e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4

Analysis

max time kernel
152s
max time network
187s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe
Size

321KB
MD5

0e8ff9932f8f00edf322ea26d8d94f52
SHA1

51b7770e12872aa9f3441637ff6dbb3b32bd0166
SHA256

e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4
SHA512

541807b9f45bc67f1eac79bf04375c04b0ee4fbf5b619914bc563ce21c6590ae9c7a96a3602a6d6171e3c3c9bc2521ff37aa539042e79ee35d1a776f8bc3d854
SSDEEP

6144:U/38eZNr4x2EwrIFAwKpbLNjZTXDs+DY+6QrTakwTg9RPtT:U/hZNkwIFAwuBjZ7maaZg9R

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2044	wuor.exe

Deletes itself 1 IoCs

pid	Process
1696	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
848	e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	wuor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Ukzy\\wuor.exe"	wuor.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 848 set thread context of 1696	848	e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe	28

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe
2044	wuor.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
848	e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe
2044	wuor.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2044	848	e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe	27
PID 848 wrote to memory of 2044	848	e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe	27
PID 848 wrote to memory of 2044	848	e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe	27
PID 848 wrote to memory of 2044	848	e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe	27
PID 2044 wrote to memory of 1260	2044	wuor.exe	9
PID 2044 wrote to memory of 1260	2044	wuor.exe	9
PID 2044 wrote to memory of 1260	2044	wuor.exe	9
PID 2044 wrote to memory of 1260	2044	wuor.exe	9
PID 2044 wrote to memory of 1260	2044	wuor.exe	9
PID 2044 wrote to memory of 1336	2044	wuor.exe	1
PID 2044 wrote to memory of 1336	2044	wuor.exe	1
PID 2044 wrote to memory of 1336	2044	wuor.exe	1
PID 2044 wrote to memory of 1336	2044	wuor.exe	1
PID 2044 wrote to memory of 1336	2044	wuor.exe	1
PID 2044 wrote to memory of 1412	2044	wuor.exe	8
PID 2044 wrote to memory of 1412	2044	wuor.exe	8
PID 2044 wrote to memory of 1412	2044	wuor.exe	8
PID 2044 wrote to memory of 1412	2044	wuor.exe	8
PID 2044 wrote to memory of 1412	2044	wuor.exe	8
PID 2044 wrote to memory of 848	2044	wuor.exe	5
PID 2044 wrote to memory of 848	2044	wuor.exe	5
PID 2044 wrote to memory of 848	2044	wuor.exe	5
PID 2044 wrote to memory of 848	2044	wuor.exe	5
PID 2044 wrote to memory of 848	2044	wuor.exe	5
PID 848 wrote to memory of 1696	848	e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe	28
PID 848 wrote to memory of 1696	848	e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe	28
PID 848 wrote to memory of 1696	848	e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe	28
PID 848 wrote to memory of 1696	848	e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe	28
PID 848 wrote to memory of 1696	848	e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe	28
PID 848 wrote to memory of 1696	848	e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe	28
PID 848 wrote to memory of 1696	848	e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe	28
PID 848 wrote to memory of 1696	848	e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe	28
PID 848 wrote to memory of 1696	848	e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe	28
PID 2044 wrote to memory of 1676	2044	wuor.exe	30
PID 2044 wrote to memory of 1676	2044	wuor.exe	30
PID 2044 wrote to memory of 1676	2044	wuor.exe	30
PID 2044 wrote to memory of 1676	2044	wuor.exe	30
PID 2044 wrote to memory of 1676	2044	wuor.exe	30
PID 2044 wrote to memory of 976	2044	wuor.exe	31
PID 2044 wrote to memory of 976	2044	wuor.exe	31
PID 2044 wrote to memory of 976	2044	wuor.exe	31
PID 2044 wrote to memory of 976	2044	wuor.exe	31
PID 2044 wrote to memory of 976	2044	wuor.exe	31

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe
"C:\Users\Admin\AppData\Local\Temp\e94cd09d1977559579b795b7a37119ef95f10d75354868747c314676c23e61f4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Roaming\Ukzy\wuor.exe
  "C:\Users\Admin\AppData\Roaming\Ukzy\wuor.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp343d1a72.bat"
  2⤵
  - Deletes itself
  PID:1696

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1260

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1676

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp343d1a72.bat

Filesize
307B

MD5
e3ea78ab236473727c9d186c26936a62

SHA1
22880f4c80750104aec24897e9c639fe97a8caf6

SHA256
befb7264006a672f7bd928c51d138f9fa108a6831a99993beb9d1c0299ad313f

SHA512
fa7d172cec8d1ca61c8fdbbcc2c055612e0e28ee4aef89528766d24efa2d42cee0451942d83c032f28933531e6a6af7ea64ee03e6319919c25f96b5fa9780bf6

Download Submit
C:\Users\Admin\AppData\Roaming\Ukzy\wuor.exe

Filesize
321KB

MD5
9527f72a32c3a26523767f372b3ae4fb

SHA1
81d43f6e95828180085f09326214adc9fd6365b7

SHA256
8646a5bc62ecdcfdd47e8cc68997ea007b62e93a3a24b2cee3fa7ef5d5ff25ea

SHA512
38db6989ce41b43ec16b1c4b1a6df9e3d0e1e2b65e66380e7fa4038039080bc09a088e068fee5b95399eae3484014793b2cb7b68ae876922f7e80a071115bdda

Download Submit
C:\Users\Admin\AppData\Roaming\Ukzy\wuor.exe

Filesize
321KB

MD5
9527f72a32c3a26523767f372b3ae4fb

SHA1
81d43f6e95828180085f09326214adc9fd6365b7

SHA256
8646a5bc62ecdcfdd47e8cc68997ea007b62e93a3a24b2cee3fa7ef5d5ff25ea

SHA512
38db6989ce41b43ec16b1c4b1a6df9e3d0e1e2b65e66380e7fa4038039080bc09a088e068fee5b95399eae3484014793b2cb7b68ae876922f7e80a071115bdda

Download Submit
\Users\Admin\AppData\Roaming\Ukzy\wuor.exe

Filesize
321KB

MD5
9527f72a32c3a26523767f372b3ae4fb

SHA1
81d43f6e95828180085f09326214adc9fd6365b7

SHA256
8646a5bc62ecdcfdd47e8cc68997ea007b62e93a3a24b2cee3fa7ef5d5ff25ea

SHA512
38db6989ce41b43ec16b1c4b1a6df9e3d0e1e2b65e66380e7fa4038039080bc09a088e068fee5b95399eae3484014793b2cb7b68ae876922f7e80a071115bdda

Download Submit
memory/848-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/848-82-0x0000000001D30000-0x0000000001D77000-memory.dmp

Filesize
284KB

Download
memory/848-55-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/848-102-0x0000000001D30000-0x0000000001D77000-memory.dmp

Filesize
284KB

Download
memory/848-101-0x00000000002F0000-0x0000000000340000-memory.dmp

Filesize
320KB

Download
memory/848-85-0x0000000001D30000-0x0000000001D77000-memory.dmp

Filesize
284KB

Download
memory/848-100-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/848-84-0x0000000001D30000-0x0000000001D77000-memory.dmp

Filesize
284KB

Download
memory/848-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/848-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/848-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/848-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/848-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/848-87-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/848-86-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/848-83-0x0000000001D30000-0x0000000001D77000-memory.dmp

Filesize
284KB

Download
memory/976-126-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/976-127-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/976-128-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/976-125-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1260-64-0x0000000001DF0000-0x0000000001E37000-memory.dmp

Filesize
284KB

Download
memory/1260-65-0x0000000001DF0000-0x0000000001E37000-memory.dmp

Filesize
284KB

Download
memory/1260-62-0x0000000001DF0000-0x0000000001E37000-memory.dmp

Filesize
284KB

Download
memory/1260-66-0x0000000001DF0000-0x0000000001E37000-memory.dmp

Filesize
284KB

Download
memory/1260-67-0x0000000001DF0000-0x0000000001E37000-memory.dmp

Filesize
284KB

Download
memory/1336-71-0x00000000019C0000-0x0000000001A07000-memory.dmp

Filesize
284KB

Download
memory/1336-70-0x00000000019C0000-0x0000000001A07000-memory.dmp

Filesize
284KB

Download
memory/1336-72-0x00000000019C0000-0x0000000001A07000-memory.dmp

Filesize
284KB

Download
memory/1336-73-0x00000000019C0000-0x0000000001A07000-memory.dmp

Filesize
284KB

Download
memory/1412-77-0x0000000002660000-0x00000000026A7000-memory.dmp

Filesize
284KB

Download
memory/1412-78-0x0000000002660000-0x00000000026A7000-memory.dmp

Filesize
284KB

Download
memory/1412-79-0x0000000002660000-0x00000000026A7000-memory.dmp

Filesize
284KB

Download
memory/1412-76-0x0000000002660000-0x00000000026A7000-memory.dmp

Filesize
284KB

Download
memory/1676-122-0x0000000003A80000-0x0000000003AC7000-memory.dmp

Filesize
284KB

Download
memory/1676-121-0x0000000003A80000-0x0000000003AC7000-memory.dmp

Filesize
284KB

Download
memory/1676-120-0x0000000003A80000-0x0000000003AC7000-memory.dmp

Filesize
284KB

Download
memory/1676-119-0x0000000003A80000-0x0000000003AC7000-memory.dmp

Filesize
284KB

Download
memory/1696-94-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1696-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1696-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1696-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1696-112-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1696-97-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1696-96-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1696-98-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1696-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1696-104-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1696-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1696-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2044-116-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2044-115-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2044-114-0x0000000000230000-0x0000000000280000-memory.dmp

Filesize
320KB

Download
memory/2044-113-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2044-129-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download