943665f250a49a53dbc426361798c8010f7e429dbb02aa8e56bc304488527dbb

Analysis

max time kernel
187s
max time network
62s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

943665f250a49a53dbc426361798c8010f7e429dbb02aa8e56bc304488527dbb.exe
Size

124KB
MD5

453c7c22f70ca1a8f39a308b1bc8a250
SHA1

4f0f13f43bb9c5924ebde4f96dcf581cf2d0def9
SHA256

943665f250a49a53dbc426361798c8010f7e429dbb02aa8e56bc304488527dbb
SHA512

afae49c34583d21d8e084b168ab8a0259d377bc03851ba3dd20532f97ddebc93f897b4ff60384a09e009de2e7cbb2c7de7a19cc0ca3a76432b7cbf993c18686a
SSDEEP

1536:9nJ9pdA+ZU0GgAYu0P1kNmwldCMhdu8KWP/nTn8nBP9VeMNeG0h/E:j9p2AU0GgA89gM

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	943665f250a49a53dbc426361798c8010f7e429dbb02aa8e56bc304488527dbb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wuuiq.exe

Executes dropped EXE 1 IoCs

pid	Process
1056	wuuiq.exe

Loads dropped DLL 2 IoCs

pid	Process
1764	943665f250a49a53dbc426361798c8010f7e429dbb02aa8e56bc304488527dbb.exe
1764	943665f250a49a53dbc426361798c8010f7e429dbb02aa8e56bc304488527dbb.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /o"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /p"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /W"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /w"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /t"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /O"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /g"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /Q"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /C"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /T"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /b"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /a"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /F"	wuuiq.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /e"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /R"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /D"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /l"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /L"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /K"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /x"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /I"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /z"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /Z"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /c"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /X"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /N"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /A"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /B"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /S"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /r"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /v"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /P"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /k"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /E"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /Y"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /i"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /m"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /q"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /u"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /d"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /j"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /U"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /n"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /h"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /V"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /z"	943665f250a49a53dbc426361798c8010f7e429dbb02aa8e56bc304488527dbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /y"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /M"	wuuiq.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	943665f250a49a53dbc426361798c8010f7e429dbb02aa8e56bc304488527dbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /G"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /J"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /f"	wuuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuiq = "C:\\Users\\Admin\\wuuiq.exe /H"	wuuiq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1764	943665f250a49a53dbc426361798c8010f7e429dbb02aa8e56bc304488527dbb.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe
1056	wuuiq.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1764	943665f250a49a53dbc426361798c8010f7e429dbb02aa8e56bc304488527dbb.exe
1056	wuuiq.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1056	1764	943665f250a49a53dbc426361798c8010f7e429dbb02aa8e56bc304488527dbb.exe	27
PID 1764 wrote to memory of 1056	1764	943665f250a49a53dbc426361798c8010f7e429dbb02aa8e56bc304488527dbb.exe	27
PID 1764 wrote to memory of 1056	1764	943665f250a49a53dbc426361798c8010f7e429dbb02aa8e56bc304488527dbb.exe	27
PID 1764 wrote to memory of 1056	1764	943665f250a49a53dbc426361798c8010f7e429dbb02aa8e56bc304488527dbb.exe	27

C:\Users\Admin\AppData\Local\Temp\943665f250a49a53dbc426361798c8010f7e429dbb02aa8e56bc304488527dbb.exe
"C:\Users\Admin\AppData\Local\Temp\943665f250a49a53dbc426361798c8010f7e429dbb02aa8e56bc304488527dbb.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\wuuiq.exe
  "C:\Users\Admin\wuuiq.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\wuuiq.exe

Filesize
124KB

MD5
e89a4e9d22a96fee03034d82cc67928c

SHA1
2e35bd007e9fc9b1401692b5f03d5f08740d37f6

SHA256
c21f9f529801dfd6389379495d4f3f797620cb7bc1959e3c7398884124fcf54e

SHA512
890a48cc64eb6b955ba7d369fb0bdba5a3dc01863854ed36b34c108bea51dab971c99e53fbe47678a5e630a1c62cbd7c0d447573f21ed9b82a7e9a55b406c9f4

Download Submit
C:\Users\Admin\wuuiq.exe

Filesize
124KB

MD5
e89a4e9d22a96fee03034d82cc67928c

SHA1
2e35bd007e9fc9b1401692b5f03d5f08740d37f6

SHA256
c21f9f529801dfd6389379495d4f3f797620cb7bc1959e3c7398884124fcf54e

SHA512
890a48cc64eb6b955ba7d369fb0bdba5a3dc01863854ed36b34c108bea51dab971c99e53fbe47678a5e630a1c62cbd7c0d447573f21ed9b82a7e9a55b406c9f4

Download Submit
\Users\Admin\wuuiq.exe

Filesize
124KB

MD5
e89a4e9d22a96fee03034d82cc67928c

SHA1
2e35bd007e9fc9b1401692b5f03d5f08740d37f6

SHA256
c21f9f529801dfd6389379495d4f3f797620cb7bc1959e3c7398884124fcf54e

SHA512
890a48cc64eb6b955ba7d369fb0bdba5a3dc01863854ed36b34c108bea51dab971c99e53fbe47678a5e630a1c62cbd7c0d447573f21ed9b82a7e9a55b406c9f4

Download Submit
\Users\Admin\wuuiq.exe

Filesize
124KB

MD5
e89a4e9d22a96fee03034d82cc67928c

SHA1
2e35bd007e9fc9b1401692b5f03d5f08740d37f6

SHA256
c21f9f529801dfd6389379495d4f3f797620cb7bc1959e3c7398884124fcf54e

SHA512
890a48cc64eb6b955ba7d369fb0bdba5a3dc01863854ed36b34c108bea51dab971c99e53fbe47678a5e630a1c62cbd7c0d447573f21ed9b82a7e9a55b406c9f4

Download Submit
memory/1764-56-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download