Analysis
- max time kernel: 133s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 08:57
Static task: static1
Behavioral task: behavioral1 (Sample: whats.exe; Resource: win7-20240508-en)
Behavioral task: behavioral2 (Sample: whats.exe; Resource: win10v2004-20240508-en)
General
- Target: whats.exe
- Size: 12.1MB
- MD5: ff9ad3e1150b2a99335ab5e295513062
- SHA1: 9ef477c731e01214f76e4f6161b2b09d92c4fc33
- SHA256: b3f70a8027e35c91ad1a18f7176a29f755bba27b20ace5159e5b784c7dab4443
- SHA512: 5ffd609ba0e0d9b6b3aa029eca7083a1fce286a4f3db1dfefb114e48d33ce16fb1e53834c19a83c5909a1e71aa5f1668ac2760516770517805654397684b533b
- SSDEEP: 196608:CNESzoOoT8GyziDMqM4mUFBgFzBQDjMPDt7xqxWM/QstP4imicl69ppdJWs4dJ2k:sfz68FEeIgajMCxLQstIifHd4s4T2k
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | process: whats.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 892 | process: irsetup.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid: 892 | process: irsetup.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid: 892 | process: irsetup.exe
    pid: 892 | process: irsetup.exe
    pid: 892 | process: irsetup.exe
    pid: 892 | process: irsetup.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description: PID 412 wrote to memory of 892 | pid: 412 | process: whats.exe | target process: irsetup.exe
    description: PID 412 wrote to memory of 892 | pid: 412 | process: whats.exe | target process: irsetup.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\whats.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\whats.exe"
  PID: 412
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5836146 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\whats.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-4124900551-4068476067-3491212533-1000"
    PID: 892
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  Filesize: 4.9MB
  MD5: d33dd57c830b9b52ec844d713ea1a1da
  SHA1: 51fc3d3316bb308e164a981d364181ae6cadbd1b
  SHA256: b4255a661c37f4bffcb74baf33d1860cf54f0bdaf68a7b172d4beef3e22729d3
  SHA512: 9b28c9968f0fd1e908d696e363725c6278771c51ac11e52fc6e89081197b88e5f1153293d6e61ae706278b3a98ee70be5ea2765443492461bc5d2330e5c8a260
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
  Filesize: 329KB
  MD5: 52a0b3c36a01a89187342803bc11709d
  SHA1: 8f17c48ecfb5f798cfe565b8f370a86cf8efb091
  SHA256: af97caa9ff7fba485bdbc688ac1f9de451d38efd102b2bf18deeeed7bd1a30c0
  SHA512: 830259b06dc26197eb5bff1d12cc490a2813bf15ce99b2eb8fa3a61586d0cf613f5ba81fe120be8350ac7f27841633c74a97add2c33591952a0060404249c89c