Overview

overview

10

Static

static

10

foo/0044d6...f7.exe

windows7-x64

1

foo/0044d6...f7.exe

windows10-2004-x64

3

foo/034e4c...a9.exe

windows7-x64

4

foo/034e4c...a9.exe

windows10-2004-x64

4

foo/035fa2...72.exe

windows7-x64

6

foo/035fa2...72.exe

windows10-2004-x64

6

foo/04884a...1b.exe

windows7-x64

7

foo/04884a...1b.exe

windows10-2004-x64

7

foo/06ed82...59.exe

windows7-x64

7

foo/06ed82...59.exe

windows10-2004-x64

7

foo/07470b...68.exe

windows7-x64

7

foo/07470b...68.exe

windows10-2004-x64

7

foo/078adb...c0.exe

windows7-x64

10

foo/078adb...c0.exe

windows10-2004-x64

10

foo/09e5c8...b4.exe

windows7-x64

3

foo/09e5c8...b4.exe

windows10-2004-x64

3

foo/0becfe...f4.exe

windows7-x64

10

foo/0becfe...f4.exe

windows10-2004-x64

10

foo/1a78d3...a3.exe

windows7-x64

5

foo/1a78d3...a3.exe

windows10-2004-x64

7

foo/1ffe82...a6.exe

windows7-x64

10

foo/1ffe82...a6.exe

windows10-2004-x64

10

foo/255028...e1.dll

windows7-x64

3

foo/255028...e1.dll

windows10-2004-x64

3

foo/27601d...cc.exe

windows7-x64

7

foo/27601d...cc.exe

windows10-2004-x64

7

foo/27f911...49.exe

windows7-x64

10

foo/27f911...49.exe

windows10-2004-x64

10

foo/28408c...c5.exe

windows7-x64

10

foo/28408c...c5.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    124s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    foo/27601d095e5b3761d9289584415a73cc.exe

  • Size

    565KB

  • MD5

    27601d095e5b3761d9289584415a73cc

  • SHA1

    9570f23b5abe2ef46a23ded17adb2fb6c203a201

  • SHA256

    749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4

  • SHA512

    066263bf8f11d48b4e3715b8962686e0ca32aa8647b642a193b5331513538a44bb49edad5ef6a08ae6cc6401504fadc7adf38efb07c9ae9560e947aac443e0e7

  • SSDEEP

    12288:REqmA0wfzInoQJUi1KHvQtzDNfo1arLaLRvs+Jkp/eH:RHmSyo+Ui13zZCI7+up/eH

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 13 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\foo\27601d095e5b3761d9289584415a73cc.exe
    "C:\Users\Admin\AppData\Local\Temp\foo\27601d095e5b3761d9289584415a73cc.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Program Files (x86)\HPWombat\WombatStarter.exe
      "C:\Program Files (x86)\HPWombat\WombatStarter.exe" "install_and_start_srv" "C:\Users\Admin\AppData\Local\Temp\foo\27601d095e5b3761d9289584415a73cc.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2532
    • C:\Program Files (x86)\HPWombat\WombatStarter.exe
      "C:\Program Files (x86)\HPWombat\WombatStarter.exe" "write_patch_str_to_reg" "C:\Users\Admin\AppData\Local\Temp\foo\27601d095e5b3761d9289584415a73cc.exe" "HKLM" Software\HPWombat "jeromu"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2588
  • C:\Program Files (x86)\HPWombat\HPWombatSrv.exe
    "C:\Program Files (x86)\HPWombat\HPWombatSrv.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\HPWombat\HPWombatSrv.exe
    Filesize

    2.4MB

    MD5

    bac2e4856879885af0251cb4cbb3d521

    SHA1

    a8d3f6492e20e775c84f16a8ca6683a2c1aabc2d

    SHA256

    18dd7fe65140120d10004e475effb1ce386d8f280094429f4654882120899d73

    SHA512

    5d550a67764a54145808a12953435a5dd75d1bea8200f2872e288f1eb9f8c0b798db539289950b2c42a0cac4a55689fc65427d1c97afdf83a10881a74d7a1935

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firеfох.lnk
    Filesize

    1KB

    MD5

    35bd6063a561ad015bcd563d19f8b4da

    SHA1

    6ba50ce4dbbd1247b5a638f725118310503e136a

    SHA256

    37fc3f46607e4652d3731f5c93612cb92754ed6b24f8877f0ecac3fc95b41976

    SHA512

    7ae551ea865ea94e4a4b1e2b5c90bd8268d04168fde046e5b70e4b2c79255dc82e315321c677794a698d82f4fc17329afb018d76cc01e02c568428d105af21ac

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk
    Filesize

    1KB

    MD5

    075cce33e5b9021a3b2c980e4834166f

    SHA1

    890480d71a652e81593661b42767084b369f91c2

    SHA256

    cfe88e1f889997f3c65116644786da7e83e5cb545d533bbe0300c4b7cc727c6c

    SHA512

    af29a79f7b8ffd93a0c52219d943e147a94bef65abae2c36d596ead29ea506060e4e9b09600adc8661de16c525d55a31c91d633fbf1d29e4483996273f3be742

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gооglе Сhrоmе.lnk
    Filesize

    2KB

    MD5

    b9d6f634543a509daf4baf7193736d7b

    SHA1

    8856ba024a44c39737111dae84e1dc121990edd7

    SHA256

    1fe24d28bf663495a86fd5244f1d8794a07155212c1bc3e68bc5e1816d5ea843

    SHA512

    b5d67b54e31c494a49a9960c2d365af7005ec8734bfef7996d6d155d3894840254cad19b7250e28f3e318609fb01ad8a966bccec422d862068a86d4a053ad0a3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Intеrnеt Ехрlоrеr.lnk
    Filesize

    1KB

    MD5

    437968550cae0e72ce66b13cf3dd9f99

    SHA1

    7d8f6fb157e8305a511007715627d72b05b0fca3

    SHA256

    8c588e1b47951680c7e0e1c22c369fcf3cbba2d9a825bf06a6cb6869984c9a94

    SHA512

    046d42415ca557709391aef0fe95fe63b24621e3292c26e3ab6764c578d333478ffbe65e61ada2250f3c799b85326d6258395e1e0317ff8ebf205a55258a9867

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Intеrnеt Ехрlоrеr (Nо Аdd-оns).lnk
    Filesize

    2KB

    MD5

    387fe4555fffb7b85e3b506077917fab

    SHA1

    457076fbbcb873edccba6d139401863ac298fd90

    SHA256

    b37c83e616dc86b7746b78250f25ca3442acff810bfb7a724afc74b94b3099d3

    SHA512

    0d4e966050930298d948075432cb2ab59e81ae9d382a9489994004ba28510b1d65d0d763fcc427330a75fe95b84167a11ce4939f68666acbeb2335544c196019

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intеrnеt Ехрlоrеr.lnk
    Filesize

    2KB

    MD5

    10248b48a514f37dbf4a62ce4a38d555

    SHA1

    57ecf64257fa645981033acd180aea1d6f21b2c9

    SHA256

    bd38dc543adbeac40775965dacb591d6ac2382a24edd99b7b091e547d9758fdb

    SHA512

    b016e8902aff1a4f9fe698df792f86d37e903d53d218b6ab44b3193db7c992ed3eef685d919e649435eb4f5723547ffba47d5fb0cfbdbf9e12343d9c0a911e70

    Download Submit

  • C:\Users\Public\Desktop\Firеfох.lnk
    Filesize

    1KB

    MD5

    7bb3af462004ba82592ce6ae32626b1b

    SHA1

    f26e083c0c097c1fe5dc3a9b44ed73ac3f0d6a21

    SHA256

    12ef0b9ddcabfe85d8134c98012f270c78f129bcc49940b92c09a149532dcd1c

    SHA512

    d8b8d287bec0952491262f2fdc4db7704e68fdccf90856fe7245a79e30e18be4c121687a63be3ca4d3493e4d9081235851d7c987c162eb163fdec05e95e0ff9e

    Download Submit

  • C:\Users\Public\Desktop\Gооglе Сhrоmе.lnk
    Filesize

    1KB

    MD5

    2c41db46c366f974c1eb249531005fab

    SHA1

    fb39130715f9478db18a310b969b79669a7ae906

    SHA256

    ebfd317940a0c941f6c4747f3cae40e304566ecb5d92aa4babb3aed80bf18210

    SHA512

    a745a24783c225a02e7198bc68f8e13502a4970f15272b45c10ce09428027f1f5683e530714319e2d52937d7dab49e575143912f717e393c1b782094ca60b1ce

    Download Submit

  • \Program Files (x86)\HPWombat\WombatStarter.exe
    Filesize

    1.3MB

    MD5

    d23253f3a323a0a7c8ecfb08e1e0aa74

    SHA1

    497bbf7fa1655f7fd921239a00d46c32acebf59d

    SHA256

    78d7891f42d40171373088aff1bda3fbd5ed4275ac0166a0cfcc7c8001ed4b70

    SHA512

    cc5072793d2bcefda3d59e145996bbeb47eac8a6887b7472d2ce3d64bcf46a3c9cd97a663920f4510e1ca6626258354dbc4e758a759b089f58d86fa8a4cb7b3d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nseE42A.tmp\inetc.dll
    Filesize

    24KB

    MD5

    0f70de5c22874df2323f937f7b588bd4

    SHA1

    ed306624cd687d9e506c7ecd2ac97b7aaf556ff6

    SHA256

    7f5429361e0195d599ee05643e26985490b2ad85a08943e561898db3b365997b

    SHA512

    9cc23c1c5fbd07d991adf002fcdfdc3118b5d3648ac2387ef255ddd1377e1f94926f6e466ffe61657858df8e50179f52d647c75637beb2cd833b4ee6e5dc556e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nseE42A.tmp\nsProcess.dll
    Filesize

    4KB

    MD5

    f0438a894f3a7e01a4aae8d1b5dd0289

    SHA1

    b058e3fcfb7b550041da16bf10d8837024c38bf6

    SHA256

    30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

    SHA512

    f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

    Download Submit