Analysis
- max time kernel: 148s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-07-2024 00:56
Behavioral tasks (sample / resource)
- behavioral1: WezoAutoUP.exe / win7-20240705-en
- behavioral2: WezoAutoUP.exe / win10v2004-20240704-en
- behavioral3: culclientUp.exe / win7-20240704-en
- behavioral4: culclientUp.exe / win10v2004-20240704-en
- behavioral5: software.exe / win7-20240705-en
- behavioral6: software.exe / win10v2004-20240704-en
- behavioral7: vncDbnt.exe / win7-20240508-en
- behavioral8: vncDbnt.exe / win10v2004-20240704-en
- behavioral9: wzoptup.exe / win7-20240705-en
- behavioral10: wzoptup.exe / win10v2004-20240704-en
General
- Target: vncDbnt.exe
- Size: 329KB
- MD5: 3597cd93701c4505d035a34271e0b931
- SHA1: 63b311fd5f0d98166273e22ca8fb16c219d3ba07
- SHA256: acd89e772ca1bc9d3c69cff7430fa4bb921d4468d6115c57cade092944572eb3
- SHA512: 32175d64523038c480a21f609a036c1ed206a1b45eb986da6d20b8e2e1924aefe1eb93d66c1bcd03334e8c126df40d272f0e4e02397ed16db167d3994738a6a3
- SSDEEP: 6144:J68oipnnK9jqXEX52Ums+Tbxzbx9SmIqQyPodMUf8Dkzel6R8zHe1IX:ffnnK9zABs+TbFx9SXOPCf8DkqAR8zHN
Malware Config
Signatures
- YARA rule `upx` matched (signature heading not captured on the page). Processes/resources:
  - behavioral8/memory/3680-0-0x0000000000400000-0x00000000004D0000-memory.dmp
  - behavioral8/memory/3680-1-0x0000000000400000-0x00000000004D0000-memory.dmp
- AutoIT Executable (1 IoC): AutoIT scripts compiled to PE executables. YARA rule `autoit_exe` matched:
  - behavioral8/memory/3680-1-0x0000000000400000-0x00000000004D0000-memory.dmp
- Launches sc.exe (1 IoC): sc.exe is a Windows utility to control services on the system. Process:
  - sc.exe, PID 940
- Enumerates physical storage devices (1 TTP): Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (8 IoCs). Process:
  - vncDbnt.exe, PID 3680 (8 events)
- Suspicious use of WriteProcessMemory (6 IoCs). Processes:
  - PID 3680 (vncDbnt.exe) wrote to memory of PID 4868 (cmd.exe), 3 events
  - PID 4868 (cmd.exe) wrote to memory of PID 940 (sc.exe), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\vncDbnt.exe, PID 3680 (level 1)
  - command line: "C:\Users\Admin\AppData\Local\Temp\vncDbnt.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe, PID 4868 (level 2)
    - command line: C:\Windows\system32\cmd.exe /c sc delete DBNTser
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe, PID 940 (level 3)
      - command line: sc delete DBNTser
      - Launches sc.exe