c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca

General

Target

c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe
Size

140KB
MD5

3457874a25fd377a91fe67b7dd546664
SHA1

86f2c7999384408b1ccdc2996716a639e0e18620
SHA256

c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca
SHA512

4c0fa3e4359ac38f0c58fc3b914df46f15ed29448ceb89171393a5772eec1f1e603135843b3a0a5cbc660da0bafdf76e3c422486e47710632be66522cd5f75c9
SSDEEP

3072:Qa8+c3vu3XuIcN6/xbccM3hDL8fyUha5fJiwt:Qai/uuIcNmL08dhaRJiW

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exewuuofek.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wuuofek.exe

Executes dropped EXE 1 IoCs

Processes:

wuuofek.exe

pid process

1316 wuuofek.exe

pid	process
1316	wuuofek.exe

Loads dropped DLL 2 IoCs

Processes:

c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe

pid	process
1676	c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe
1676	c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe

Adds Run key to start application 2 TTPs 49 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wuuofek.exec49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /D"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /a"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /t"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /B"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /G"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /E"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /f"	wuuofek.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /K"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /H"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /b"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /W"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /k"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /p"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /m"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /L"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /x"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /z"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /d"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /w"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /v"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /Y"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /J"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /r"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /Q"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /F"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /Z"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /P"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /C"	wuuofek.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /l"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /O"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /M"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /I"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /i"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /U"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /u"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /c"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /e"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /N"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /y"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /g"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /G"	c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /R"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /A"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /j"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /S"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /T"	wuuofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuofek = "C:\\Users\\Admin\\wuuofek.exe /X"	wuuofek.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exewuuofek.exe

pid	process
1676	c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe
1316	wuuofek.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exewuuofek.exe

pid process

1676 c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe
1316 wuuofek.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe

description	pid	process	target process
PID 1676 wrote to memory of 1316	1676	c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe	wuuofek.exe
PID 1676 wrote to memory of 1316	1676	c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe	wuuofek.exe
PID 1676 wrote to memory of 1316	1676	c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe	wuuofek.exe
PID 1676 wrote to memory of 1316	1676	c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe	wuuofek.exe

C:\Users\Admin\AppData\Local\Temp\c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe
"C:\Users\Admin\AppData\Local\Temp\c49a8a525df6a94c46f3b164edf93df432d786f82acc7801bbb5cbf51f0f3fca.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\wuuofek.exe
"C:\Users\Admin\wuuofek.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\wuuofek.exe

Filesize
140KB

MD5
2c8b6c14a3c9c827d23759482a1065b8

SHA1
de3076456cd4012d5f9e8967765aee3e370d6634

SHA256
92b92b8aadd8eb19ab18de7e5622506fb59a86b55a991d992c359f2e8f8f0a68

SHA512
a32c2bf72103409352e59b51ee561694a9e099eacf4e156d31b19523f2d211a1ed64ef89c801d48412b787c8b98a1467a429372bc50f6f53ee9df9ac0611a058

Download Submit
C:\Users\Admin\wuuofek.exe

Filesize
140KB

MD5
2c8b6c14a3c9c827d23759482a1065b8

SHA1
de3076456cd4012d5f9e8967765aee3e370d6634

SHA256
92b92b8aadd8eb19ab18de7e5622506fb59a86b55a991d992c359f2e8f8f0a68

SHA512
a32c2bf72103409352e59b51ee561694a9e099eacf4e156d31b19523f2d211a1ed64ef89c801d48412b787c8b98a1467a429372bc50f6f53ee9df9ac0611a058

Download Submit
\Users\Admin\wuuofek.exe

Filesize
140KB

MD5
2c8b6c14a3c9c827d23759482a1065b8

SHA1
de3076456cd4012d5f9e8967765aee3e370d6634

SHA256
92b92b8aadd8eb19ab18de7e5622506fb59a86b55a991d992c359f2e8f8f0a68

SHA512
a32c2bf72103409352e59b51ee561694a9e099eacf4e156d31b19523f2d211a1ed64ef89c801d48412b787c8b98a1467a429372bc50f6f53ee9df9ac0611a058

Download Submit
\Users\Admin\wuuofek.exe

Filesize
140KB

MD5
2c8b6c14a3c9c827d23759482a1065b8

SHA1
de3076456cd4012d5f9e8967765aee3e370d6634

SHA256
92b92b8aadd8eb19ab18de7e5622506fb59a86b55a991d992c359f2e8f8f0a68

SHA512
a32c2bf72103409352e59b51ee561694a9e099eacf4e156d31b19523f2d211a1ed64ef89c801d48412b787c8b98a1467a429372bc50f6f53ee9df9ac0611a058

Download Submit
memory/1316-59-0x0000000000000000-mapping.dmp

Download
memory/1676-56-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads