cf9ad4a41c8958ef4c82b4447c76a444f2c6d71eb73dc59e73be05d889e0a713

General

Target

WeMod-9.7.0.exe
Size

118.3MB
MD5

6435e124fd689303deb2147ed6b5fc8f
SHA1

ec62cc78ab662203c4808dec7e7978a5b5d37323
SHA256

cf9ad4a41c8958ef4c82b4447c76a444f2c6d71eb73dc59e73be05d889e0a713
SHA512

33c0644733a2594dcfc8c59d41132a819e64588021aaf0bd70887afa3dee103e4622cc39da9b1f31b54f14206b37695207efb16063ecfac4598bc981452bf2c1
SSDEEP

3145728:j8oAgD2JQ5H3ry8W/3irQ9QMacIKhDPFMTSp6HpCqQ6KjY2I:jF9J5zFMDNtP2g6HpCH6oA

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2292	Update.exe
2812	Squirrel.exe
1344	WeMod.exe
2840	WeMod.exe

Loads dropped DLL 3 IoCs

pid	Process
3036	WeMod-9.7.0.exe
2292	Update.exe
2292	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeMod-9.7.0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3036	WeMod-9.7.0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2292	Update.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2292	3036	WeMod-9.7.0.exe	31
PID 3036 wrote to memory of 2292	3036	WeMod-9.7.0.exe	31
PID 3036 wrote to memory of 2292	3036	WeMod-9.7.0.exe	31
PID 3036 wrote to memory of 2292	3036	WeMod-9.7.0.exe	31
PID 2292 wrote to memory of 2812	2292	Update.exe	32
PID 2292 wrote to memory of 2812	2292	Update.exe	32
PID 2292 wrote to memory of 2812	2292	Update.exe	32

C:\Users\Admin\AppData\Local\Temp\WeMod-9.7.0.exe
"C:\Users\Admin\AppData\Local\Temp\WeMod-9.7.0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\Squirrel.exe
    "C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:2812
- - C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe
    "C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe" --squirrel-install 9.7.0
    3⤵
    - Executes dropped EXE
    PID:1344
- - C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe
    "C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\WeMod.exe" --squirrel-firstrun
    3⤵
    - Executes dropped EXE
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
76B

MD5
6064234dc967f51b0389d434aad3a879

SHA1
f9bee77196a36be1560925b4ceb05a613243f7a7

SHA256
9203a73e16d55099e88ed50c8d948bd9f8412bf3e4ac3b9bdc96719bd627d3a0

SHA512
8f221c23abfe6cf68e80401947208d7d07e5651a5443d16decbf5773f28f89006210c4b1bac5a26b41b160630fd6cc16a909100ea39f7aafc631e8bc450e8347

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
cf6fbcbc1ff6007ef79fbd5a627d79cf

SHA1
57ee99cad3f0bd5632a709078dcb0afdf91efbee

SHA256
85b55f7da5a008707e197cf9fbcdd7ac53b286cbb2c54a3ecb9c360e033d07c8

SHA512
956a0b6110471bebb948f5ad22562a0e76a80ca6cdce22073e5bbcb4723bb1c4f3e37c800e252ba71172c467bdfdbb50150827a7dfb8e829c39063469dd0db39

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
21KB

MD5
1d0394cf33c9bdf438c3b05fe4b8c617

SHA1
8b04090dc8ae8982247575680988a6fc037f61fc

SHA256
4762c5c406920b9b28f567859d3eef8623b6484166e43b33c7a04cd0f0684dfe

SHA512
7c3e92906159a6cb5ed1dde26d5ead5e4bb6f24219bf070c45c787851f17ed329e8074a634dd964026b691c8b0f568c66aa736ad0e04df0fa32306f565bcb95b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
24KB

MD5
e2fc5f7c4e479982f270a6d9daeaa7b9

SHA1
e6b2f2c381d64b588d80fc2d7754515972ca48ec

SHA256
9be0f7268db367235d785653b7da1cec8374bee92c42732299f7193f430edb1c

SHA512
42d657ac14903eccaa037e1b8e554b2f3a2ca1066dc23ca7f32f3fcc0da8714ad1c0f2cd295b1f65a9a9f4f7bda2bab2d1991cf07bf72c5b829668d2b92cfd5e

Download Submit
C:\Users\Admin\AppData\Local\WeMod\app-9.7.0\squirrel.exe

Filesize
1.8MB

MD5
0a0885335047729ac72be42e0772a836

SHA1
946d9d40d2d60238c225b9c1a28af25faf27410e

SHA256
4be10958f8c53ebcf94622cdac1200ca97947aa365e346c8611818145a3f6c91

SHA512
fec4b79894241e438ba4e12f099398a67f6e2714d0331dbb44d55b6b4af267c1da36c9571b650b3ddafc9b3e2fddefe140bc1394da29af5ea7f69d7887f3d77c

Download Submit
memory/2292-9-0x0000000001260000-0x0000000001436000-memory.dmp

Filesize
1.8MB

Download
memory/2292-135-0x0000000001190000-0x000000000119A000-memory.dmp

Filesize
40KB

Download
memory/2292-134-0x0000000001190000-0x000000000119A000-memory.dmp

Filesize
40KB

Download
memory/2292-136-0x0000000001190000-0x000000000119A000-memory.dmp

Filesize
40KB

Download
memory/2812-118-0x0000000000FE0000-0x00000000011BC000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing