d530c918de7ee3c8f3eb9cd350f900f923d95f03964fbed19576d48527f24200

General

Target

WindowUpdateBlocker/Wub.exe
Size

776KB
MD5

585c5000d1a851b295ff295389d7aa1a
SHA1

191f4e93781aba9bf81565cece0046ee599c0633
SHA256

15fccf8c018bbbed14664d5a5528cdf087b9032543be2169d78ab25d141d2b2c
SHA512

0ba2bbe8ca98e650d6f683f5700b44c11d30e3a5ef4b323a3a2aaa35f466401d808423cad4d497080c4bc9ec080e9a4f156ede3d651d3a718abe2307bc09a6b4
SSDEEP

12288:EaWzgMg7v3qnCiPErQohh0F4CCJ8lnyKQbv8HzqjqlG:baHMv6Cjrj+nyKQbv8TqjqG

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

Wub.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Wub.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "2"	Wub.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\WubLock = "1"	Wub.exe

Sets file execution options in registry 2 TTPs 41 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Wub.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WaaSMedic.exe	Wub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WaaSMedic.exe\Debugger = "/"	Wub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10Upgrade.exe	Wub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	Wub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpdateAssistant.exe\Debugger = "/"	Wub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\remsh.exe	Wub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\remsh.exe\Debugger = "/"	Wub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SihClient.exe\Debugger = "/"	Wub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upfc.exe	Wub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InstallAgent.exe	Wub.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\remsh.exe	Wub.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InstallAgent.exe	Wub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10Upgrade.exe\Debugger = "/"	Wub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InstallAgent.exe\Debugger = "/"	Wub.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EOSnotify.exe	Wub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SihClient.exe	Wub.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10Upgrade.exe	Wub.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10UpgraderApp.exe	Wub.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SihClient.exe	Wub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WaasMedicAgent.exe	Wub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WaasMedicAgent.exe\Debugger = "/"	Wub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upfc.exe\Debugger = "/"	Wub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MusNotification.exe	Wub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MusNotification.exe\Debugger = "/"	Wub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MusNotificationUx.exe	Wub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MusNotificationUx.exe\Debugger = "/"	Wub.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WaaSMedic.exe	Wub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpdateAssistant.exe	Wub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UsoClient.exe\Debugger = "/"	Wub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EOSnotify.exe\Debugger = "/"	Wub.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WaasMedicAgent.exe	Wub.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MusNotificationUx.exe	Wub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10UpgraderApp.exe	Wub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EOSnotify.exe	Wub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WubBlockLists = 57006100610053004d0065006400690063002e00650078006500000057006100610073004d0065006400690063004100670065006e0074002e006500780065000000570069006e0064006f00770073003100300055007000670072006100640065002e006500780065000000570069006e0064006f007700730031003000550070006700720061006400650072004100700070002e00650078006500000055007000640061007400650041007300730069007300740061006e0074002e006500780065000000550073006f0043006c00690065006e0074002e006500780065000000720065006d00730068002e00650078006500000045004f0053006e006f0074006900660079002e00650078006500000053006900680043006c00690065006e0074002e00650078006500000075007000660063002e00650078006500000049006e007300740061006c006c004100670065006e0074002e0065007800650000004d00750073004e006f00740069006600690063006100740069006f006e002e0065007800650000004d00750073004e006f00740069006600690063006100740069006f006e00550078002e00650078006500000000000000	Wub.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpdateAssistant.exe	Wub.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upfc.exe	Wub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10UpgraderApp.exe\Debugger = "/"	Wub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UsoClient.exe	Wub.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UsoClient.exe	Wub.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MusNotification.exe	Wub.exe

Drops file in System32 directory 2 IoCs

Processes:

Wub.exe

description	ioc	process
File created	C:\Windows\SysWOW64\GroupPolicy\Machine\Registry.pol	Wub.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\Machine\Registry.pol	Wub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Wub.exe

pid process

1552 Wub.exe

pid	process
1552	Wub.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Wub.exe

description	pid	process
Token: SeRestorePrivilege	1552	Wub.exe
Token: SeTakeOwnershipPrivilege	1552	Wub.exe
Token: SeDebugPrivilege	1552	Wub.exe
Token: SeSecurityPrivilege	1552	Wub.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

Wub.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWindowsUpdate = "1"	Wub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Wub.exe

C:\Users\Admin\AppData\Local\Temp\WindowUpdateBlocker\Wub.exe
"C:\Users\Admin\AppData\Local\Temp\WindowUpdateBlocker\Wub.exe"
1⤵
- Modifies security service
- Sets file execution options in registry
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1552