2b119ee66db938a37c5bccb33231d6191f4133f85d7821b528da472ad956f074

Resubmissions

12-02-2025 18:35

250212-w8q7caslem 10

21-11-2024 17:22

241121-vxkpratckb

Analysis

max time kernel
90s
max time network
102s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1732209192.0855865_wild things.exe
Size

8.2MB
MD5

8ed8ec80c361562570763ffe7ad288e0
SHA1

35b0d6ea2db03fef08242cdfb917be7d16ec6838
SHA256

2b119ee66db938a37c5bccb33231d6191f4133f85d7821b528da472ad956f074
SHA512

830ddd06b08d36991c732106ea51f52b28d7452d5a0c0d212b0820d918bc0ec3660f4bcf65e3357d13d937b987f39dffdc6cfea7120ac8a0b78a6b98e6a0a694
SSDEEP

196608:IMyy89Q/hEuO1DYBy/el2lGkQCvhw2db/dd+iK2wR/zkx:IMyvS/aJZjQCvhw6b/dd+iKzo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
396	Pi.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1168	tasklist.exe
4892	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\JoelMetallic	1732209192.0855865_wild things.exe
File opened for modification	C:\Windows\BlinkSamples	1732209192.0855865_wild things.exe
File opened for modification	C:\Windows\WhoClassifieds	1732209192.0855865_wild things.exe
File opened for modification	C:\Windows\DramaticMuseums	1732209192.0855865_wild things.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1732209192.0855865_wild things.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pi.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
396	Pi.com
396	Pi.com
396	Pi.com
396	Pi.com
396	Pi.com
396	Pi.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1168	tasklist.exe
Token: SeDebugPrivilege	4892	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
396	Pi.com
396	Pi.com
396	Pi.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
396	Pi.com
396	Pi.com
396	Pi.com

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 1792	4936	1732209192.0855865_wild things.exe	79
PID 4936 wrote to memory of 1792	4936	1732209192.0855865_wild things.exe	79
PID 4936 wrote to memory of 1792	4936	1732209192.0855865_wild things.exe	79
PID 1792 wrote to memory of 1168	1792	cmd.exe	82
PID 1792 wrote to memory of 1168	1792	cmd.exe	82
PID 1792 wrote to memory of 1168	1792	cmd.exe	82
PID 1792 wrote to memory of 4780	1792	cmd.exe	83
PID 1792 wrote to memory of 4780	1792	cmd.exe	83
PID 1792 wrote to memory of 4780	1792	cmd.exe	83
PID 1792 wrote to memory of 4892	1792	cmd.exe	85
PID 1792 wrote to memory of 4892	1792	cmd.exe	85
PID 1792 wrote to memory of 4892	1792	cmd.exe	85
PID 1792 wrote to memory of 2764	1792	cmd.exe	86
PID 1792 wrote to memory of 2764	1792	cmd.exe	86
PID 1792 wrote to memory of 2764	1792	cmd.exe	86
PID 1792 wrote to memory of 3904	1792	cmd.exe	87
PID 1792 wrote to memory of 3904	1792	cmd.exe	87
PID 1792 wrote to memory of 3904	1792	cmd.exe	87
PID 1792 wrote to memory of 2508	1792	cmd.exe	88
PID 1792 wrote to memory of 2508	1792	cmd.exe	88
PID 1792 wrote to memory of 2508	1792	cmd.exe	88
PID 1792 wrote to memory of 396	1792	cmd.exe	89
PID 1792 wrote to memory of 396	1792	cmd.exe	89
PID 1792 wrote to memory of 396	1792	cmd.exe	89
PID 1792 wrote to memory of 1404	1792	cmd.exe	90
PID 1792 wrote to memory of 1404	1792	cmd.exe	90
PID 1792 wrote to memory of 1404	1792	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\1732209192.0855865_wild things.exe
"C:\Users\Admin\AppData\Local\Temp\1732209192.0855865_wild things.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Isa Isa.cmd & Isa.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4780
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4892
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 828360
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Quotations + ..\Anywhere + ..\Philippines + ..\Logo + ..\Tend + ..\Cats + ..\Heading H
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2508
- - C:\Users\Admin\AppData\Local\Temp\828360\Pi.com
    Pi.com H
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:396
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\828360\H

Filesize
482KB

MD5
8b4a78f31c40fc571423c552bf0cae1d

SHA1
0e4925632684ca7388d3b7175b44e15777641139

SHA256
ed892414409b97fa3166b7437b525c3b2680a2c208aa83427629000fd7b2f5b5

SHA512
7446c5dfac78c561d892d44214fcf858b1e04698d6173627a91a2c5d7ddef49ab9fa92eab57c3ee00c3aea3ce042815913b24238e39b816ae0d3eda4149e3d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anywhere

Filesize
50KB

MD5
67c3fcd9a38aba1a98577d1186e8bbfc

SHA1
ebceb2a87281b1470f562b2901ca1d77750d14cf

SHA256
d36d5e643f23bbd930141872e08bef58595b2be7609a32a395189ab8054db236

SHA512
229a343db009a23712ca34b7ab5ff878efe2db81748b12e994eb6fd5d646309e588075112f463c78f6671d066c3a7ce66ac63df9bcd33f85ac7ac647827f8570

Download Submit
C:\Users\Admin\AppData\Local\Temp\Attorney

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cats

Filesize
63KB

MD5
ea5c89dd537a62728bcadc009aa5b53c

SHA1
033d97b0a2f2810f2783afc75a6978f201f8994e

SHA256
89ada33323d76010a8ae61ba6b4c86f81234ba3c4b490532596340bf84a0615e

SHA512
73be3cf62dd3a20f5eeb93e161d6034bb48c6d2889fe7341d9c3b3c966cb876f62e31c522c19159672236d1b45f2631c75adc0a59af0cbd9ccd65d813df3d0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Heading

Filesize
21KB

MD5
dadb73ce0f9f3dad7c066ea65da0cb2c

SHA1
88b44ca9a9f5871ff4b4c550f77a154d007540c6

SHA256
d87ee58ee911cdbcf6b475925bc54032e3f7691482a4bdf18b14ff3ae7b49cda

SHA512
0ce21472e79444cf91c042de660f49600b94a002b58094a04fd758d1e860ff2ae96a4b852de9d43bef354241936c801f2123b8aee69be2613a361681f579256b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Isa

Filesize
16KB

MD5
4a1a95ed26ea66e0a162d032447aa648

SHA1
5b59d22d93d0fb81d9bc983f1f1631427146a3d0

SHA256
81d61b734aaa38c9e1d583adde74adf886677ccdd5a4639dc3869009eeaf0636

SHA512
9271093605f0659cac3e57f185e357c118ddf3f3451d1435b20737a90d9f166ed0dc2a65980355f9523db126f81c7533cf4442881ceef7a8b27c245871fc9b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logo

Filesize
99KB

MD5
814e480f68eab55dcb6dd345cac703be

SHA1
0cefd9d169ed4886cb5febaed08693fc0810e5e5

SHA256
9b04c17f2e2dbb96002171a4764078136e781b18235c7dca76ceb8b64d0a1995

SHA512
160e8d0d6ff2bcd169c60c2125d282f8365ad6d2de7e32f0f0a032545d3b30e9c28947b3050b121a67c8ff000fae910d4b7284a33386dabed69fadc32e968477

Download Submit
C:\Users\Admin\AppData\Local\Temp\Philippines

Filesize
84KB

MD5
129319c5104061fad23ca8fc69aef7f8

SHA1
4689b931bfc6593293b10ea932ae9c4efeace48c

SHA256
3d6fe29912246b53cc8e43638dc0bb0df1262b795de5b7c278acfa141d6daa19

SHA512
37248143c9f226ba7a4d4d86b80c84947efca98715846c537da23b785db740a23730c025417f4633a357fc633843b26eb3026559088448e6094f08a0ad3359f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Quotations

Filesize
85KB

MD5
df219d8a3829e1b0a0a25585706c02ba

SHA1
4270c6a44756c35a37407df46d2151c0b0cc1e97

SHA256
571bb92b9963c269efccef5ec5fb183d1627113db4fb7718fa8213c3caa17616

SHA512
ff9c954ce6d9467d292112db053c5d48d16f1f21a2f0b03555ff4286c2c5c6ee82d5e910cdbe2c7fd7bab04377c52b6d23eed7cbfb45ff66118fd09ade87b5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tend

Filesize
80KB

MD5
c89cd02f460cbd6ed782290edc673e54

SHA1
0cdd6a693b36691b3687f58d1e3277f2da813075

SHA256
05410606846ee34da9660c6241cda1704f2159ae3bbcdac199ecbb3ab31ddd2f

SHA512
025a1af74f67eefe9c747712532752c02d0787fc88a1690a96bb39cfc805df5c5018bf41627084d2a9e95b458a60dc2818835390754834b0ba891015df1ab413

Download Submit
memory/396-404-0x0000000003CF0000-0x0000000003D4B000-memory.dmp

Filesize
364KB

Download
memory/396-403-0x0000000003CF0000-0x0000000003D4B000-memory.dmp

Filesize
364KB

Download
memory/396-405-0x0000000003CF0000-0x0000000003D4B000-memory.dmp

Filesize
364KB

Download
memory/396-408-0x0000000003CF0000-0x0000000003D4B000-memory.dmp

Filesize
364KB

Download
memory/396-407-0x0000000003CF0000-0x0000000003D4B000-memory.dmp

Filesize
364KB

Download
memory/396-406-0x0000000003CF0000-0x0000000003D4B000-memory.dmp

Filesize
364KB

Download