Overview
overview
10Static
static
10VSNKLGuzoF...2).exe
windows7-x64
3VSNKLGuzoF...2).exe
windows10-2004-x64
3VSNKLGuzoF...5w.exe
windows7-x64
3VSNKLGuzoF...5w.exe
windows10-2004-x64
3VideoCodeCX.exe
windows7-x64
10VideoCodeCX.exe
windows10-2004-x64
10WcsPlugInS...ex.exe
windows7-x64
5WcsPlugInS...ex.exe
windows10-2004-x64
7WinLocker Builder.exe
windows7-x64
5WinLocker Builder.exe
windows10-2004-x64
5WinLocker_Builder.exe
windows7-x64
5WinLocker_Builder.exe
windows10-2004-x64
5_003E0000.exe.vir.exe
windows7-x64
9_003E0000.exe.vir.exe
windows10-2004-x64
7vmem02.exe
windows7-x64
3vmem02.exe
windows10-2004-x64
3w8i9eHkHOwWwQlX.exe
windows7-x64
3w8i9eHkHOwWwQlX.exe
windows10-2004-x64
3wpbt0.exe
windows7-x64
10wpbt0.exe
windows10-2004-x64
10xpiofrbtkzhr.exe
windows7-x64
xpiofrbtkzhr.exe
windows10-2004-x64
xxx_video (2).exe
windows7-x64
7xxx_video (2).exe
windows10-2004-x64
7xxx_video.exe
windows7-x64
5xxx_video.exe
windows10-2004-x64
5xxx_video_...vi.exe
windows7-x64
10xxx_video_...vi.exe
windows10-2004-x64
5xxx_video_...ir.exe
windows7-x64
10xxx_video_...ir.exe
windows10-2004-x64
5xxx_video_...ir.exe
windows7-x64
10xxx_video_...ir.exe
windows10-2004-x64
10Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:48
Behavioral task
behavioral1
Sample
VSNKLGuzoFJgFHyEI15w (2).exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
VSNKLGuzoFJgFHyEI15w (2).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
VSNKLGuzoFJgFHyEI15w.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
VSNKLGuzoFJgFHyEI15w.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
VideoCodeCX.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
VideoCodeCX.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
WcsPlugInService.ex.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
WcsPlugInService.ex.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
WinLocker Builder.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
WinLocker Builder.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
WinLocker_Builder.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
WinLocker_Builder.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
_003E0000.exe.vir.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
_003E0000.exe.vir.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
vmem02.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
vmem02.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
w8i9eHkHOwWwQlX.exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
w8i9eHkHOwWwQlX.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
wpbt0.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
wpbt0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
xpiofrbtkzhr.exe
Resource
win7-20240729-en
Behavioral task
behavioral22
Sample
xpiofrbtkzhr.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
xxx_video (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
xxx_video (2).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
xxx_video.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
xxx_video.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
xxx_video_26726.avi.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
xxx_video_26726.avi.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
xxx_video_35942.avi.exe.vir.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
xxx_video_35942.avi.exe.vir.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
xxx_video_35942.avi_unpacked_.exe.vir.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
xxx_video_35942.avi_unpacked_.exe.vir.exe
Resource
win10v2004-20241007-en
General
-
Target
WcsPlugInService.ex.exe
-
Size
113KB
-
MD5
f9a974c8ed6793c226101c10af7542db
-
SHA1
5719e5b45721af9ac9652332f2001d984e1d9a45
-
SHA256
8f0c20eab317c9416ad6dd602013528dca8ee1467b111019fe6704ff8da6a241
-
SHA512
1f00ca5c9fdb1ca8fe6d9b9728da6b3aac57b72e17e528ec37e77cdf6ae1cd52384b0ae8256e2f74f88ba87c9e90c575a0a8ebf729f894590fe71d5e6ce608d3
-
SSDEEP
3072:pxuZMpyk7A79E6rdAXpRCxv/sqJ5SjTOaiZl7ObWlx+T:pYf79JAXKxHs0S3OaiZ1Oiv
Malware Config
Signatures
-
resource yara_rule behavioral7/memory/1628-0-0x0000000000FF0000-0x0000000001029000-memory.dmp upx behavioral7/memory/1628-12-0x0000000000FF0000-0x0000000001029000-memory.dmp upx -
Program crash 1 IoCs
pid pid_target Process procid_target 1636 1732 WerFault.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WcsPlugInService.ex.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 1628 WcsPlugInService.ex.exe 1628 WcsPlugInService.ex.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1628 wrote to memory of 1732 1628 WcsPlugInService.ex.exe 30 PID 1628 wrote to memory of 1732 1628 WcsPlugInService.ex.exe 30 PID 1628 wrote to memory of 1732 1628 WcsPlugInService.ex.exe 30 PID 1628 wrote to memory of 1732 1628 WcsPlugInService.ex.exe 30 PID 1628 wrote to memory of 1732 1628 WcsPlugInService.ex.exe 30 PID 1628 wrote to memory of 1732 1628 WcsPlugInService.ex.exe 30 PID 1628 wrote to memory of 1732 1628 WcsPlugInService.ex.exe 30 PID 1732 wrote to memory of 1636 1732 msiexec.exe 31 PID 1732 wrote to memory of 1636 1732 msiexec.exe 31 PID 1732 wrote to memory of 1636 1732 msiexec.exe 31 PID 1732 wrote to memory of 1636 1732 msiexec.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\WcsPlugInService.ex.exe"C:\Users\Admin\AppData\Local\Temp\WcsPlugInService.ex.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 2683⤵
- Program crash
PID:1636
-
-