Overview

overview

10

Static

static

3

PermEdit.exe

windows7-x64

1

PermEdit.exe

windows10-2004-x64

1

WPE by elektro255.exe

windows7-x64

1

WPE by elektro255.exe

windows10-2004-x64

1

elektr.dll

windows7-x64

1

elektr.dll

windows10-2004-x64

1

wpe.exe

windows7-x64

10

wpe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 23:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wpe.exe

  • Size

    56KB

  • MD5

    77ed29c8348379d43ecb9e841d64f6b6

  • SHA1

    14f53a4d5f4a3cc8cd8f2040e28401aa4b9e8c1e

  • SHA256

    fb62a5da456ee9a0f90fe48c3fa57c09d7d4f30bc7cdebee45f6dda02ccf34e6

  • SHA512

    2db27ee4ff7afda5670adf58f7465a5c4f9ee63cefacad5c973660866b6cda62a67f69587ab0497f1ab017548225fff827d90187b031d5b8681557fc61b5a962

  • SSDEEP

    768:J4JPHOF3W8nMIbk6KQVEs8rA7FYM9M6Ap9riiJ:J4Jf83W8W60IL26Ap8iJ

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 12 IoCs
  • Drops file in Windows directory 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wpe.exe
    "C:\Users\Admin\AppData\Local\Temp\wpe.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:924
    • C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3456
      • C:\Windows\SVIQ.EXE
        C:\Windows\SVIQ.EXE
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1688
    • C:\Windows\dc.exe
      C:\Windows\dc.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SVIQ.EXE
    Filesize

    56KB

    MD5

    77ed29c8348379d43ecb9e841d64f6b6

    SHA1

    14f53a4d5f4a3cc8cd8f2040e28401aa4b9e8c1e

    SHA256

    fb62a5da456ee9a0f90fe48c3fa57c09d7d4f30bc7cdebee45f6dda02ccf34e6

    SHA512

    2db27ee4ff7afda5670adf58f7465a5c4f9ee63cefacad5c973660866b6cda62a67f69587ab0497f1ab017548225fff827d90187b031d5b8681557fc61b5a962

    Download Submit

  • C:\Windows\wininit.ini
    Filesize

    41B

    MD5

    e839977c0d22c9aa497b0b1d90d8a372

    SHA1

    b5048e501399138796b38f3d3666e1a88c397e83

    SHA256

    478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

    SHA512

    4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

    Download Submit