Resubmissions

23-05-2024 08:57

240523-kwt7pabd79 8

23-05-2024 08:53

240523-ktqfqabd23 7

Analysis

  • max time kernel
    133s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 08:57

General

  • Target

    whats.exe

  • Size

    12.1MB

  • MD5

    ff9ad3e1150b2a99335ab5e295513062

  • SHA1

    9ef477c731e01214f76e4f6161b2b09d92c4fc33

  • SHA256

    b3f70a8027e35c91ad1a18f7176a29f755bba27b20ace5159e5b784c7dab4443

  • SHA512

    5ffd609ba0e0d9b6b3aa029eca7083a1fce286a4f3db1dfefb114e48d33ce16fb1e53834c19a83c5909a1e71aa5f1668ac2760516770517805654397684b533b

  • SSDEEP

    196608:CNESzoOoT8GyziDMqM4mUFBgFzBQDjMPDt7xqxWM/QstP4imicl69ppdJWs4dJ2k:sfz68FEeIgajMCxLQstIifHd4s4T2k

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
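The signature names above are the sandbox's labels and the report prints only their counts. The following is an added example, not code from the report or from the sandbox vendor, that re-derives those signatures from raw API events so the matching logic is visible. The trace lines are constructed for the example, and the assumption that "Checks computer location settings" keys on reads of the Geo values under Control Panel\International is mine, since the report does not show the registry key it matched. The example carries the two caveats a practitioner wants: a WriteProcessMemory call only counts when the target is another process (and even then, a parent writing into a child it just created is consistent with a setup stub initialising that child as much as with injection, so treat the 2 IoCs above as a lead, not a verdict), and SetWindowsHookEx only means something with hook type and scope attached, since a thread-local WH_CBT hook from a GUI installer is routine while a global keyboard hook is not.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed API-trace lines in a simple "pid api argument" layout (a made-up
# layout for this example, not the sandbox's own export format). The PIDs mirror
# the process tree in the report: 412 is the parent, 892 the dropped child.
SAMPLE_TRACE = """\
412 RegOpenKeyExW HKCU\\Control Panel\\International\\Geo
412 RegQueryValueExW HKCU\\Control Panel\\International\\Geo\\Nation
412 CreateProcessW C:\\Users\\Admin\\AppData\\Local\\Temp\\_ir_sf_temp_0\\irsetup.exe
412 WriteProcessMemory target_pid=892
412 WriteProcessMemory target_pid=892
892 WriteProcessMemory target_pid=892
892 CreateFileW \\\\.\\PhysicalDrive0
892 SetWindowsHookExW idHook=5 thread=892
892 SetWindowsHookExW idHook=13 thread=0
892 RegQueryValueExW HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName
"""

# Assumption: the location-settings signature fires on reads of the user's Geo
# settings under Control Panel\International; the report does not print the key.
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo(\\(Nation|Name))?$", re.I)
REG_APIS = {"RegOpenKeyExA", "RegOpenKeyExW", "RegQueryValueExA", "RegQueryValueExW"}
PHYSICAL_DEVICE = re.compile(r"^\\\\\.\\(PhysicalDrive\d+|CdRom\d+)$", re.I)
HOOK_NAMES = {2: "WH_KEYBOARD", 5: "WH_CBT", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}

Event = Tuple[int, str, str]
Hits = Dict[str, List[Tuple[int, str]]]


def parse_trace(text: str) -> List[Event]:
    """Turn the constructed trace into (pid, api, argument) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            pid, api, arg = line.split(" ", 2)
            events.append((int(pid), api, arg))
    return events


def match_signatures(events: List[Event]) -> Hits:
    """Re-derive the report's signatures: signature name -> [(pid, evidence)]."""
    hits: Hits = defaultdict(list)
    for pid, api, arg in events:
        if api in REG_APIS and GEO_KEY.search(arg):
            hits["Checks computer location settings"].append((pid, arg))
        elif api == "WriteProcessMemory":
            # Only cross-process writes count; a process writing its own memory
            # through this API is noise.
            m = re.search(r"target_pid=(\d+)", arg)
            if m and int(m.group(1)) != pid:
                hits["Suspicious use of WriteProcessMemory"].append((pid, f"-> pid {m.group(1)}"))
        elif api.startswith("SetWindowsHookEx"):
            # Keep hook type and scope: a global (thread id 0) keyboard hook is the
            # keylogger shape; a thread-local WH_CBT hook is common in UI frameworks.
            m = re.search(r"idHook=(\d+) thread=(\d+)", arg)
            if m:
                hook = HOOK_NAMES.get(int(m.group(1)), f"hook {m.group(1)}")
                scope = "global" if m.group(2) == "0" else "thread-local"
                hits["Suspicious use of SetWindowsHookEx"].append((pid, f"{hook} ({scope})"))
        elif api.startswith("CreateFile") and PHYSICAL_DEVICE.match(arg):
            hits["Enumerates physical storage devices"].append((pid, arg))
    return dict(hits)


def keylogger_indicators(hits: Hits) -> List[int]:
    """PIDs that installed a global keyboard hook, the one hook use worth escalating."""
    return sorted({pid for pid, ev in hits.get("Suspicious use of SetWindowsHookEx", [])
                   if ev.startswith("WH_KEYBOARD") and ev.endswith("(global)")})


if __name__ == "__main__":
    found = match_signatures(parse_trace(SAMPLE_TRACE))
    for name, evidence in found.items():
        print(f"{name}: {len(evidence)} IoCs")
        for pid, ev in evidence:
            print(f"  PID {pid}: {ev}")
    print("global keyboard hook in:", keylogger_indicators(found))
```

Run against a real trace, the per-signature evidence list is what the report's bare "N IoCs" count hides: which key was read, which PID was written into, and whether the hook was global.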

Processes

  • C:\Users\Admin\AppData\Local\Temp\whats.exe
    "C:\Users\Admin\AppData\Local\Temp\whats.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5836146 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\whats.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-4124900551-4068476067-3491212533-1000"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:892
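The child's path and arguments (irsetup.exe under _ir_sf_temp_0, the __IR* arguments, lua5.1.dll dropped alongside) are the unpacking pattern of an Indigo Rose Setup Factory installer, so "Executes dropped EXE" and "Loads dropped DLL" follow from that packaging alone; what decides the verdict is what the packaged setup script does, which this report does not show. Below is an added example, not the report's or Setup Factory's own code, that parses those arguments and carves the embedded archive at the stated offset so it can be hashed and inspected separately from the stub. It assumes, since the report does not say, that __IRAOFF is the archive's byte offset inside the file named by __IRAFN and that __IRSID is the invoking user's SID; the PE stand-in is constructed for the example, and the carve refuses an offset that falls inside the PE's section data or past the end of the file.

```python
import hashlib
import re
import struct
from typing import Dict

# Child command line as recorded in the report's process tree.
IRSETUP_CMDLINE = (
    r'"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5836146 '
    r'"__IRAFN:C:\Users\Admin\AppData\Local\Temp\whats.exe" "__IRCT:0" "__IRTSS:0" '
    r'"__IRSID:S-1-5-21-4124900551-4068476067-3491212533-1000"'
)

_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes
    (no backslash-escape handling, which the arguments here do not need)."""
    return [quoted if quoted else plain for quoted, plain in _ARG_RE.findall(cmdline)]


def parse_irsetup_args(cmdline: str) -> Dict[str, str]:
    """Return the __IR* arguments as a dict. Assumption (not stated in the report):
    __IRAOFF is the byte offset of the embedded setup archive inside the file
    named by __IRAFN, and __IRSID is the SID of the invoking user."""
    args: Dict[str, str] = {}
    for arg in split_cmdline(cmdline)[1:]:          # [0] is the executable path
        if arg.startswith("__IR") and ":" in arg:
            key, value = arg.split(":", 1)            # first ':' only, keeps "C:\..."
            args[key] = value
    return args


def pe_end_of_section_data(data: bytes) -> int:
    """Offset where the last PE section's raw data ends; bytes after it are overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    first_section = e_lfanew + 24 + opt_hdr_size
    end = 0
    for i in range(num_sections):
        # Section header: SizeOfRawData at +16, PointerToRawData at +20.
        raw_size, raw_ptr = struct.unpack_from("<II", data, first_section + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def carve_overlay(data: bytes, archive_offset: int) -> Dict[str, object]:
    """Slice the payload irsetup.exe reads at __IRAOFF and hash it. Refuses an offset
    that lands inside the mapped PE image or beyond the end of the file, so a
    tampered or mis-read offset fails loudly instead of hashing the wrong bytes."""
    overlay_start = pe_end_of_section_data(data)
    if not overlay_start <= archive_offset < len(data):
        raise ValueError(f"offset {archive_offset} is not in the overlay "
                         f"(overlay starts at {overlay_start}, file is {len(data)} bytes)")
    blob = data[archive_offset:]
    return {"offset": archive_offset, "size": len(blob), "sha256": sha256_hex(blob)}


def build_fake_pe(section_bytes: bytes, overlay: bytes) -> bytes:
    """Constructed stand-in for whats.exe: a minimal one-section PE with an overlay.
    It is not a real executable; it exists so the carving can be exercised offline."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                        # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 1)                   # Machine, NumberOfSections
    struct.pack_into("<H", hdr, 0x54, 0)                           # SizeOfOptionalHeader (toy)
    struct.pack_into("<8sIIII", hdr, 0x58, b".text",
                     len(section_bytes), 0x1000, len(section_bytes), 0x80)
    return bytes(hdr) + section_bytes + overlay


if __name__ == "__main__":
    args = parse_irsetup_args(IRSETUP_CMDLINE)
    print("archive file:", args["__IRAFN"], "offset:", args["__IRAOFF"])
    sample = build_fake_pe(b"\x90" * 64, b"ARCHIVE" * 10)
    print(carve_overlay(sample, 0x80 + 64))
```

On the real sample, read whats.exe from disk and pass `int(args["__IRAOFF"])` to `carve_overlay`; the resulting hash identifies the setup archive independently of the stub, which is what to pivot on when the same payload is repackaged under a different outer file.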

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    Filesize

    4.9MB

    MD5

    d33dd57c830b9b52ec844d713ea1a1da

    SHA1

    51fc3d3316bb308e164a981d364181ae6cadbd1b

    SHA256

    b4255a661c37f4bffcb74baf33d1860cf54f0bdaf68a7b172d4beef3e22729d3

    SHA512

    9b28c9968f0fd1e908d696e363725c6278771c51ac11e52fc6e89081197b88e5f1153293d6e61ae706278b3a98ee70be5ea2765443492461bc5d2330e5c8a260

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
    Filesize

    329KB

    MD5

    52a0b3c36a01a89187342803bc11709d

    SHA1

    8f17c48ecfb5f798cfe565b8f370a86cf8efb091

    SHA256

    af97caa9ff7fba485bdbc688ac1f9de451d38efd102b2bf18deeeed7bd1a30c0

    SHA512

    830259b06dc26197eb5bff1d12cc490a2813bf15ce99b2eb8fa3a61586d0cf613f5ba81fe120be8350ac7f27841633c74a97add2c33591952a0060404249c89c