9baf5d36bae5a408043b34c8260050deb27ef8d51bac0a612952504d392e51a3

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WhatsAppSetup_x86.exe
Size

120.5MB
MD5

ff0a595a50e3ccb3182214f38c6e695a
SHA1

ddcd8d47a665587ebb56ac260c56ea39da5922f2
SHA256

9baf5d36bae5a408043b34c8260050deb27ef8d51bac0a612952504d392e51a3
SHA512

e3a8e38de8716a77427f91c04d7ec4d258dae4182fc437706ef556669eb65485b85a300772872dfc59d1f4b583d3e558e6dd61a4140344da39064688a6e29e35
SSDEEP

3145728:kz3DNC1uH8j8ejicMKClHYVsEgUCpqf7v7eE8pMd46UNrOCYQ:kz38j8MQcsfRp+IMd46arDYQ

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2692	Update.exe
640	Squirrel.exe
1472	WhatsApp.exe
2096	WhatsApp.exe
2220	WhatsApp.exe
1464	Update.exe

Loads dropped DLL 19 IoCs

pid	Process
3008	WhatsAppSetup_x86.exe
2692	Update.exe
2692	Update.exe
2692	Update.exe
2692	Update.exe
2692	Update.exe
2692	Update.exe
1472	WhatsApp.exe
1472	WhatsApp.exe
2096	WhatsApp.exe
2220	WhatsApp.exe
1472	WhatsApp.exe
2220	WhatsApp.exe
2220	WhatsApp.exe
2220	WhatsApp.exe
1464	Update.exe
1464	Update.exe
1464	Update.exe
1464	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\whatsapp	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\whatsapp\	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\whatsapp	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1224	reg.exe
2428	reg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2692	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2692	3008	WhatsAppSetup_x86.exe	28
PID 3008 wrote to memory of 2692	3008	WhatsAppSetup_x86.exe	28
PID 3008 wrote to memory of 2692	3008	WhatsAppSetup_x86.exe	28
PID 3008 wrote to memory of 2692	3008	WhatsAppSetup_x86.exe	28
PID 3008 wrote to memory of 2692	3008	WhatsAppSetup_x86.exe	28
PID 3008 wrote to memory of 2692	3008	WhatsAppSetup_x86.exe	28
PID 3008 wrote to memory of 2692	3008	WhatsAppSetup_x86.exe	28
PID 2692 wrote to memory of 640	2692	Update.exe	29
PID 2692 wrote to memory of 640	2692	Update.exe	29
PID 2692 wrote to memory of 640	2692	Update.exe	29
PID 2692 wrote to memory of 640	2692	Update.exe	29
PID 2692 wrote to memory of 1472	2692	Update.exe	30
PID 2692 wrote to memory of 1472	2692	Update.exe	30
PID 2692 wrote to memory of 1472	2692	Update.exe	30
PID 2692 wrote to memory of 1472	2692	Update.exe	30
PID 1472 wrote to memory of 1224	1472	WhatsApp.exe	31
PID 1472 wrote to memory of 1224	1472	WhatsApp.exe	31
PID 1472 wrote to memory of 1224	1472	WhatsApp.exe	31
PID 1472 wrote to memory of 1224	1472	WhatsApp.exe	31
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2096	1472	WhatsApp.exe	34
PID 1472 wrote to memory of 2096	1472	WhatsApp.exe	34
PID 1472 wrote to memory of 2096	1472	WhatsApp.exe	34
PID 1472 wrote to memory of 2096	1472	WhatsApp.exe	34
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33
PID 1472 wrote to memory of 2220	1472	WhatsApp.exe	33

C:\Users\Admin\AppData\Local\Temp\WhatsAppSetup_x86.exe
"C:\Users\Admin\AppData\Local\Temp\WhatsAppSetup_x86.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\Squirrel.exe
    "C:\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:640
- - C:\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\WhatsApp.exe
    "C:\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\WhatsApp.exe" --squirrel-install 2.2326.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe ADD HKCU\Software\Classes\whatsapp /f
      4⤵
      Modifies registry class
      Modifies registry key
      PID:1224
  - - C:\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\WhatsApp.exe
      "C:\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\WhatsApp.exe" --type=gpu-process --field-trial-handle=1152,5960130728371633434,5124971212976826027,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1160 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2220
  - - C:\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\WhatsApp.exe
      C:\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\WhatsApp.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\WhatsApp /prefetch:7 --no-rate-limit --no-upload-gzip --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\WhatsApp\Crashpad --url=https://crashlogs.whatsapp.net/wa_clb_data?access_token=1063127757113399%7C745146ffa34413f9dbb5469f5370b7af --annotation=_productName=WhatsApp --annotation=_version=2.2326.10 --annotation=prod=Electron --annotation=ver=13.6.9 --initial-client-data=0x52c,0x530,0x534,0x528,0x538,0x7e49820,0x7e49830,0x7e4983c
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2096
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe DELETE HKCU\Software\Classes\whatsapp /f
      4⤵
      Modifies registry class
      Modifies registry key
      PID:2428
  - - C:\Users\Admin\AppData\Local\WhatsApp\Update.exe
      C:\Users\Admin\AppData\Local\WhatsApp\Update.exe --createShortcut=WhatsApp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
83B

MD5
d806aa9def19bc284f7d4300a6ab5c31

SHA1
8ceef0e597d83ca90d8bbf038f3d3276a126e966

SHA256
eab1e22fca7c3fccd00d77967f17168585d53de3a3ad507fba173de365d00d60

SHA512
6f85a0659f61c1c35449ee305f39b5bb034fc4db2e7459e0847cd32a42e5b99d8ef30601c97265afa0f0cf01aff70f731ed959980fabdb6228c2068a108cbe86

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
281KB

MD5
c2b791fcfe8b61dc9aef10c467832048

SHA1
835494a5fd357cf2dcae0c927cdcaae983ba194a

SHA256
866f78e9297e7fbc8211c8143d7b3a77b71896f1508eecee23fce6d542803273

SHA512
c042d9479056223eac684644f284d7fcdc1824b30a3680211afc2cf57a4aefe5212f6b4d91dbfc31b1b05b0cf3ab11aca0b33d5f31aa5bfee77d136a622444ce

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
561KB

MD5
005bca3b0937698d28cc03c655441a54

SHA1
41c0165c66231c8dc8cdb531fcdf65452b4b99a2

SHA256
e0ebb6994063501a61cd67de56ecd83f174cdc9e2d8b513abd62d9cceb60261d

SHA512
487295b0d2391c5f456af3815e56aef4703043c7e2c786f0c08732c00509402fa49e40ffe13f5af0e5f798762e44660f4b0fd846cc35436fcd16da393c087311

Download Submit
C:\Users\Admin\AppData\Local\WhatsApp\WhatsApp.exe

Filesize
819KB

MD5
60dc5e9831c8d036463048bac141b520

SHA1
d8a56bc0d8f6084d99f8f03900a7e211377165d2

SHA256
35b883bd25631c7a5b75bc55db1fe37e4b0ab049ce01d0c89201ff27b598261b

SHA512
5a1ee2dd7fcd5929f83e51c9c8c50f23382e4836ca8c36fd3f40241eeaf3767070af2fb6a59528c42bdb89c2415bf83988ab9dbd810ae834f6af7b6f3d8af1f4

Download Submit
C:\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\chrome_100_percent.pak

Filesize
138KB

MD5
03aaa4f8525ba4b3e30d2a02cb40ab7a

SHA1
dd9ae5f8b56d317c71d0a0a738f5d4a320a02085

SHA256
c3f131faeefab4f506bf61c4b7752a6481f320429731d758ef5413a2f71441f7

SHA512
c89a1b89b669602ba7c8bf2c004755cac7320189603fecb4f4c5cf7a36db72da651c7b613607146f0c6da9eec5df412c7fba75475352192351c02aebdaa7d9a9

Download Submit
C:\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\chrome_200_percent.pak

Filesize
202KB

MD5
7d4f330a5443eadf32e041c63e7e70ad

SHA1
26ce6fb98c0f28f508d7b88cf94a442b81e80c88

SHA256
b8704be578e7396ee3f2188d0c87d0ede5c5702e9bb8c841b5f8d458abf1356d

SHA512
f1b9b0dd7396863aa0feca06175b7f9ea0be4122351ecf0a0549ee4c34f85ac8c63cc927d7409a40b6e19fa91d2cb00a145616ba19f47045b2345bfbc2d4802d

Download Submit
C:\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\icudtl.dat

Filesize
9.9MB

MD5
80a7528515595d8b0bf99a477a7eff0d

SHA1
fde9a195fc5a6a23ec82b8594f958cfcf3159437

SHA256
6e0b6b0d9e14c905f2278dbf25b7bb58cc0622b7680e3b6ff617a1d42348736b

SHA512
c8df47a00f7b2472d272a26b3600b7e82be7ca22526d6453901ff06370b3abb66328655868db9d4e0a11dcba02e3788cc4883261fd9a7d3e521577dde1b88459

Download Submit
C:\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\locales\en-US.pak

Filesize
88KB

MD5
af5c77e1d94dc4f772cb641bd310bc87

SHA1
0ceeb456e2601e22d873250bcc713bab573f2247

SHA256
781ef5aa8dce072a3e7732f39a7e991c497c70bfaec2264369d0d790ab7660a4

SHA512
8c3217b7d9b529d00785c7a1b2417a3297c234dec8383709c89c7ff9296f8ed4e9e6184e4304838edc5b4da9c9c3fe329b792c462e48b7175250ea3ea3acc70c

Download Submit
C:\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\resources.pak

Filesize
4.9MB

MD5
91f8a4b158df6967163ccbbe765e095a

SHA1
95db67f0a2352fd898f4a4cfdfc860f6a9c58c87

SHA256
a30b8269e588c6cc2cea5fd4685da3012fd10451edb59a283005116f8e033182

SHA512
6450d75d53f24d11e1c1e7e3cacfc57ee9dd09c00ca0dc2ff30f580b59a6b17e7ad7d96682195bd7d806b49068653538c77ca4200491560cecff128a0b012d92

Download Submit
C:\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\v8_context_snapshot.bin

Filesize
161KB

MD5
d88d23551a4d7230f98fe0cbd363695b

SHA1
8e28eb4153e00aa5345bdb539b925a777588a26b

SHA256
72c3c123f10eb6e24c83ee40727a3a632cf7a8b062a3b7c7b41db4bfeda52ce4

SHA512
ea757e91c7cfc766b35da226263e82646f5b1153b8800c5cd69321d98b6d424413dcd7a02413a6a0e2f34905daf84bd21302b7ad58f2ebd814a7ac0a92b9d284

Download Submit
C:\Users\Admin\AppData\Roaming\WhatsApp\Crashpad\settings.dat

Filesize
40B

MD5
f42f80eaf2651ab4309e9536c1840ead

SHA1
72483d0be87b792f7e0b6677269550a8c8815d4d

SHA256
270f44b0c798ccad7ff24d21d5f810e210ac52399bd41add0240e5cb9449ffd2

SHA512
aeb50128b7fd59c8a12d7cfda632ce559ddce448fc184ee3d5748a9edc991f58890939ac8bf7e364fa8b0a47d4b5884e1e8bb267a713b405015ad9ad8bb96ffa

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
e145594ae1d98562cabcfb87bcba1dbd

SHA1
a13ff1a0e53ab9c5294cf873faf4771f3844313a

SHA256
9fe75c343733e4fa1375b64888f44671094c0715058c4e00da0cc80af626f581

SHA512
5274330d32bc627d0cd4aab462be97e3e1fb9eced2ea30a5b360dda1fbf67a11d8cc9fb197e17fb99fc481bc1f34d13997887c692ddef214c03f3c8c5accb443

Download Submit
\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\d3dcompiler_47.dll

Filesize
3.5MB

MD5
2f2e363c9a9baa0a9626db374cc4e8a4

SHA1
17f405e81e5fce4c5a02ca049f7bd48b31674c8f

SHA256
2630f4188bd2ea5451ca61d83869bf7068a4f0440401c949a9feb9fb476e15df

SHA512
e668a5d1f5e6f821ebfa0913e201f0dfd8da2f96605701f8db18d14ea4fdeac73aeb9b4fe1f22eaeffcdd1c0f73a6701763727d5b09775666f82b678404e4924

Download Submit
\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\ffmpeg.dll

Filesize
2.5MB

MD5
d5f66050a5172d9af14e199186387a26

SHA1
ec5a13c4ef26931cbcbd60fdf66a45e1d18ab1db

SHA256
c24915b1446c87712480da828f6d734c5f31800238a49b5fab2ce4da8ad53bf9

SHA512
6006b69fe9930c9bd42b83d23e43a0d1f824db8ec3b9b9c295216827928edc7372540a1e156570809b1923c0df871880d3bff35f70df923f5f6bc4b36bdc4387

Download Submit
\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\libEGL.dll

Filesize
356KB

MD5
7096608398917d60d61309979ecca86c

SHA1
7709f42fbee2946536534e36fd5275614ef64748

SHA256
b3912ebeebfe340ab16104b472187747b33132a61e7def9d4b7760545114ed0a

SHA512
7da258e9791687348572fa04ffbb4bb9aefd50d160d7512174c99a52b0639fb50674e19570e9569c4fb61580c772c5914f7cb0483855aaf95f27511d9d45f13e

Download Submit
\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\libGLESv2.dll

Filesize
6.6MB

MD5
371be34a87ff4bdb8a5988f2a2d17cf9

SHA1
afacbd14adb0c55489cdedbc79e84603057d2409

SHA256
6669c79e34ce090c3b2b51967c47d0892738c7aa1e2865cdbc44727da80b9314

SHA512
cadcc25628f6d1589ae0533eca47aee1241def747d1703d5b2f907b1f945c350f2f353416c33b381521c539edd3cd6f95a88958b902d6c8896916a3b9b0583cf

Download Submit
\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node

Filesize
493KB

MD5
49748bd51fc6a11dbf846dceff3987de

SHA1
805538e60bd3795c16f00df91079d9b1449ceeb2

SHA256
ab091baea8c8196a69d32891d2c381d4305aacc65c3b5cf2290b7a1cc89fcef7

SHA512
e4201647638cdaf8483c37ec39b9f0569d3967ba65634fc56a2e18de1d8056ee303655c23b9cc99d639c223501735f454a79e54fd5e8676d9f2e95ea5cea189d

Download Submit
\Users\Admin\AppData\Local\WhatsApp\app-2.2326.10\squirrel.exe

Filesize
2.3MB

MD5
33253de621a8087416d1a4935c340453

SHA1
dc5fd6e36a3fcdfb5008194c404b4a286a706c80

SHA256
9183c46196d369e42042bb2cffd0b3167dcc97d9c270f95dc4dbdd7d22df877a

SHA512
0f37029f3d04eefc1befa4696f1730d3a009c5e549f428f35344a3ff90ae2a41a1768ef5f285936851fc63871762565c6c4e203e8fe9d02516abd5948a07eb2c

Download Submit
memory/640-115-0x0000000000840000-0x0000000000A90000-memory.dmp

Filesize
2.3MB

Download
memory/1464-192-0x0000000000BA0000-0x0000000000D64000-memory.dmp

Filesize
1.8MB

Download
memory/2220-144-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/2692-122-0x00000000043D0000-0x00000000043DA000-memory.dmp

Filesize
40KB

Download
memory/2692-123-0x00000000043D0000-0x00000000043DA000-memory.dmp

Filesize
40KB

Download
memory/2692-10-0x0000000000C00000-0x0000000000DC4000-memory.dmp

Filesize
1.8MB

Download
memory/2692-215-0x00000000043D0000-0x00000000043DA000-memory.dmp

Filesize
40KB

Download