Analysis
max time kernel: 1049s
max time network: 838s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08/04/2024, 21:49
Static task: static1
Behavioral task: behavioral1
Sample: WeMod-Setup.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: WeMod-Setup.exe
Resource: win10v2004-20240226-en
General
Target: WeMod-Setup.exe
Size: 141KB
MD5: 6eea550d20eb78a505428431d8599581
SHA1: e6a5c169eb1b203987863d611511648b9a1208bc
SHA256: 9865a54dc5191d22de1b27be4be1e0babe609d5e671d3a62b68cff975ad8071d
SHA512: e5a13f8829019c4bbe9eae105a1e2a0a4a3e740292d050e47e6df7ae12712b7f75d5293ab4710758816ccfe31e45495ba7fafbe58e3962335bd23cf45abaabb3
SSDEEP: 3072:Bojm4ILlCI+4COHCyhaEtHZkOpk97oc4ILlCI+4TOHHSafx:Bd+bwaEtHLhiHt
Signatures
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation | WeMod.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation | WeMod.exe
Executes dropped EXE 13 IoCs
pid | Process
1004 | WeMod-Setup-638482098099970000.exe
1412 | Update.exe
2396 | Squirrel.exe
1768 | WeMod.exe
380 | Update.exe
2332 | Update.exe
2632 | WeMod.exe
3032 | WeMod.exe
2932 | WeMod.exe
756 | WeMod.exe
2132 | WeMod.exe
2748 | Update.exe
2508 | WeModAuxiliaryService.exe

Loads dropped DLL 20 IoCs
pid | Process
1004 | WeMod-Setup-638482098099970000.exe
1768 | WeMod.exe
1768 | WeMod.exe
2632 | WeMod.exe
2932 | WeMod.exe
3032 | WeMod.exe
756 | WeMod.exe
3032 | WeMod.exe
3032 | WeMod.exe
3032 | WeMod.exe
2132 | WeMod.exe
2132 | WeMod.exe
2132 | WeMod.exe
2132 | WeMod.exe
2132 | WeMod.exe
2132 | WeMod.exe
2132 | WeMod.exe
2132 | WeMod.exe
2132 | WeMod.exe
756 | WeMod.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | WeMod.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | WeMod.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | WeMod.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WeMod.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WeMod.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | WeMod.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | WeMod.exe
Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | WeMod-Setup.exe
Modifies registry class 7 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wemod\shell\open | WeMod.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wemod\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\WeMod\\app-8.16.1\\WeMod.exe\" \"%1\"" | WeMod.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wemod | WeMod.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wemod\URL Protocol | WeMod.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wemod\ = "URL:wemod" | WeMod.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wemod\shell\open\command | WeMod.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wemod\shell | WeMod.exe
Modifies system certificate store 4 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted; subject per the blob: Baltimore CyberTrust Root] | WeMod-Setup.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] | WeMod-Setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | WeMod-Setup.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] | WeMod-Setup.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1412 | Update.exe
1412 | Update.exe
2632 | WeMod.exe
2632 | WeMod.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1504 | WeMod-Setup.exe
Token: SeDebugPrivilege | 1412 | Update.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeDebugPrivilege | 2748 | Update.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Token: SeShutdownPrivilege | 2632 | WeMod.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1504 | WeMod-Setup.exe
1504 | WeMod-Setup.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1504 wrote to memory of 1004 | 1504 | WeMod-Setup.exe | 29
PID 1504 wrote to memory of 1004 | 1504 | WeMod-Setup.exe | 29
PID 1504 wrote to memory of 1004 | 1504 | WeMod-Setup.exe | 29
PID 1504 wrote to memory of 1004 | 1504 | WeMod-Setup.exe | 29
PID 1504 wrote to memory of 1004 | 1504 | WeMod-Setup.exe | 29
PID 1504 wrote to memory of 1004 | 1504 | WeMod-Setup.exe | 29
PID 1504 wrote to memory of 1004 | 1504 | WeMod-Setup.exe | 29
PID 1004 wrote to memory of 1412 | 1004 | WeMod-Setup-638482098099970000.exe | 30
PID 1004 wrote to memory of 1412 | 1004 | WeMod-Setup-638482098099970000.exe | 30
PID 1004 wrote to memory of 1412 | 1004 | WeMod-Setup-638482098099970000.exe | 30
PID 1004 wrote to memory of 1412 | 1004 | WeMod-Setup-638482098099970000.exe | 30
PID 1412 wrote to memory of 2396 | 1412 | Update.exe | 31
PID 1412 wrote to memory of 2396 | 1412 | Update.exe | 31
PID 1412 wrote to memory of 2396 | 1412 | Update.exe | 31
PID 1412 wrote to memory of 1768 | 1412 | Update.exe | 32
PID 1412 wrote to memory of 1768 | 1412 | Update.exe | 32
PID 1412 wrote to memory of 1768 | 1412 | Update.exe | 32
PID 1412 wrote to memory of 1768 | 1412 | Update.exe | 32
PID 1768 wrote to memory of 380 | 1768 | WeMod.exe | 33
PID 1768 wrote to memory of 380 | 1768 | WeMod.exe | 33
PID 1768 wrote to memory of 380 | 1768 | WeMod.exe | 33
PID 1768 wrote to memory of 380 | 1768 | WeMod.exe | 33
PID 1504 wrote to memory of 2332 | 1504 | WeMod-Setup.exe | 35
PID 1504 wrote to memory of 2332 | 1504 | WeMod-Setup.exe | 35
PID 1504 wrote to memory of 2332 | 1504 | WeMod-Setup.exe | 35
PID 2332 wrote to memory of 2632 | 2332 | Update.exe | 36
PID 2332 wrote to memory of 2632 | 2332 | Update.exe | 36
PID 2332 wrote to memory of 2632 | 2332 | Update.exe | 36
PID 2332 wrote to memory of 2632 | 2332 | Update.exe | 36
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
PID 2632 wrote to memory of 3032 | 2632 | WeMod.exe | 37
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\WeMod-Setup.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\WeMod-Setup.exe"
PID: 1504
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638482098099970000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638482098099970000.exe" --silent
  PID: 1004
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    Command line: "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --silent
    PID: 1412
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\Squirrel.exe
      Command line: "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      PID: 2396
      - Executes dropped EXE

      Level 4: C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
      Command line: "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --squirrel-install 8.16.1
      PID: 1768
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        Level 5: C:\Users\Admin\AppData\Local\WeMod\Update.exe
        Command line: C:\Users\Admin\AppData\Local\WeMod\Update.exe --createShortcut WeMod.exe
        PID: 380
        - Executes dropped EXE

  Level 2: C:\Users\Admin\AppData\Local\WeMod\Update.exe
  Command line: "C:\Users\Admin\AppData\Local\WeMod\Update.exe" --processStart "WeMod.exe" --process-start-args "wemod://?_inst=nY1ISe9HSMpgSrJn"
  PID: 2332
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
    Command line: "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" wemod://?_inst=nY1ISe9HSMpgSrJn
    PID: 2632
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
      Command line: "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=948 --field-trial-handle=984,i,864806722815716998,3212790759271467905,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      PID: 3032
      - Executes dropped EXE
      - Loads dropped DLL

      Level 4: C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
      Command line: "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --force-ui-direction=ltr --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --mojo-platform-channel-handle=1308 --field-trial-handle=984,i,864806722815716998,3212790759271467905,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      PID: 2932
      - Executes dropped EXE
      - Loads dropped DLL

      Level 4: C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
      Command line: "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --app-user-model-id=com.squirrel.WeMod.WeMod --app-path="C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1520 --field-trial-handle=984,i,864806722815716998,3212790759271467905,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      PID: 756
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL

        Level 5: C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe
        Command line: C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\resources\app.asar.unpacked\static\unpacked\auxiliary\WeModAuxiliaryService.exe WeMod\Support_1712613037304_Out
        PID: 2508
        - Executes dropped EXE

      Level 4: C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe
      Command line: "C:\Users\Admin\AppData\Local\WeMod\app-8.16.1\WeMod.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeMod" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=948 --field-trial-handle=984,i,864806722815716998,3212790759271467905,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      PID: 2132
      - Executes dropped EXE
      - Loads dropped DLL

      Level 4: C:\Users\Admin\AppData\Local\WeMod\Update.exe
      Command line: C:\Users\Admin\AppData\Local\WeMod\Update.exe --checkForUpdate https://api.wemod.com/client/channels/stable
      PID: 2748
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Downloads