be140690fd1dc3adefa0d6669de51c016d009d3b1bd73313a7d8cab2665cc42c

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 15:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

WhatsApp-win8.exe
Size

2.8MB
MD5

6835069cc939ed7b02c499a2574acf8c
SHA1

df0a3d636fdc219f9dde29dc4eb683442563aabc
SHA256

be140690fd1dc3adefa0d6669de51c016d009d3b1bd73313a7d8cab2665cc42c
SHA512

f6275d9a29eeb7289bf077b7436d97e14836355ff76002d7ae61025a8c03df440e801de742cdd412bdf8031c8d88584958ec98287bc2a4c8331a64bc1b7d89c2
SSDEEP

49152:jV9joZnbCvivTLM4tB5HfzhovA/nGFDll1+KAP7bCCB7VVgLZR:B9joZnbCa15VucQt+u4gLL

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\anim.gif	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\img\logo-offer.png	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\vid-14.txt	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\img\master-logo.png	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\last-page.html	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\anim.gif	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\gtec.vbs	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\icons.ico	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\gtec.vbs	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\img\log-game.png	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\last-page.html	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\img	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\mhE5DGn.exe	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\start.hta	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\icon.ico	mshta.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\gam-page.html	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\icon.ico	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\icon.png	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\img\master-logo.png	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\start.hta	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\gam-page.html	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\img\log-game.png	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\img\DirectX-9-001-min.png	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\img\logo-offer.png	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\setup.exe	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\__tmp_rar_sfx_access_check_259430021	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\gteb.vbs	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\img\DirectX-9-001-min.png	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\icon.ico	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\icon.png	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\ya-page.html	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\icons.ico	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\mhE5DGn.exe	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\setup.exe	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\vid-14.txt	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\ya-page.html	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\gtea.vbs	WhatsApp-win8.exe
File opened for modification	C:\Program Files (x86)\WhatsApp-win8\gtea.vbs	WhatsApp-win8.exe
File created	C:\Program Files (x86)\WhatsApp-win8\gteb.vbs	WhatsApp-win8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WhatsApp-win8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2900	2408	WhatsApp-win8.exe	30
PID 2408 wrote to memory of 2900	2408	WhatsApp-win8.exe	30
PID 2408 wrote to memory of 2900	2408	WhatsApp-win8.exe	30
PID 2408 wrote to memory of 2900	2408	WhatsApp-win8.exe	30
PID 2408 wrote to memory of 2900	2408	WhatsApp-win8.exe	30
PID 2408 wrote to memory of 2900	2408	WhatsApp-win8.exe	30
PID 2408 wrote to memory of 2900	2408	WhatsApp-win8.exe	30

C:\Users\Admin\AppData\Local\Temp\WhatsApp-win8.exe
"C:\Users\Admin\AppData\Local\Temp\WhatsApp-win8.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\WhatsApp-win8\start.hta"
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WhatsApp-win8\icon.ico

Filesize
105KB

MD5
c987932e92cc5e1d661858cb6c3ad487

SHA1
18a3ff5f316b8380b599e0728c114871f6bedddc

SHA256
74fa8ed3bdece00a0af48a6903b726a1208cfe9d14baf70586ea9c9755c3aac8

SHA512
a5bf7348db7395ae2f0cc0dea6590a50f1cff5de5b4697516171eaae7b29f6b1f2b071a362006d76a009c05fc7aaada859093976bacf48f6c7d392a899a04858

Download Submit
C:\Program Files (x86)\WhatsApp-win8\img\master-logo.png

Filesize
31KB

MD5
fcbe684b2c8944506b3b15b3dc460ac2

SHA1
a752852e143f811c0693a1763472152014171793

SHA256
1ad898de89db555ea34c1eaa0fa5756613012d424da3c8e3e93009f8ce885490

SHA512
43bd8bc86b31164dfcf690c9e60455b1ba567cac77110956581cacfe0b76eeb119b24642bc7c38b97a26ca830b75481ada590516f7cab762af174d7040fb5295

Download Submit
C:\Program Files (x86)\WhatsApp-win8\start.hta

Filesize
3KB

MD5
f44b4a1b4b47f2107ff2a33c303f79a1

SHA1
94f9b5d5ab2425da5c537c0378380d2af7ba4770

SHA256
d4c44a1b86a179c82cef99a19d346081f816f318c20355719ba43c3e87ff7fc7

SHA512
32515c42d8cc3d1248c9f559cddd53429750ae7b3823910cef1c5cbcc73f2774bd88320c5f93f8d25bd8b337885c3528332fa7b3b645b5403a941267af7f939d

Download Submit