Overview

overview

8

Static

static

3

UDWoof 2.1...01.zip

windows7-x64

1

UDWoof 2.1...01.zip

windows10-2004-x64

1

UDWoof 2.1...s).bat

windows7-x64

8

UDWoof 2.1...s).bat

windows10-2004-x64

8

UDWoof 2.1...E).txt

windows7-x64

1

UDWoof 2.1...E).txt

windows10-2004-x64

1

UDWoof 2.1...er.exe

windows7-x64

UDWoof 2.1...er.exe

windows10-2004-x64

Analysis

  • max time kernel
    74s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    05/06/2023, 16:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    UDWoof 2.1.1/DeepClean (dels some files).bat

  • Size

    902KB

  • MD5

    602ac0bd731b2615933dde1442e96ff7

  • SHA1

    586be9b5bb086aa301eea7df5ee998390756b912

  • SHA256

    97c781dfaa813232a8d13f7dcdfd1490f355ab85823b2cd73b9dd259d3a1ad07

  • SHA512

    d5cee12b3c99cae442808c463636faa0f96cdae24d6caff13fd5e27a40f74ce58cd15f43430d5ebd15d968588d491dee17bb31b3f7c19ed7d55e2882a25d30eb

  • SSDEEP

    3072:kOW9mafKzoz3g8gzRnvplYSc5mzozEzoz6zozn:5ykyuykyn

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Deletes itself 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 40 IoCs
    evasion
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\UDWoof 2.1.1\DeepClean (dels some files).bat"
    1⤵
    • Deletes itself
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im epicgameslauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1944
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1868
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1176
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:452
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:636
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im UnrealCEFSubProcess.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1616
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im CEFProcess.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1732
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1792
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im BEService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1516
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im BEServices.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1800
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im BattleEye.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1372
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im smartscreen.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:112
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im smartscreen.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:932
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1524
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnf.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:628
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im DNF.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1664
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im CrossProxy.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tensafe_1.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1816
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TenSafe_1.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1924
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tensafe_2.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:828
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tencentdl.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1708
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TenioDL.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:900
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im uishell.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1832
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im BackgroundDownloader.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:292
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im conime.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:956
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im QQDL.EXE
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1092
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im qqlogin.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnfchina.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1276
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnfchinatest.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1652
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnf.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1956
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im txplatform.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:996
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TXPlatform.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1968
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginWebHelperService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1312
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im Origin.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1872
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginClientService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1236
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginER.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1116
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginThinSetupInternal.exe
      2⤵
      • Kills process with taskkill
      PID:1364
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginLegacyCLI.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1564
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im Agent.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1600
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im Client.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1796
    • C:\Windows\system32\sc.exe
      Sc stop EasyAntiCheat
      2⤵
      • Launches sc.exe
      PID:1392
    • C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {29840-28796-3455-1173} /f
      2⤵
      • Modifies registry key
      PID:1736
    • C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {29603-11640-7980-4073} /f
      2⤵
      • Modifies registry key
      PID:1356
    • C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 16855-24212-29687-10092 /f
      2⤵
      • Modifies registry key
      PID:1520
    • C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 20192-31998-1893-25441 /f
      2⤵
      • Modifies registry key
      PID:292
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
      2⤵
        PID:808
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
        2⤵
          PID:1388
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
          2⤵
            PID:556
          • C:\Windows\system32\reg.exe
            reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
            2⤵
              PID:1532
            • C:\Windows\system32\reg.exe
              reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
              2⤵
                PID:1108
              • C:\Windows\system32\reg.exe
                reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
                2⤵
                  PID:1556
              • C:\Windows\explorer.exe
                "C:\Windows\explorer.exe"
                1⤵
                  PID:1792
                • C:\Windows\system32\AUDIODG.EXE
                  C:\Windows\system32\AUDIODG.EXE 0x51c
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:996
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe"
                  1⤵
                  • Enumerates system info in registry
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:1128
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5a49758,0x7fef5a49768,0x7fef5a49778
                    2⤵
                      PID:1056
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1204 --field-trial-handle=1324,i,13347655819034139230,7708087085657837546,131072 /prefetch:2
                      2⤵
                        PID:1820
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1560 --field-trial-handle=1324,i,13347655819034139230,7708087085657837546,131072 /prefetch:8
                        2⤵
                          PID:1528
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1648 --field-trial-handle=1324,i,13347655819034139230,7708087085657837546,131072 /prefetch:8
                          2⤵
                            PID:1520
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2328 --field-trial-handle=1324,i,13347655819034139230,7708087085657837546,131072 /prefetch:1
                            2⤵
                              PID:1256
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1324,i,13347655819034139230,7708087085657837546,131072 /prefetch:1
                              2⤵
                                PID:1976
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3716 --field-trial-handle=1324,i,13347655819034139230,7708087085657837546,131072 /prefetch:2
                                2⤵
                                  PID:2184
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1196 --field-trial-handle=1324,i,13347655819034139230,7708087085657837546,131072 /prefetch:1
                                  2⤵
                                    PID:2316
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3932 --field-trial-handle=1324,i,13347655819034139230,7708087085657837546,131072 /prefetch:8
                                    2⤵
                                      PID:2340
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4048 --field-trial-handle=1324,i,13347655819034139230,7708087085657837546,131072 /prefetch:8
                                      2⤵
                                        PID:2348
                                    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                      1⤵
                                        PID:1784
                                      • C:\Windows\System32\rundll32.exe
                                        "C:\Windows\System32\rundll32.exe" shell32.dll,Options_RunDLL 1
                                        1⤵
                                          PID:2568

                                        Network

                                              MITRE ATT&CK Enterprise v6

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
                                                Filesize

                                                264KB

                                                MD5

                                                f50f89a0a91564d0b8a211f8921aa7de

                                                SHA1

                                                112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                SHA256

                                                b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                SHA512

                                                bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                Filesize

                                                4KB

                                                MD5

                                                deb1de7af10d0e462dd54825a6172586

                                                SHA1

                                                7c74a5901859af1d9b13f04cb823edffe2da396a

                                                SHA256

                                                acd74a17b36d4b23492954f1e460d74a894ccd36735529cafcf16151b683811e

                                                SHA512

                                                d5a6b29e3737a8399fa7df7c13511a57c857675cc1db3ad887add0897dfb72cf10e499fb7979da052cc736671a45e40c7005e90aec1f9862a4a401abf1674194

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                Filesize

                                                4KB

                                                MD5

                                                2ca1d8c896a0c2a4613ef783a32930c5

                                                SHA1

                                                7c7addf3b4ea11115f38b8a57f9bc18c37cb5e4c

                                                SHA256

                                                c14d0d9d9625b8af50c087d4fee221671891d50facfab46d9eec47e0345363bd

                                                SHA512

                                                d8a1d81bec81ac256d1e4c8bc45ba8ba2ebc273b87e6690d207e7f349336eebc6a344354dcaa78f7230b9c343bfa8a867e0e186feb3d32b33eecc16371ee01a7

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ef0c68f4-345f-4ada-9b6f-4e8839ed677a.tmp
                                                Filesize

                                                4KB

                                                MD5

                                                b06a2dfa6c6671037bfdaf90f8c2af33

                                                SHA1

                                                c6b23539b7f62a88b2f84f613c2851fa469202b1

                                                SHA256

                                                10f5648eab6a4b9954d68443bd5086e40659aa3efbe3075bb581edfe2cfc9392

                                                SHA512

                                                091e7e71d4e8019c171f565ccc20909cce33c6d9d7938d68d34d989f8da83365531aeb3e871e188ff0014ac0d612dc8cac81e553706aa7624eae633bad20f687

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000004.dbtmp
                                                Filesize

                                                16B

                                                MD5

                                                6752a1d65b201c13b62ea44016eb221f

                                                SHA1

                                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                SHA256

                                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                SHA512

                                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                Download Submit