Analysis

  • max time kernel
    127s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
  • submitted
    14-04-2023 08:34

General

  • Target

    wuuhosdeployment.dll

  • Size

    353KB

  • MD5

    fdef5c119f6376b0429b41dcfc3e8030

  • SHA1

    9187c717bf0d23fd1ad12c46a6e2f5415d1b96e7

  • SHA256

    39ce065436c0f93e61de1c23fca2e4e2b0f4a686aa38fcd4bb1afd753a415ab9

  • SHA512

    6171c0a835e32a465cab6f71d12832e75e7d5cee38128e29dac064a8a3b10cfd0f7a0d9f1c0a033a93f761cf6247a762eb12a2efcec3b46cfd68ff4b4ad88078

  • SSDEEP

    6144:JtOfTQXkDWydEFMS/JJS7ytwXpVUrNoV5/cZ2hwpUwbVILSUe:JsfsXkDWyy1g7OwXQ0F8NiuV6s

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 4 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\wuuhosdeployment.dll,#1
    1⤵
    PID:920
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1920.0.816862075\651418182" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14038c05-eae4-456c-b74e-a7b310d3cd4d} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" 1292 10df5558 gpu
        3⤵
        PID:1556
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1920.1.1712590680\1932750741" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 20971 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a8c25d0-6f63-4d0c-831e-298e424bc15d} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" 1496 4139b58 socket
        3⤵
        PID:1788
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1920.2.1471493003\1859905902" -childID 1 -isForBrowser -prefsHandle 1840 -prefMapHandle 1980 -prefsLen 21054 -prefMapSize 232675 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f126dbf-fe57-41ba-8596-5f63c2c0b623} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" 1852 197c6558 tab
        3⤵
        PID:1296
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1920.3.603152564\493199538" -childID 2 -isForBrowser -prefsHandle 760 -prefMapHandle 1636 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {676096c7-bff4-45e7-8f33-b25b35525e2c} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" 604 d71658 tab
        3⤵
        PID:1544
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1920.4.460842804\1282982985" -childID 3 -isForBrowser -prefsHandle 2852 -prefMapHandle 2848 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd03bbf1-d1a0-4b49-b42f-67295bd39a9c} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" 2864 199f6a58 tab
        3⤵
        PID:1316
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1920.5.1747258535\908822912" -childID 4 -isForBrowser -prefsHandle 3632 -prefMapHandle 2880 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa1d169f-1d4d-4c0a-b5d7-91a9cf5384d0} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" 3696 d66b58 tab
        3⤵
        PID:2424
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1920.6.1246034804\1495122112" -childID 5 -isForBrowser -prefsHandle 3796 -prefMapHandle 3800 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6437a736-6492-467f-b85b-b7ee948ce808} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" 3696 1d84b158 tab
        3⤵
        PID:2432
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1920.7.1484750503\525586973" -childID 6 -isForBrowser -prefsHandle 3208 -prefMapHandle 3972 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9c5cef5-a486-4465-ba19-cab87bc5c8fe} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" 4068 1d84c058 tab
        3⤵
        PID:2644
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1920.8.1406931475\1417160723" -childID 7 -isForBrowser -prefsHandle 4228 -prefMapHandle 4236 -prefsLen 26721 -prefMapSize 232675 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64c6f9fb-9190-4768-83d7-229953aab468} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" 4204 1103da58 tab
        3⤵
        PID:2364

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\81ei91hh.default-release\activity-stream.discovery_stream.json.tmp
    Filesize
    143KB
    MD5
    2a6d21f5ce930f271d9492e4f2ec5c4c
    SHA1
    df732a4b941c3f2143c846719ff2f9ea7a5520f7
    SHA256
    caed489f9b30c954ede28977d67af1be89fdcea2bef80c32771e81f0a8223ee6
    SHA512
    d8f0b868725ea41618f92d20d788cbb9d70e653256d1b9787ef243f66b20139bdd81680bac65d8ca6877d8ef76728297504e38236676796499bef183ccef4189

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\prefs.js
    Filesize
    6KB
    MD5
    287079c0a70882ef8bb416820d8184ad
    SHA1
    67f9835b12c37eee8e6d0e00dbc303d8f7d9a772
    SHA256
    cdce500c9efcf5aaa92013a70429d0fb43331c7f28472a7186f8079e510b91b1
    SHA512
    05048711b5b6c658a6f7c522d33e0260b25f7ba970bd129adba232d68c82ca018fee195022a880972204f5d4566cbb89f2d4063741b0df1aafa8e8bf7d5795b8

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    1KB
    MD5
    ce3d1775b5aeca974056e5be467dfcf5
    SHA1
    30b2793b946e47c00539c24ccbe14537af2850dd
    SHA256
    6738dee38fc96ef8581800eda4dad3f67b44538415e3e82117d50d21470d6303
    SHA512
    a773418aa235dbdfbf2e7ea082b928bc3465de4bec9003cc093e20ec2145ccc19052fb8f206e2210c199383480e07dc801f32665fc478b44970592a5ae4b1e9b

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\sessionstore.jsonlz4
    Filesize
    993B
    MD5
    75b1725a836003b2f499e916068cee92
    SHA1
    7b96e12cdb5890a2a40de24588f7b81ff9eef58f
    SHA256
    f1cb0878500d5c2b9ba11abd13f3334fa2d52f75525b428bf5dff4b0bba35470
    SHA512
    54ac4fd51532d589fe4a01e7f57db0bcb109c65a0160c4f44e7f8a96005f5b4c799722f6a8ad2f851642edc70c9c70c5a7722264e3bd6b7a14b7d7180f055328

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize
    184KB
    MD5
    cf9020ee402ce6db9091d306843edeb9
    SHA1
    558a53acc3b3c4db3f1996e6554d9591a5e5c844
    SHA256
    7e3b904b5cf6c75124b44ef095a284348336b88d2764ef1dec2c2233290bb63b
    SHA512
    77114e5907bb54ac392dfe8165499c71109ea2f5f65bbdfc4f65d347d5f7a28c6902f8db6698e7790d804ff311d6b461a8628b2e57d9d1cb73958b63bdb9c8f6