ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1

General

Target

ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe
Size

127KB
MD5

9babe52f985b2b4193113d5c260eb195
SHA1

b4b4772d485d7d4192774aca3a9c594f82717adb
SHA256

ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1
SHA512

61f41678334ea638dd3dc02d280739910d4b64cc31289c3f99bf41067bdfee1a9ab2114920b7b162862046b06d59d2bb6168557cc1a4463113a2ad00f526af8b

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

wuug.exe

pid process

1864 wuug.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1584 cmd.exe

pid	process
1584	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe

pid	process
1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe
1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wuug.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\Currentversion\Run	wuug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\{261E7880-0971-876D-8339-B3D3C2EFCBEB} = "C:\\Users\\Admin\\AppData\\Roaming\\W9ow\\wuug.exe"	wuug.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe

description	pid	process	target process
PID 1616 set thread context of 1584	1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Privacy	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\647061CC-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

wuug.exe

pid	process
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe
1864	wuug.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe
Token: SeManageVolumePrivilege	1636	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1636 WinMail.exe

pid	process
1636	WinMail.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exewuug.exe

description	pid	process	target process
PID 1616 wrote to memory of 1864	1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe	wuug.exe
PID 1616 wrote to memory of 1864	1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe	wuug.exe
PID 1616 wrote to memory of 1864	1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe	wuug.exe
PID 1616 wrote to memory of 1864	1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe	wuug.exe
PID 1864 wrote to memory of 1132	1864	wuug.exe	taskhost.exe
PID 1864 wrote to memory of 1132	1864	wuug.exe	taskhost.exe
PID 1864 wrote to memory of 1132	1864	wuug.exe	taskhost.exe
PID 1864 wrote to memory of 1132	1864	wuug.exe	taskhost.exe
PID 1864 wrote to memory of 1132	1864	wuug.exe	taskhost.exe
PID 1864 wrote to memory of 1208	1864	wuug.exe	Dwm.exe
PID 1864 wrote to memory of 1208	1864	wuug.exe	Dwm.exe
PID 1864 wrote to memory of 1208	1864	wuug.exe	Dwm.exe
PID 1864 wrote to memory of 1208	1864	wuug.exe	Dwm.exe
PID 1864 wrote to memory of 1208	1864	wuug.exe	Dwm.exe
PID 1864 wrote to memory of 1272	1864	wuug.exe	Explorer.EXE
PID 1864 wrote to memory of 1272	1864	wuug.exe	Explorer.EXE
PID 1864 wrote to memory of 1272	1864	wuug.exe	Explorer.EXE
PID 1864 wrote to memory of 1272	1864	wuug.exe	Explorer.EXE
PID 1864 wrote to memory of 1272	1864	wuug.exe	Explorer.EXE
PID 1864 wrote to memory of 1616	1864	wuug.exe	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe
PID 1864 wrote to memory of 1616	1864	wuug.exe	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe
PID 1864 wrote to memory of 1616	1864	wuug.exe	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe
PID 1864 wrote to memory of 1616	1864	wuug.exe	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe
PID 1864 wrote to memory of 1616	1864	wuug.exe	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe
PID 1864 wrote to memory of 1636	1864	wuug.exe	WinMail.exe
PID 1864 wrote to memory of 1636	1864	wuug.exe	WinMail.exe
PID 1864 wrote to memory of 1636	1864	wuug.exe	WinMail.exe
PID 1864 wrote to memory of 1636	1864	wuug.exe	WinMail.exe
PID 1864 wrote to memory of 1636	1864	wuug.exe	WinMail.exe
PID 1616 wrote to memory of 1584	1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe	cmd.exe
PID 1616 wrote to memory of 1584	1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe	cmd.exe
PID 1616 wrote to memory of 1584	1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe	cmd.exe
PID 1616 wrote to memory of 1584	1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe	cmd.exe
PID 1616 wrote to memory of 1584	1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe	cmd.exe
PID 1616 wrote to memory of 1584	1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe	cmd.exe
PID 1616 wrote to memory of 1584	1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe	cmd.exe
PID 1616 wrote to memory of 1584	1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe	cmd.exe
PID 1616 wrote to memory of 1584	1616	ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe	cmd.exe
PID 1864 wrote to memory of 744	1864	wuug.exe	DllHost.exe
PID 1864 wrote to memory of 744	1864	wuug.exe	DllHost.exe
PID 1864 wrote to memory of 744	1864	wuug.exe	DllHost.exe
PID 1864 wrote to memory of 744	1864	wuug.exe	DllHost.exe
PID 1864 wrote to memory of 744	1864	wuug.exe	DllHost.exe
PID 1864 wrote to memory of 1604	1864	wuug.exe	DllHost.exe
PID 1864 wrote to memory of 1604	1864	wuug.exe	DllHost.exe
PID 1864 wrote to memory of 1604	1864	wuug.exe	DllHost.exe
PID 1864 wrote to memory of 1604	1864	wuug.exe	DllHost.exe
PID 1864 wrote to memory of 1604	1864	wuug.exe	DllHost.exe
PID 1864 wrote to memory of 1432	1864	wuug.exe	DllHost.exe
PID 1864 wrote to memory of 1432	1864	wuug.exe	DllHost.exe
PID 1864 wrote to memory of 1432	1864	wuug.exe	DllHost.exe
PID 1864 wrote to memory of 1432	1864	wuug.exe	DllHost.exe
PID 1864 wrote to memory of 1432	1864	wuug.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe
"C:\Users\Admin\AppData\Local\Temp\ca2ab2eb8249afceb6b9f42bac54fe8635fb5ccbf4e497c35ed700d9dae1c2d1.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Roaming\W9ow\wuug.exe
"C:\Users\Admin\AppData\Roaming\W9ow\wuug.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6a3fc047.bat"
3⤵
- Deletes itself
PID:1584

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1208

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:744

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6a3fc047.bat
MD5
3cef77b6918d5c415ed3ed70cb99d4db

SHA1
2cc425308ae2f504a53a5e8b0cd7cd56c202fccd

SHA256
f55e5204d9ff248fa6074ab586a623f94a069e6588bb095d831da83bb97fcb7e

SHA512
989b0deb42fea1a7417fa51a863050a701da2c8d42098655097d422817fd851b1bda72b97e2ba52a9623c021698b5cf13a12e2abb8f66355f5d0135c270cf44b

Download Submit
C:\Users\Admin\AppData\Roaming\W9ow\wuug.exe
MD5
46402260669db243ab0d4009915e95f1

SHA1
f9e8e614063b7f79694e8380d04dd1a7cd74c15d

SHA256
4cd2e40b22328007cd729bdd52fcf20353a801dc129cc3a3ba42b07d460d23eb

SHA512
89db8bd80dd83f5689c387b8116fbdaf1721c369d278e19a7800aeb928d5c98532563af699b32b1667a1633216876c4b42a1a9a75390a63e2671015442abd933

Download Submit
C:\Users\Admin\AppData\Roaming\W9ow\wuug.exe
MD5
46402260669db243ab0d4009915e95f1

SHA1
f9e8e614063b7f79694e8380d04dd1a7cd74c15d

SHA256
4cd2e40b22328007cd729bdd52fcf20353a801dc129cc3a3ba42b07d460d23eb

SHA512
89db8bd80dd83f5689c387b8116fbdaf1721c369d278e19a7800aeb928d5c98532563af699b32b1667a1633216876c4b42a1a9a75390a63e2671015442abd933

Download Submit
\Users\Admin\AppData\Roaming\W9ow\wuug.exe
MD5
46402260669db243ab0d4009915e95f1

SHA1
f9e8e614063b7f79694e8380d04dd1a7cd74c15d

SHA256
4cd2e40b22328007cd729bdd52fcf20353a801dc129cc3a3ba42b07d460d23eb

SHA512
89db8bd80dd83f5689c387b8116fbdaf1721c369d278e19a7800aeb928d5c98532563af699b32b1667a1633216876c4b42a1a9a75390a63e2671015442abd933

Download Submit
\Users\Admin\AppData\Roaming\W9ow\wuug.exe
MD5
46402260669db243ab0d4009915e95f1

SHA1
f9e8e614063b7f79694e8380d04dd1a7cd74c15d

SHA256
4cd2e40b22328007cd729bdd52fcf20353a801dc129cc3a3ba42b07d460d23eb

SHA512
89db8bd80dd83f5689c387b8116fbdaf1721c369d278e19a7800aeb928d5c98532563af699b32b1667a1633216876c4b42a1a9a75390a63e2671015442abd933

Download Submit
memory/1584-32-0x0000000000050000-0x0000000000073000-memory.dmp

Filesize
140KB

Download
memory/1584-33-0x0000000000057132-mapping.dmp

Download
memory/1584-35-0x0000000074580000-0x0000000074723000-memory.dmp

Filesize
1.6MB

Download
memory/1584-37-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1604-39-0x000007FEF7BD0000-0x000007FEF7E4A000-memory.dmp

Filesize
2.5MB

Download
memory/1616-2-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1616-14-0x0000000002940000-0x0000000002963000-memory.dmp

Filesize
140KB

Download
memory/1616-17-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1616-18-0x00000000745B0000-0x0000000074753000-memory.dmp

Filesize
1.6MB

Download
memory/1616-3-0x0000000001EF0000-0x0000000001F2F000-memory.dmp

Filesize
252KB

Download
memory/1616-4-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download
memory/1616-5-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1636-19-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download
memory/1636-24-0x00000000038D0000-0x0000000003AD0000-memory.dmp

Filesize
2.0MB

Download
memory/1636-26-0x00000000038D0000-0x00000000039D0000-memory.dmp

Filesize
1024KB

Download
memory/1636-27-0x00000000038D0000-0x0000000003AD0000-memory.dmp

Filesize
2.0MB

Download
memory/1636-28-0x00000000039D0000-0x0000000003AD0000-memory.dmp

Filesize
1024KB

Download
memory/1636-31-0x00000000038D0000-0x0000000003AD0000-memory.dmp

Filesize
2.0MB

Download
memory/1636-22-0x00000000038D0000-0x00000000039D0000-memory.dmp

Filesize
1024KB

Download
memory/1636-21-0x000007FEF7BD0000-0x000007FEF7E4A000-memory.dmp

Filesize
2.5MB

Download
memory/1636-20-0x000007FEF6811000-0x000007FEF6813000-memory.dmp

Filesize
8KB

Download
memory/1864-11-0x0000000001EF0000-0x0000000001F2F000-memory.dmp

Filesize
252KB

Download
memory/1864-10-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1864-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads