Overview

overview

10

Static

static

3

wfc6setup.exe

windows7-x64

10

wfc6setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2024, 08:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wfc6setup.exe

  • Size

    3.5MB

  • MD5

    3d853bdadb5374a2787bbbbf7d9c77aa

  • SHA1

    a2179b6c2dee1ff8dbf5a3b2d5dfb490c3677882

  • SHA256

    4fecbca7a9831f0daff57f512abecdd1e9a99813adc0de5a7ce150a485e8a98f

  • SHA512

    097b9d766dd2c3849b2f8ed6b8e8fd1769c7be625a44efb325bde41aeafc7ab2f1e13a31d1319bc40e79b2c960fbe6e7e57415c19d77e18838dc81ced0fdc662

  • SSDEEP

    98304:sBoLHCWxrUBnsdmA/sR04TmVE4kqXf0Fyew7jJz11bB:sCLHCrBns/KPiV/kSIyeM1z7bB

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wfc6setup.exe
    "C:\Users\Admin\AppData\Local\Temp\wfc6setup.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3864
    • \??\c:\users\admin\appdata\local\temp\wfc6setup.exe 
      c:\users\admin\appdata\local\temp\wfc6setup.exe 
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1180
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1848
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4924
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3680
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3560
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4300

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\wfc6setup.exe 
    Filesize

    3.4MB

    MD5

    c987c099c664b77b1c6d4fe27c5a6ac0

    SHA1

    3c095da99fe50a9cedf626fe0b2cfb300235a6ef

    SHA256

    accb7d4ccd9e6c5c1988c1bfe8015b2e459e52b3f8a965bd086a4746000524e6

    SHA512

    bd0b3ca576e5984d63f7eec9f9283abe8c2eddaf637f934c8d9811ef301f7a1927a78a0ca548f22aa1aa78788f20334f0cb275fa4662935f3a1ddc58014ba6bf

    Download Submit

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize

    135KB

    MD5

    bb811c200fff212b7864af6177730790

    SHA1

    5b14d272cd8df4243c7b3f37ce356394df097916

    SHA256

    bbd3cd06c5e08814f1cb1f8482fb44dbbdc772d928637ddf3269c1e6d6a4d4e8

    SHA512

    aae2560ff8ed2d314595c0b1e197e2f5b727d1fa496e1df2ed90209fdeb585130ec6bbc48c2d23681ad9e4d41f1327daeb61c99dd5b9fbb2400be3fc8a1f852b

    Download Submit

  • C:\Windows\Resources\Themes\icsys.icn.exe
    Filesize

    135KB

    MD5

    bed1f5fabaec1d483bdba2f31e77843c

    SHA1

    6f0e7524cfa120837666ba321368f91c6b043917

    SHA256

    d20a723f539fe1ba2a7a475f469e5a017498b4ebe7dd7874583851e6a9fad5ce

    SHA512

    48c393759920c06190dbcf11916903ae98acc6df0b6e39a368aba303edc46daf848de5bf851b3da799356e61d5c194998cf8148a6098140594ff9f76c4fc3afa

    Download Submit

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    135KB

    MD5

    5d25d453681183ae02b63d035d9477e7

    SHA1

    cbba28e945e17c87bdd4754aa17d9d25764dbf49

    SHA256

    3ff3bb6127d71e3e91a04b93396d544e55e9de2d47b35f38706b084c4b1c1d13

    SHA512

    57af7c4e915d9f6702751e32e54e5647c4f43e7abba59aaacd7d9734d2dec07eb2b589216e051df9742335b1ed7bd7e07635eeb9fb39b6042fc0f1a41c26c059

    Download Submit

  • C:\Windows\Resources\svchost.exe
    Filesize

    135KB

    MD5

    7dab8870367e83a9dcdf34ca38aa34df

    SHA1

    445a998f56c27dc78d9ad1256dc9faa32149a26c

    SHA256

    9516703a0b9b8f99639f6ef4c33332ef6599cee891717c35005668eaf33f2586

    SHA512

    f244cfb8a39f2e9e3cb8035ae259ed933f2fd947da872679f2f275d47981e6cd0679539bfd859a768a907f712f61004a2ec469fdadac125fdb8f85c488cbe3e9

    Download Submit

  • memory/1180-55-0x00000253D19E0000-0x00000253D19E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1180-51-0x00007FFE6B870000-0x00007FFE6C331000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1180-14-0x00007FFE6B870000-0x00007FFE6C331000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1180-28-0x00000253D0000000-0x00000253D001C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1180-27-0x00000253D1A90000-0x00000253D1B4A000-memory.dmp

    Filesize

    744KB

    Download

  • memory/1180-31-0x00007FFE6B870000-0x00007FFE6C331000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1180-10-0x00000253B5710000-0x00000253B5A62000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1180-9-0x00007FFE6B873000-0x00007FFE6B875000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1180-60-0x00007FFE6B870000-0x00007FFE6C331000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1180-59-0x00007FFE6B870000-0x00007FFE6C331000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1180-58-0x00007FFE6B873000-0x00007FFE6B875000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1180-57-0x00000253D1D50000-0x00000253D1D5E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1180-56-0x00000253D1D80000-0x00000253D1DB8000-memory.dmp

    Filesize

    224KB

    Download

  • memory/1848-15-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1848-53-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3560-62-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3680-52-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3864-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3864-54-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4300-50-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4924-61-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download