035a82de22713080aa43c483c1c1cef63b827bd575a0486996f3a70ce5477e49

Analysis

max time kernel
120s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Immortal Woofer.exe
Size

151.1MB
MD5

b3a420741d0c3ef020daa5332bcba7b6
SHA1

fab88334908bd6ac99ae2e98c7aa7b7412ebfc7d
SHA256

035a82de22713080aa43c483c1c1cef63b827bd575a0486996f3a70ce5477e49
SHA512

12b7af549557e9b705d4a11bdc023dcd2cab2dcb8673bb359a2ccfa284567f17fa9e97142352f416bc2b0edf198e56d900c69644198822fb16205fc98282f8e6
SSDEEP

786432:UPKYRuO3mOTgbr/skQsh/SgaNkbks5GoE3yKZ1fX36n:UPKCuO3mSgfkCKqksYoE3ySA

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Immortal Woofer.exe

Executes dropped EXE 1 IoCs

pid	Process
1356	LOADER_HERE.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\IME\serial_checker.bat	Immortal Woofer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Immortal Woofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Immortal Woofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Immortal Woofer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2760	WMIC.exe
Token: SeSecurityPrivilege	2760	WMIC.exe
Token: SeTakeOwnershipPrivilege	2760	WMIC.exe
Token: SeLoadDriverPrivilege	2760	WMIC.exe
Token: SeSystemProfilePrivilege	2760	WMIC.exe
Token: SeSystemtimePrivilege	2760	WMIC.exe
Token: SeProfSingleProcessPrivilege	2760	WMIC.exe
Token: SeIncBasePriorityPrivilege	2760	WMIC.exe
Token: SeCreatePagefilePrivilege	2760	WMIC.exe
Token: SeBackupPrivilege	2760	WMIC.exe
Token: SeRestorePrivilege	2760	WMIC.exe
Token: SeShutdownPrivilege	2760	WMIC.exe
Token: SeDebugPrivilege	2760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2760	WMIC.exe
Token: SeRemoteShutdownPrivilege	2760	WMIC.exe
Token: SeUndockPrivilege	2760	WMIC.exe
Token: SeManageVolumePrivilege	2760	WMIC.exe
Token: 33	2760	WMIC.exe
Token: 34	2760	WMIC.exe
Token: 35	2760	WMIC.exe
Token: 36	2760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2760	WMIC.exe
Token: SeSecurityPrivilege	2760	WMIC.exe
Token: SeTakeOwnershipPrivilege	2760	WMIC.exe
Token: SeLoadDriverPrivilege	2760	WMIC.exe
Token: SeSystemProfilePrivilege	2760	WMIC.exe
Token: SeSystemtimePrivilege	2760	WMIC.exe
Token: SeProfSingleProcessPrivilege	2760	WMIC.exe
Token: SeIncBasePriorityPrivilege	2760	WMIC.exe
Token: SeCreatePagefilePrivilege	2760	WMIC.exe
Token: SeBackupPrivilege	2760	WMIC.exe
Token: SeRestorePrivilege	2760	WMIC.exe
Token: SeShutdownPrivilege	2760	WMIC.exe
Token: SeDebugPrivilege	2760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2760	WMIC.exe
Token: SeRemoteShutdownPrivilege	2760	WMIC.exe
Token: SeUndockPrivilege	2760	WMIC.exe
Token: SeManageVolumePrivilege	2760	WMIC.exe
Token: 33	2760	WMIC.exe
Token: 34	2760	WMIC.exe
Token: 35	2760	WMIC.exe
Token: 36	2760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	960	WMIC.exe
Token: SeSecurityPrivilege	960	WMIC.exe
Token: SeTakeOwnershipPrivilege	960	WMIC.exe
Token: SeLoadDriverPrivilege	960	WMIC.exe
Token: SeSystemProfilePrivilege	960	WMIC.exe
Token: SeSystemtimePrivilege	960	WMIC.exe
Token: SeProfSingleProcessPrivilege	960	WMIC.exe
Token: SeIncBasePriorityPrivilege	960	WMIC.exe
Token: SeCreatePagefilePrivilege	960	WMIC.exe
Token: SeBackupPrivilege	960	WMIC.exe
Token: SeRestorePrivilege	960	WMIC.exe
Token: SeShutdownPrivilege	960	WMIC.exe
Token: SeDebugPrivilege	960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	960	WMIC.exe
Token: SeRemoteShutdownPrivilege	960	WMIC.exe
Token: SeUndockPrivilege	960	WMIC.exe
Token: SeManageVolumePrivilege	960	WMIC.exe
Token: 33	960	WMIC.exe
Token: 34	960	WMIC.exe
Token: 35	960	WMIC.exe
Token: 36	960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	960	WMIC.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 1356	3256	Immortal Woofer.exe	96
PID 3256 wrote to memory of 1356	3256	Immortal Woofer.exe	96
PID 3256 wrote to memory of 3324	3256	Immortal Woofer.exe	98
PID 3256 wrote to memory of 3324	3256	Immortal Woofer.exe	98
PID 3324 wrote to memory of 2760	3324	cmd.exe	100
PID 3324 wrote to memory of 2760	3324	cmd.exe	100
PID 3324 wrote to memory of 960	3324	cmd.exe	101
PID 3324 wrote to memory of 960	3324	cmd.exe	101
PID 3324 wrote to memory of 2824	3324	cmd.exe	102
PID 3324 wrote to memory of 2824	3324	cmd.exe	102
PID 3324 wrote to memory of 4108	3324	cmd.exe	103
PID 3324 wrote to memory of 4108	3324	cmd.exe	103
PID 3324 wrote to memory of 2980	3324	cmd.exe	104
PID 3324 wrote to memory of 2980	3324	cmd.exe	104
PID 3324 wrote to memory of 1960	3324	cmd.exe	105
PID 3324 wrote to memory of 1960	3324	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\Immortal Woofer.exe
"C:\Users\Admin\AppData\Local\Temp\Immortal Woofer.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe
  "C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe" C:\Users\Admin\AppData\Local\Temp\gay.sys
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\IME\serial_checker.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get model, serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    PID:2824
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:4108
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:2980
- - C:\Windows\system32\getmac.exe
    getmac
    3⤵
    PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe

Filesize
534KB

MD5
cd4d08af76e7614f46bc853cf82cebc6

SHA1
94e75dac14976227c1c33ae48866e820db52aa1a

SHA256
f03d6b156974af96b66b3913bbcdf49609720f37f2e69c4222c2d0920f442f58

SHA512
b24396f3973156d8aef58203a0bcf1d542362e8591509e054488d6562fcf60e3cd628db0252a45ead220b4c7e82f065092e8a6145fcbfc399b4ca86f17084d99

Download Submit
C:\Windows\IME\serial_checker.bat

Filesize
456B

MD5
cafc57aca6d10f9dcdc9d3aec9a35b72

SHA1
2e0e30ac79878b3d4d326f00735aaa7ff4b4a3df

SHA256
1c63492020872da13d2b35aa8eb02517376e1a7391bfaa1584d828bd5aa916ad

SHA512
d0e14f1eb2077b455f0a42a60b37c625badae4084734ce0e050e992a7b759d969c6d86e2be49ae20712c70c2453cb9efd3de8cb8124f0b489826f8f80f93fb95

Download Submit
memory/1356-7-0x00007FF6E7F40000-0x00007FF6E7FF3000-memory.dmp

Filesize
716KB

Download
memory/1356-9-0x00007FF6E7F40000-0x00007FF6E7FF3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads