b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361

General

Target

b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe
Size

128KB
MD5

5ff1dfa3e99499031ce8b416633c8cc0
SHA1

c5788fa88c87094e2eb2dbc58308a35da89967e5
SHA256

b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361
SHA512

4bf288184df11390f5b06ec922c3ecf2b23f17fd8854a720c87d1cb15eebb6edfbcc729b3bdcc678b8dbb4e199cd75a6b9a0219b7a60a2b50493e3f0b9f515a2
SSDEEP

1536:idusiAhgIuFQFvHwd6PXOYb7gXWgWKsEHTINeG0h/E:Susiqg/FQByYb7gvsEzM

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exewuixea.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wuixea.exe

Executes dropped EXE 1 IoCs

Processes:

wuixea.exe

pid process

1972 wuixea.exe

pid	process
1972	wuixea.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wuixea.exeb19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /X"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /P"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /T"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /Q"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /p"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /w"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /r"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /e"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /u"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /j"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /F"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /Y"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /M"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /n"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /G"	wuixea.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /V"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /W"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /O"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /k"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /D"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /z"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /I"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /L"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /x"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /B"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /g"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /S"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /C"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /y"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /h"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /o"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /i"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /m"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /l"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /A"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /Z"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /N"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /R"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /I"	b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /a"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /U"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /s"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /K"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /J"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /H"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /c"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /E"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /q"	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /b"	wuixea.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	wuixea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuixea = "C:\\Users\\Admin\\wuixea.exe /v"	wuixea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exewuixea.exe

pid	process
1656	b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe
1656	b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe
1972	wuixea.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exewuixea.exe

pid process

1656 b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe
1972 wuixea.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe

description	pid	process	target process
PID 1656 wrote to memory of 1972	1656	b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe	wuixea.exe
PID 1656 wrote to memory of 1972	1656	b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe	wuixea.exe
PID 1656 wrote to memory of 1972	1656	b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe	wuixea.exe

C:\Users\Admin\AppData\Local\Temp\b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe
"C:\Users\Admin\AppData\Local\Temp\b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\wuixea.exe
"C:\Users\Admin\wuixea.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\wuixea.exe

Filesize
128KB

MD5
84899af438ce566ef311adcb741736f6

SHA1
d8d62372a9c415976cd9931e1ea06b36cb0e3fa8

SHA256
ab53b699b1933ca2637a9174de96b89c814cc7f99983b24bc4328ae53fea0bde

SHA512
59fe644e859bf81bfe94b8a2f2cc509c1c0efb35a7ac3334a00421c07a145601f6209370c5140170dc4dbd3ae62a95a2ee952b8c733816ce7599d13bbae6db3f

Download Submit
C:\Users\Admin\wuixea.exe

Filesize
128KB

MD5
84899af438ce566ef311adcb741736f6

SHA1
d8d62372a9c415976cd9931e1ea06b36cb0e3fa8

SHA256
ab53b699b1933ca2637a9174de96b89c814cc7f99983b24bc4328ae53fea0bde

SHA512
59fe644e859bf81bfe94b8a2f2cc509c1c0efb35a7ac3334a00421c07a145601f6209370c5140170dc4dbd3ae62a95a2ee952b8c733816ce7599d13bbae6db3f

Download Submit
memory/1656-132-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1656-135-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1972-136-0x0000000000000000-mapping.dmp

Download
memory/1972-141-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1972-142-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads