16538ee182d296f247a9a1d9c6b6f6ef8b0c098d68b14aeaa0c04727b34ed18f

Analysis

max time kernel
129s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaFilterApp.exe
Size

14.4MB
MD5

a4d195ccd7822ad76ae51614207ff64c
SHA1

76e37dd3761693b27d4b3ed95b1f899d8fa73a6d
SHA256

16538ee182d296f247a9a1d9c6b6f6ef8b0c098d68b14aeaa0c04727b34ed18f
SHA512

961e35c9ed37150602361ef0bb78a4f7f8fab47293c8c34c5b8e50e2daf52f7319e35bdda57e646e8606ccd9ae4c3d8300f98ed0b6bf8b51ccd521e13b51c385
SSDEEP

196608:V1EXPC7hrKiqNpFExqlmEpGzSj6MqYFHSv4qKh3ogUU1CxFkQ52cD9ICRAz4SlmJ:jEfAhrQpWA9ql4qU3woEhIwAlw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
888	WaFilterApp.tmp
3432	WaFilterNew.exe

Loads dropped DLL 11 IoCs

pid	Process
3432	WaFilterNew.exe
3432	WaFilterNew.exe
3432	WaFilterNew.exe
3432	WaFilterNew.exe
3432	WaFilterNew.exe
3432	WaFilterNew.exe
3432	WaFilterNew.exe
3432	WaFilterNew.exe
3432	WaFilterNew.exe
3432	WaFilterNew.exe
3432	WaFilterNew.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WaFilter\Licensing.Common.dll	WaFilterApp.tmp
File opened for modification	C:\Program Files (x86)\WaFilter\WaFilterNew.exe	WaFilterApp.tmp
File opened for modification	C:\Program Files (x86)\WaFilter\BouncyCastle.Cryptography.dll	WaFilterApp.tmp
File created	C:\Program Files (x86)\WaFilter\is-RE9OQ.tmp	WaFilterApp.tmp
File created	C:\Program Files (x86)\WaFilter\is-JPLIQ.tmp	WaFilterApp.tmp
File opened for modification	C:\Program Files (x86)\WaFilter\NUniqueHardwareID.dll	WaFilterApp.tmp
File created	C:\Program Files (x86)\WaFilter\is-C7FC7.tmp	WaFilterApp.tmp
File created	C:\Program Files (x86)\WaFilter\is-2J8V9.tmp	WaFilterApp.tmp
File created	C:\Program Files (x86)\WaFilter\is-09VO2.tmp	WaFilterApp.tmp
File opened for modification	C:\Program Files (x86)\WaFilter\WebDriver.dll	WaFilterApp.tmp
File created	C:\Program Files (x86)\WaFilter\is-FD4SR.tmp	WaFilterApp.tmp
File opened for modification	C:\Program Files (x86)\WaFilter\Krypton.Navigator.dll	WaFilterApp.tmp
File created	C:\Program Files (x86)\WaFilter\selenium-manager\windows\is-H3KNN.tmp	WaFilterApp.tmp
File created	C:\Program Files (x86)\WaFilter\is-B1VR7.tmp	WaFilterApp.tmp
File created	C:\Program Files (x86)\WaFilter\is-2S62E.tmp	WaFilterApp.tmp
File created	C:\Program Files (x86)\WaFilter\unins000.dat	WaFilterApp.tmp
File created	C:\Program Files (x86)\WaFilter\is-VEF3O.tmp	WaFilterApp.tmp
File opened for modification	C:\Program Files (x86)\WaFilter\selenium-manager\windows\selenium-manager.exe	WaFilterApp.tmp
File opened for modification	C:\Program Files (x86)\WaFilter\Licensing.Validator.dll	WaFilterApp.tmp
File opened for modification	C:\Program Files (x86)\WaFilter\SuperFilter.Api.dll	WaFilterApp.tmp
File opened for modification	C:\Program Files (x86)\WaFilter\Newtonsoft.Json.dll	WaFilterApp.tmp
File created	C:\Program Files (x86)\WaFilter\is-BIF7J.tmp	WaFilterApp.tmp
File created	C:\Program Files (x86)\WaFilter\is-CU3H8.tmp	WaFilterApp.tmp
File created	C:\Program Files (x86)\WaFilter\is-QTIUF.tmp	WaFilterApp.tmp
File opened for modification	C:\Program Files (x86)\WaFilter\unins000.dat	WaFilterApp.tmp
File opened for modification	C:\Program Files (x86)\WaFilter\Krypton.Toolkit.dll	WaFilterApp.tmp
File created	C:\Program Files (x86)\WaFilter\is-KKLLK.tmp	WaFilterApp.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
888	WaFilterApp.tmp
888	WaFilterApp.tmp
3432	WaFilterNew.exe
3432	WaFilterNew.exe
3432	WaFilterNew.exe
3432	WaFilterNew.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3432	WaFilterNew.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
888	WaFilterApp.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3432	WaFilterNew.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 888	4196	WaFilterApp.exe	84
PID 4196 wrote to memory of 888	4196	WaFilterApp.exe	84
PID 4196 wrote to memory of 888	4196	WaFilterApp.exe	84
PID 888 wrote to memory of 3432	888	WaFilterApp.tmp	96
PID 888 wrote to memory of 3432	888	WaFilterApp.tmp	96
PID 888 wrote to memory of 3432	888	WaFilterApp.tmp	96

C:\Users\Admin\AppData\Local\Temp\WaFilterApp.exe
"C:\Users\Admin\AppData\Local\Temp\WaFilterApp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\AppData\Local\Temp\is-1KT09.tmp\WaFilterApp.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1KT09.tmp\WaFilterApp.tmp" /SL5="$401EC,14276700,844288,C:\Users\Admin\AppData\Local\Temp\WaFilterApp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Program Files (x86)\WaFilter\WaFilterNew.exe
    "C:\Program Files (x86)\WaFilter\WaFilterNew.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WaFilter\BouncyCastle.Cryptography.dll

Filesize
14.0MB

MD5
6c92574a2e7f6cc727d6e38450b0a21a

SHA1
d8fd77c39971341352032a264130fc7cd7e82594

SHA256
65f903947d1903afc93998392d3cfb11d62bd95fe8e69e3a7ae6a42f684a2793

SHA512
83de9a62ac216469bd6020179173b98f9489274ca52e9a3050be9d0628a795385ce4b5bd3068a337fc04e7ab2a0da3719f201d3c4946ca37c3f7d0f79ef48754

Download Submit
C:\Program Files (x86)\WaFilter\Krypton.Toolkit.dll

Filesize
4.3MB

MD5
068b4f05eb35479a419bc55da643781e

SHA1
1d0fe6bb23bbd63dc6d4248f7c17afcf4bc16dea

SHA256
477ebd61ce116c6908a1cd1e50bc93869f6f7b9c3e0e5757551e6dd2a01b4648

SHA512
f9022c7d91364519f5b773fd641741637f89a4f4f8eb1406d1c594e0a286724cea7494fb047e810bbed0579b6870db49a6828b1c79808e4554d762f326a87dcc

Download Submit
C:\Program Files (x86)\WaFilter\Licensing.Common.dll

Filesize
18KB

MD5
820ed09c9f47ea5402c07fd043a60f59

SHA1
701e93cb4ae7af22057dd352d3932df5ce493efb

SHA256
0bc0807cd9d892de407f19b581458a25838cb47cdf6b578424b5fd3e7be274e3

SHA512
41185ae9809f2d339832cb5671fb2cb3cbe0c5e8f83458220022db5efcca15be5e0c64724f93b5c57996d6f3b91e1c705ca0431cd02ba2b1b192fb608ac3e9ed

Download Submit
C:\Program Files (x86)\WaFilter\Licensing.Validator.dll

Filesize
35KB

MD5
408813d612d0d9aab08af0051cbb6936

SHA1
f3ee4ca0a5672c959d9a51924bc602e877d0bb75

SHA256
40222b31104a79a1b336563dde85869e8c1824bddfa58904a020ebcc98a7e213

SHA512
254bfc553feaa0b51cc6208272f51b79b9373621e02eaff225aa4e8615cf94e99980ae7257552c7c43b2bf3f624c1f906e2b38496401dfb791210797689f6f7e

Download Submit
C:\Program Files (x86)\WaFilter\NUniqueHardwareID.dll

Filesize
7KB

MD5
0e089c82dec49dfd68fa9f694e84dd67

SHA1
bef968ceb3f36a7f78b0d50412981a62f13dac9e

SHA256
0e09afc3a7a3ce435dd5d95bcba14b6579ac0874156e1fadea1f46205b5aaa3e

SHA512
8964660545086fdb18a25d4889bb4a151b26aa6c20a03e74c2dd9e8d75aa115e64507a3362583f79acc352a8efcce16cd121501bff2106cbf7976e7f77539171

Download Submit
C:\Program Files (x86)\WaFilter\WaFilterNew.exe

Filesize
2.6MB

MD5
85ca772e58a46df23cfc12b854ba3d84

SHA1
23752a6772732a57da7e37b60248c54a139d49a3

SHA256
a8841c945f5d3117745fac3a64f7735a683eeff78e28a4754dbf75c2b09d3612

SHA512
768aa9186676cf174bd6d7ade1e67f982baf56e41f816d78984a312a36ed5d99a05a26e395c6acd3e51311b3180708c4b7be773e3b31cde8845bc4a6b0450525

Download Submit
C:\Program Files (x86)\WaFilter\WaFilterNew.exe.config

Filesize
518B

MD5
993a2af70831587d2f611c7efb141f96

SHA1
eda856d35705dad0dcecc49ae7367937b839eaa3

SHA256
856026e81cc0bc78d5096f532a40d1ccb7f97044028d37447fd454a9a1582b49

SHA512
005fe13d617bbd12ff57b77323cec187add8bf2322c56616df27ac0aa75bd86543d998e14a3a0b57719bc203de381e9add9d6fa4cd9dd42d0cd5ec6bb226751c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1KT09.tmp\WaFilterApp.tmp

Filesize
3.0MB

MD5
050e34d6662fc104ddce974c90bf3511

SHA1
64e2332a244a8e94e71bb0def89b73ba1dd15839

SHA256
516af84c5ad10b4df6f663b7b3e28617ed42da60ecf1561f04b621071e3dde38

SHA512
75ff1ff4e8cfd25453b772646d8d81ee3670ff00d3b85dfb29e05e3ac5834a0000c776cdc2e7002bbaa7de14654e659cf39c22d93e470e5ebd643e8c97376e07

Download Submit
memory/888-68-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/888-6-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/888-9-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3432-71-0x00000000738E0000-0x0000000074090000-memory.dmp

Filesize
7.7MB

Download
memory/3432-56-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/3432-59-0x00000000738E0000-0x0000000074090000-memory.dmp

Filesize
7.7MB

Download
memory/3432-60-0x00000000738E0000-0x0000000074090000-memory.dmp

Filesize
7.7MB

Download
memory/3432-61-0x0000000005F70000-0x0000000006514000-memory.dmp

Filesize
5.6MB

Download
memory/3432-62-0x00000000738E0000-0x0000000074090000-memory.dmp

Filesize
7.7MB

Download
memory/3432-63-0x0000000005AC0000-0x0000000005B52000-memory.dmp

Filesize
584KB

Download
memory/3432-64-0x00000000738E0000-0x0000000074090000-memory.dmp

Filesize
7.7MB

Download
memory/3432-66-0x00000000738E0000-0x0000000074090000-memory.dmp

Filesize
7.7MB

Download
memory/3432-57-0x00000000738E0000-0x0000000074090000-memory.dmp

Filesize
7.7MB

Download
memory/3432-69-0x0000000005C70000-0x0000000005C7A000-memory.dmp

Filesize
40KB

Download
memory/3432-97-0x00000000738E0000-0x0000000074090000-memory.dmp

Filesize
7.7MB

Download
memory/3432-49-0x00000000738EE000-0x00000000738EF000-memory.dmp

Filesize
4KB

Download
memory/3432-72-0x00000000738E0000-0x0000000074090000-memory.dmp

Filesize
7.7MB

Download
memory/3432-76-0x0000000007820000-0x0000000007830000-memory.dmp

Filesize
64KB

Download
memory/3432-58-0x00000000738E0000-0x0000000074090000-memory.dmp

Filesize
7.7MB

Download
memory/3432-96-0x00000000738E0000-0x0000000074090000-memory.dmp

Filesize
7.7MB

Download
memory/3432-80-0x00000000085B0000-0x0000000008A08000-memory.dmp

Filesize
4.3MB

Download
memory/3432-95-0x000000000AD80000-0x000000000BB8A000-memory.dmp

Filesize
14.0MB

Download
memory/3432-84-0x0000000008A10000-0x0000000008A1C000-memory.dmp

Filesize
48KB

Download
memory/3432-89-0x0000000008A50000-0x0000000008A6A000-memory.dmp

Filesize
104KB

Download
memory/3432-88-0x0000000008A20000-0x0000000008A28000-memory.dmp

Filesize
32KB

Download
memory/3432-50-0x0000000000870000-0x0000000000B0C000-memory.dmp

Filesize
2.6MB

Download
memory/3432-90-0x00000000738E0000-0x0000000074090000-memory.dmp

Filesize
7.7MB

Download
memory/3432-91-0x00000000738EE000-0x00000000738EF000-memory.dmp

Filesize
4KB

Download
memory/4196-1-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4196-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4196-8-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4196-70-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download