dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7

General

Target

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Size

1.1MB
MD5

63262d885b2d4bfd0418721df73dbb30
SHA1

55025d3677a63e50000e3ffbb98bfabf8c73b4ba
SHA256

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7
SHA512

2d43c3bb56102ebd07563d14b6c41f9101585e7519b190fe5ef50e9c7571fc56f7e3e43d77958ad944eb976976976406f71df6abf4165a039117c4db0e0c9293
SSDEEP

24576:ujmzp9dKb9R3n9Owg+3P5WV3CVZ9glt6Uqk5Dyw+m4eFAUWss0l:ujmVTSy+3PcV3K9qt6NkWJeFA3sh

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

wwtask.exewwtask.exe

pid process

1444 wwtask.exe
1344 wwtask.exe

pid	process
1444	wwtask.exe
1344	wwtask.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NetworkAgent\ImagePath = "C:\\Windows\\SysWOW64\\wwtask.exe -service"	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

wwtask.exe

description ioc process

File opened for modification \??\PhysicalDrive0 wwtask.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	wwtask.exe

Drops file in System32 directory 6 IoCs

Processes:

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exewwtask.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wwtask.exe	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
File opened for modification	C:\Windows\SysWOW64\wwtask.exe	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
File opened for modification	C:\Windows\SysWOW64\wwtask.exe	wwtask.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	wwtask.exe
File created	C:\Windows\SysWOW64\actt0.dep	wwtask.exe
File opened for modification	C:\Windows\SysWOW64\actt0.dep	wwtask.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exewwtask.exewwtask.exe

pid process

1628 dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
1444 wwtask.exe
1344 wwtask.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wwtask.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wwtask.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wwtask.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wwtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	wwtask.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exewwtask.exewwtask.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wwtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wwtask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wwtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wwtask.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

wwtask.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	wwtask.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wwtask.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wwtask.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	wwtask.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	wwtask.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wwtask.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exewwtask.exewwtask.exe

pid	process
1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
1444	wwtask.exe
1444	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

wwtask.exe

pid process

1344 wwtask.exe

pid	process
1344	wwtask.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exewwtask.exewwtask.exe

description	pid	process
Token: SeTcbPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeDebugPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeCreateTokenPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeAssignPrimaryTokenPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeLockMemoryPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeIncreaseQuotaPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeMachineAccountPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeSecurityPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeTakeOwnershipPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeLoadDriverPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeSystemProfilePrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeSystemtimePrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeProfSingleProcessPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeIncBasePriorityPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeCreatePagefilePrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeCreatePermanentPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeBackupPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeRestorePrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeShutdownPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeAuditPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeSystemEnvironmentPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeChangeNotifyPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeRemoteShutdownPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeUndockPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeSyncAgentPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeEnableDelegationPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: 33	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeIncBasePriorityPrivilege	1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeTcbPrivilege	1444	wwtask.exe
Token: SeDebugPrivilege	1444	wwtask.exe
Token: SeCreateTokenPrivilege	1444	wwtask.exe
Token: SeAssignPrimaryTokenPrivilege	1444	wwtask.exe
Token: SeLockMemoryPrivilege	1444	wwtask.exe
Token: SeIncreaseQuotaPrivilege	1444	wwtask.exe
Token: SeMachineAccountPrivilege	1444	wwtask.exe
Token: SeSecurityPrivilege	1444	wwtask.exe
Token: SeTakeOwnershipPrivilege	1444	wwtask.exe
Token: SeLoadDriverPrivilege	1444	wwtask.exe
Token: SeSystemProfilePrivilege	1444	wwtask.exe
Token: SeSystemtimePrivilege	1444	wwtask.exe
Token: SeProfSingleProcessPrivilege	1444	wwtask.exe
Token: SeIncBasePriorityPrivilege	1444	wwtask.exe
Token: SeCreatePagefilePrivilege	1444	wwtask.exe
Token: SeCreatePermanentPrivilege	1444	wwtask.exe
Token: SeBackupPrivilege	1444	wwtask.exe
Token: SeRestorePrivilege	1444	wwtask.exe
Token: SeShutdownPrivilege	1444	wwtask.exe
Token: SeAuditPrivilege	1444	wwtask.exe
Token: SeSystemEnvironmentPrivilege	1444	wwtask.exe
Token: SeChangeNotifyPrivilege	1444	wwtask.exe
Token: SeRemoteShutdownPrivilege	1444	wwtask.exe
Token: SeUndockPrivilege	1444	wwtask.exe
Token: SeSyncAgentPrivilege	1444	wwtask.exe
Token: SeEnableDelegationPrivilege	1444	wwtask.exe
Token: 33	1444	wwtask.exe
Token: SeIncBasePriorityPrivilege	1444	wwtask.exe
Token: SeDebugPrivilege	1444	wwtask.exe
Token: SeTcbPrivilege	1344	wwtask.exe
Token: SeDebugPrivilege	1344	wwtask.exe
Token: SeCreateTokenPrivilege	1344	wwtask.exe
Token: SeAssignPrimaryTokenPrivilege	1344	wwtask.exe
Token: SeLockMemoryPrivilege	1344	wwtask.exe
Token: SeIncreaseQuotaPrivilege	1344	wwtask.exe
Token: SeMachineAccountPrivilege	1344	wwtask.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exewwtask.exewwtask.exe

pid	process
1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
1444	wwtask.exe
1444	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exewwtask.exe

pid	process
1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
1628	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
1344	wwtask.exe
1344	wwtask.exe
1344	wwtask.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wwtask.exe

description	pid	process	target process
PID 1444 wrote to memory of 1344	1444	wwtask.exe	wwtask.exe
PID 1444 wrote to memory of 1344	1444	wwtask.exe	wwtask.exe
PID 1444 wrote to memory of 1344	1444	wwtask.exe	wwtask.exe
PID 1444 wrote to memory of 1344	1444	wwtask.exe	wwtask.exe

C:\Users\Admin\AppData\Local\Temp\dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
"C:\Users\Admin\AppData\Local\Temp\dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1628

C:\Windows\SysWOW64\wwtask.exe
C:\Windows\SysWOW64\wwtask.exe -service
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\wwtask.exe
C:\Windows\SysWOW64\wwtask.exe nn
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wwtask.exe
Filesize
1.1MB

MD5
63262d885b2d4bfd0418721df73dbb30

SHA1
55025d3677a63e50000e3ffbb98bfabf8c73b4ba

SHA256
dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7

SHA512
2d43c3bb56102ebd07563d14b6c41f9101585e7519b190fe5ef50e9c7571fc56f7e3e43d77958ad944eb976976976406f71df6abf4165a039117c4db0e0c9293

Download Submit
C:\Windows\SysWOW64\wwtask.exe
Filesize
1.1MB

MD5
63262d885b2d4bfd0418721df73dbb30

SHA1
55025d3677a63e50000e3ffbb98bfabf8c73b4ba

SHA256
dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7

SHA512
2d43c3bb56102ebd07563d14b6c41f9101585e7519b190fe5ef50e9c7571fc56f7e3e43d77958ad944eb976976976406f71df6abf4165a039117c4db0e0c9293

Download Submit
C:\Windows\SysWOW64\wwtask.exe
Filesize
1.1MB

MD5
63262d885b2d4bfd0418721df73dbb30

SHA1
55025d3677a63e50000e3ffbb98bfabf8c73b4ba

SHA256
dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7

SHA512
2d43c3bb56102ebd07563d14b6c41f9101585e7519b190fe5ef50e9c7571fc56f7e3e43d77958ad944eb976976976406f71df6abf4165a039117c4db0e0c9293

Download Submit
memory/1344-70-0x00000000003D0000-0x00000000003D3000-memory.dmp

Filesize
12KB

Download
memory/1344-69-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/1344-67-0x00000000003D0000-0x00000000003D3000-memory.dmp

Filesize
12KB

Download
memory/1344-66-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/1344-61-0x0000000000000000-mapping.dmp

Download
memory/1444-65-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/1444-59-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/1444-60-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1628-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1628-62-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/1628-56-0x00000000003B0000-0x00000000003B3000-memory.dmp

Filesize
12KB

Download
memory/1628-55-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads