6580ba559132e13759f8450b811b42f0b04aa14a75bcddb1efc9227d5baf1e9a

General

Target

WiiBackupManager_Build73.zip
Size

7.2MB
MD5

b57b36543a4096321d946e59ad87e0c5
SHA1

a604e4ed10d1b6da86a94ec35128a5494432506e
SHA256

6580ba559132e13759f8450b811b42f0b04aa14a75bcddb1efc9227d5baf1e9a
SHA512

ea30141d9f960a61844a6c5c4dcb806babefdba4adbc519d04659a1e9d85d7019bf428555ed8fa14c2e2bd4afd0075747c42a0e1d6f3c08f5fbca2713e168e40
SSDEEP

196608:hZfN+iDR79YZP4T0GK1VH1gViL40shIYwioyo0:XN+aR79YZP44GK1iiL40Qwio0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

WiiBackupManager_Win64.exeWiiBackupManager_Win32.exe

pid process

2892 WiiBackupManager_Win64.exe
2372 WiiBackupManager_Win32.exe
Loads dropped DLL 1 IoCs

Processes:

7zFM.exe

pid process

2284 7zFM.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

WiiBackupManager_Win32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WiiBackupManager_Win32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7zFM.exe

pid process

2284 7zFM.exe
2284 7zFM.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2284 7zFM.exe

pid	process
2892	WiiBackupManager_Win64.exe
2372	WiiBackupManager_Win32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WiiBackupManager_Win32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zFM.exe

description	pid	process
Token: SeRestorePrivilege	2284	7zFM.exe
Token: 35	2284	7zFM.exe
Token: SeSecurityPrivilege	2284	7zFM.exe
Token: SeSecurityPrivilege	2284	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exeWiiBackupManager_Win64.exe

pid	process
2284	7zFM.exe
2284	7zFM.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe
2892	WiiBackupManager_Win64.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

7zFM.exe

description	pid	process	target process
PID 2284 wrote to memory of 2892	2284	7zFM.exe	WiiBackupManager_Win64.exe
PID 2284 wrote to memory of 2892	2284	7zFM.exe	WiiBackupManager_Win64.exe
PID 2284 wrote to memory of 2892	2284	7zFM.exe	WiiBackupManager_Win64.exe
PID 2284 wrote to memory of 2372	2284	7zFM.exe	WiiBackupManager_Win32.exe
PID 2284 wrote to memory of 2372	2284	7zFM.exe	WiiBackupManager_Win32.exe
PID 2284 wrote to memory of 2372	2284	7zFM.exe	WiiBackupManager_Win32.exe
PID 2284 wrote to memory of 2372	2284	7zFM.exe	WiiBackupManager_Win32.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\WiiBackupManager_Build73.zip"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\7zOCE8340B6\WiiBackupManager_Win64.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCE8340B6\WiiBackupManager_Win64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\7zOCE89BFE6\WiiBackupManager_Win32.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCE89BFE6\WiiBackupManager_Win32.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOCE8340B6\settings.ini

Filesize
2KB

MD5
6d6988f87dc5fd27c07c72af685b8355

SHA1
c373a476ad9e205a9ad0a44b42eafad925c9af7b

SHA256
ab022888e5cc0a379a8c2aeaea6f5fca5b3ef7e494cb557b2e55be90c0f21540

SHA512
de816fe379bb32930d07dd58f2db76d960dde0cc09a2385faa5e8898da7b32deecc3cfa7d025066a17cf668ccc22cbbf9c826f08bf772b97ebea237e24290565

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCE89BFE6\WiiBackupManager_Win32.exe

Filesize
5.1MB

MD5
c4a9cc2fce5019b49604bba379d98669

SHA1
b8082876c1b6c917c3000115afb16b7d7c13c427

SHA256
d7df55fcd9edfec382a86027af8fcf3930a9861f28bf8927f7c17983ce9eded1

SHA512
f5fbab3f61e33e914ee2ffc11f02b98be00b891f4dd26e85a9b38f3d7f048f6c6a3637e9472bf175c03147d9b19d58aa7df82ef939e459ae35dbe812d07818fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCE89BFE6\settings.ini

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zOCE8340B6\WiiBackupManager_Win64.exe

Filesize
7.5MB

MD5
253bb67c0e1d15bd853d8bc246d950be

SHA1
bdfe87d29457a8ddd9830df3e115d70c899b1aa4

SHA256
4977338857a0febf812741e52362a43ae7ed39839772c764c5094c2ced037ad8

SHA512
a8d72df08a80ac2285fac116dc42ee6cd9281cd55f750691cd058a4821aaf6b8c150bd9b07f723066614d602c17bf33552a1b6eb41b6d29a87cfd014f1dae46e

Download Submit
memory/2372-247-0x0000000000400000-0x00000000009C5000-memory.dmp

Filesize
5.8MB

Download
memory/2892-121-0x0000000000400000-0x0000000000C22000-memory.dmp

Filesize
8.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads