 wrote to memory of 2424	2928	wfplwfs.exe	32
PID 2928 wrote to memory of 2424	2928	wfplwfs.exe	32
PID 2928 wrote to memory of 2424	2928	wfplwfs.exe	32

C:\Users\Admin\AppData\Local\Temp\5f92d155696c50f6fc69c0068c964daa7d45dbd0543f0124c29950b0c2440081.exe
"C:\Users\Admin\AppData\Local\Temp\5f92d155696c50f6fc69c0068c964daa7d45dbd0543f0124c29950b0c2440081.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
  C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\5f92d155696c50f6fc69c0068c964daa7d45dbd0543f0124c29950b0c2440081.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\index.html

Filesize
1KB

MD5
12cf60e57791e7a8bd78033c9f308931

SHA1
f6c8a295064f7fa8553295e3cd8a9c62352f7c2c

SHA256
2f9f2fe135d66c296ab6071d01529623bac31d4a63ab073be3c6c1e20d34f50a

SHA512
72735d76803980afe7260d713a377f82316fa24109f1d2767b352984aa53d4a5e441a89d99aa3fdb32042dcb61b43d88465272bc98552892747829d7986cf3b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\logo.png

Filesize
2KB

MD5
561a5a310ac6505c1dc2029a61632617

SHA1
f267ab458ec5d0f008a235461e466b1fd3ed14ee

SHA256
b41bd7c17b6bdfe6ae0d0dbbb5ce92fd38c4696833ae3333a1d81cf7e38d6e35

SHA512
4edb7ef8313e20bbc73fd96207c2076ce3bac0754a92bb00aff0259ffe1adf6f7e4d6917e7815fd643139a08bd4a0f325f66982378f94483ce1ee0924df6d3c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\qrcode.png

Filesize
2KB

MD5
93a1a761d17ca266066a4b8e286dac1d

SHA1
63b13d8f13fe092aa1cd18dfea86c8c4cf2d5a8d

SHA256
bad6f97f076cf04517a03820b486a2ffe564c2d0ef350932612cc40beec39f6a

SHA512
5d3360d096da7a6b724cc68504dac6691285807f2aca361bbe27ca22acdfe734abf4ee4a4e2f9c55d7f94bb22d50062b19af0a4dd34939cf4673baa1746871bc

Download Submit
\Users\Admin\AppData\Local\Temp\wfplwfs.exe

Filesize
284KB

MD5
80dbe57ffe5badecb6ebf8d88e2ffe4b

SHA1
3eb06a331af28c0fa1a08b6728b222f16ca01ac9

SHA256
6ad9890030237001f8cc91739debb06293aaf8cb734bd9992aa942924a1f4e16

SHA512
aa79001e28cb886c40d5b69277e586c766d097a9b2e5b61bc1577a20440beb70a3f958bce73c52c67a294975e3ed96412926fe53b107a7a2036a303018f56bd9

Download Submit
memory/1900-2-0x0000000000230000-0x000000000028D000-memory.dmp

Filesize
372KB

Download
memory/1900-1-0x0000000001B40000-0x0000000001C40000-memory.dmp

Filesize
1024KB

Download
memory/1900-5-0x0000000000400000-0x0000000001A51000-memory.dmp

Filesize
22.3MB

Download
memory/1900-15-0x0000000000400000-0x0000000001A51000-memory.dmp

Filesize
22.3MB

Download
memory/2424-20-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2424-22-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2424-25-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2424-27-0x0000000003700000-0x0000000003B12000-memory.dmp

Filesize
4.1MB

Download
memory/2424-43-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2928-19-0x0000000000400000-0x0000000001A34000-memory.dmp

Filesize
22.2MB

Download
memory/2928-18-0x0000000000230000-0x000000000026B000-memory.dmp

Filesize
236KB

Download
memory/2928-17-0x0000000001B00000-0x0000000001C00000-memory.dmp

Filesize
1024KB

Download
memory/2928-40-0x0000000000400000-0x0000000001A34000-memory.dmp

Filesize
22.2MB

Download
memory/2928-42-0x0000000001B00000-0x0000000001C00000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing