Overview

overview

10

Static

static

10

foo/0044d6...f7.exe

windows7-x64

1

foo/0044d6...f7.exe

windows10-2004-x64

3

foo/034e4c...a9.exe

windows7-x64

4

foo/034e4c...a9.exe

windows10-2004-x64

4

foo/035fa2...72.exe

windows7-x64

6

foo/035fa2...72.exe

windows10-2004-x64

6

foo/04884a...1b.exe

windows7-x64

7

foo/04884a...1b.exe

windows10-2004-x64

7

foo/06ed82...59.exe

windows7-x64

7

foo/06ed82...59.exe

windows10-2004-x64

7

foo/07470b...68.exe

windows7-x64

7

foo/07470b...68.exe

windows10-2004-x64

7

foo/078adb...c0.exe

windows7-x64

10

foo/078adb...c0.exe

windows10-2004-x64

10

foo/09e5c8...b4.exe

windows7-x64

3

foo/09e5c8...b4.exe

windows10-2004-x64

3

foo/0becfe...f4.exe

windows7-x64

10

foo/0becfe...f4.exe

windows10-2004-x64

10

foo/1a78d3...a3.exe

windows7-x64

5

foo/1a78d3...a3.exe

windows10-2004-x64

7

foo/1ffe82...a6.exe

windows7-x64

10

foo/1ffe82...a6.exe

windows10-2004-x64

10

foo/255028...e1.dll

windows7-x64

3

foo/255028...e1.dll

windows10-2004-x64

3

foo/27601d...cc.exe

windows7-x64

7

foo/27601d...cc.exe

windows10-2004-x64

7

foo/27f911...49.exe

windows7-x64

10

foo/27f911...49.exe

windows10-2004-x64

10

foo/28408c...c5.exe

windows7-x64

10

foo/28408c...c5.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2024 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    foo/27601d095e5b3761d9289584415a73cc.exe

  • Size

    565KB

  • MD5

    27601d095e5b3761d9289584415a73cc

  • SHA1

    9570f23b5abe2ef46a23ded17adb2fb6c203a201

  • SHA256

    749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4

  • SHA512

    066263bf8f11d48b4e3715b8962686e0ca32aa8647b642a193b5331513538a44bb49edad5ef6a08ae6cc6401504fadc7adf38efb07c9ae9560e947aac443e0e7

  • SSDEEP

    12288:REqmA0wfzInoQJUi1KHvQtzDNfo1arLaLRvs+Jkp/eH:RHmSyo+Ui13zZCI7+up/eH

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\foo\27601d095e5b3761d9289584415a73cc.exe
    "C:\Users\Admin\AppData\Local\Temp\foo\27601d095e5b3761d9289584415a73cc.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Program Files (x86)\HPWombat\WombatStarter.exe
      "C:\Program Files (x86)\HPWombat\WombatStarter.exe" "install_and_start_srv" "C:\Users\Admin\AppData\Local\Temp\foo\27601d095e5b3761d9289584415a73cc.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3956
    • C:\Program Files (x86)\HPWombat\WombatStarter.exe
      "C:\Program Files (x86)\HPWombat\WombatStarter.exe" "write_patch_str_to_reg" "C:\Users\Admin\AppData\Local\Temp\foo\27601d095e5b3761d9289584415a73cc.exe" "HKLM" Software\HPWombat "jeromu"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3752
  • C:\Program Files (x86)\HPWombat\HPWombatSrv.exe
    "C:\Program Files (x86)\HPWombat\HPWombatSrv.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:3436

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\HPWombat\HPWombatSrv.exe
    Filesize

    2.4MB

    MD5

    bac2e4856879885af0251cb4cbb3d521

    SHA1

    a8d3f6492e20e775c84f16a8ca6683a2c1aabc2d

    SHA256

    18dd7fe65140120d10004e475effb1ce386d8f280094429f4654882120899d73

    SHA512

    5d550a67764a54145808a12953435a5dd75d1bea8200f2872e288f1eb9f8c0b798db539289950b2c42a0cac4a55689fc65427d1c97afdf83a10881a74d7a1935

    Download Submit

  • C:\Program Files (x86)\HPWombat\WombatStarter.exe
    Filesize

    1.3MB

    MD5

    d23253f3a323a0a7c8ecfb08e1e0aa74

    SHA1

    497bbf7fa1655f7fd921239a00d46c32acebf59d

    SHA256

    78d7891f42d40171373088aff1bda3fbd5ed4275ac0166a0cfcc7c8001ed4b70

    SHA512

    cc5072793d2bcefda3d59e145996bbeb47eac8a6887b7472d2ce3d64bcf46a3c9cd97a663920f4510e1ca6626258354dbc4e758a759b089f58d86fa8a4cb7b3d

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firеfох.lnk
    Filesize

    2KB

    MD5

    011775df388c3f177e507dad060197d1

    SHA1

    8957b51506e75c7fca7817ab1d76b2fa6f6189d6

    SHA256

    9c73ae85388adb7adc7d2e4a3fff4c4853b20435fd01097486afbf5099813999

    SHA512

    b8b2ab9c15753db4b1396cf27c3b1a2a60e6dbf9cc687de771ecd8791f504b7fe3fcee265186c9c031675e162f7d84011636b940f5301a53bbf11e15f4e80e56

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk
    Filesize

    2KB

    MD5

    b366cfdee7903640f10470f870f213a6

    SHA1

    a9d93346857d327cdc85efc8500299a07175b301

    SHA256

    4c1f9f4a09a28048e8476e956c9a4032ccc7bb1c9eb5188dcc1bb297e5d5c5a9

    SHA512

    5942160be6be90d48bc4f86d96abe61231f1aeefcc251eba766b112045c55df53e87e1b488a44ce8c682342e8489bc406f94faa639afcc9c75f905a7362ba6b8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\inetc.dll
    Filesize

    24KB

    MD5

    0f70de5c22874df2323f937f7b588bd4

    SHA1

    ed306624cd687d9e506c7ecd2ac97b7aaf556ff6

    SHA256

    7f5429361e0195d599ee05643e26985490b2ad85a08943e561898db3b365997b

    SHA512

    9cc23c1c5fbd07d991adf002fcdfdc3118b5d3648ac2387ef255ddd1377e1f94926f6e466ffe61657858df8e50179f52d647c75637beb2cd833b4ee6e5dc556e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\nsProcess.dll
    Filesize

    4KB

    MD5

    f0438a894f3a7e01a4aae8d1b5dd0289

    SHA1

    b058e3fcfb7b550041da16bf10d8837024c38bf6

    SHA256

    30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

    SHA512

    f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firеfох.lnk
    Filesize

    2KB

    MD5

    67c9e5c4ae60bfb6cd31fa5624cbc3b2

    SHA1

    35c6431447f3b635d04f3204f232557b37c8ca13

    SHA256

    d52f973dd2e654238737b198d4624231da102bd40764bd07c73434fd43c00fd0

    SHA512

    182adc6460472a9d5e886bc095d94928182440d655dfc87cbe9c2253b4fb7ff52d95c6ee49520c5a64dc4edb59772f6dca49840de9b76c54ada4b4c127c11c70

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gооglе Сhrоmе.lnk
    Filesize

    2KB

    MD5

    ad84639109123778c808d4867853f9d8

    SHA1

    5371cbe48576c0abe911ec61df68b308538690f6

    SHA256

    6261c3889dfbc6355aa7e1e78a3c158b31e4c4f8df499c6f09b4a3a72a6146ea

    SHA512

    c4948e99bca0ed7d45a08d962e5b97d9d1b8fb4146ef53a69ac599abc3589500abee2118d534a11130bb2891eb4a6cdc58e607ddbe2e408f471c6d1cfd843b92

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Intеrnеt Ехрlоrеr.lnk
    Filesize

    2KB

    MD5

    b43e530bc507da9a7913afbf3f117e19

    SHA1

    f2954c39c2d2cc97cc1e2a8ed6b7baa692cbb557

    SHA256

    a31316c3ed73f06ab0ae78e387913d3eb81c5fe3606d74a271b6372dbd9df417

    SHA512

    7fd5f8d7f8ace9052a5ec4eb35168bb30e9a6aa21eb1daa3817b2484561a20da0a505c86edf8d7219085f50cb156e1f8fa97807f840105fb943e9b7b54316d6a

    Download Submit

  • C:\Users\Public\Desktop\Firеfох.lnk
    Filesize

    2KB

    MD5

    5b599ba1ca749dfe7f088a3670d1a4db

    SHA1

    5fb3e4b5ff9e0253d9f0e97b622d63b7e9e06f3f

    SHA256

    b756e508f2374c4b50eee81567d0135adfd2db915899a2c7c67f5a13c9009c5a

    SHA512

    cef0903409fec597c198ed5ad2765fef8559201dc5df5d8a1914c1c911a36ad5080b17838a3cadcd2e99f6ff73f33dedafc04dca99383ac4173dfef66447970d

    Download Submit

  • C:\Users\Public\Desktop\Gооglе Сhrоmе.lnk
    Filesize

    2KB

    MD5

    23de66f4d6b142328a6d1ad4b9c6d13b

    SHA1

    8a7a9d78b22b18c87b60ae22d830f534127eab21

    SHA256

    8df52f37babbe3de36244688afc277ae48980fcec3c3362ed90eac353e579373

    SHA512

    f01363ee2bbdbd6b7593608de4264dbfed18c94f6cdd148563828b6ce060505918bbafa9d99d9ddd33e6e70a7f31d9607dd4d71a37a340f1e4e79b0a273a62b2

    Download Submit