cb579db4ee631b9b731e9862c2d68059c26302fc08725ec1e498f7f93f89dafc

General

Target

cb579db4ee631b9b731e9862c.exe
Size

1.3MB
MD5

f74f771085775e4faeea3298f29aaf53
SHA1

e1259f331219d6cdbed4de7167950cd1937f97c2
SHA256

cb579db4ee631b9b731e9862c2d68059c26302fc08725ec1e498f7f93f89dafc
SHA512

b86d15d010efbcfa23f8452c49de1111bba9741fde6a1bbb682a24c6b7395e7e4979c964cd311d8e4e7d35aeef7862b5c7a88a02a7132528ed82ce7cdc145983
SSDEEP

24576:qJlh9bDwqBVJxUc3jLDbK5859AJlh9bDwqBVJxUc3jLDbK580:qJhBVJxUSvW585aJhBVJxUSvW580

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Wub.exe

Executes dropped EXE 1 IoCs

pid	Process
2372	Wub.exe

Loads dropped DLL 4 IoCs

pid	Process
2352	cb579db4ee631b9b731e9862c.exe
2352	cb579db4ee631b9b731e9862c.exe
2352	cb579db4ee631b9b731e9862c.exe
2352	cb579db4ee631b9b731e9862c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2372	Wub.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2372	2352	cb579db4ee631b9b731e9862c.exe	29
PID 2352 wrote to memory of 2372	2352	cb579db4ee631b9b731e9862c.exe	29
PID 2352 wrote to memory of 2372	2352	cb579db4ee631b9b731e9862c.exe	29
PID 2352 wrote to memory of 2372	2352	cb579db4ee631b9b731e9862c.exe	29
PID 2352 wrote to memory of 2372	2352	cb579db4ee631b9b731e9862c.exe	29
PID 2352 wrote to memory of 2372	2352	cb579db4ee631b9b731e9862c.exe	29
PID 2352 wrote to memory of 2372	2352	cb579db4ee631b9b731e9862c.exe	29

C:\Users\Admin\AppData\Local\Temp\cb579db4ee631b9b731e9862c.exe
"C:\Users\Admin\AppData\Local\Temp\cb579db4ee631b9b731e9862c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Wub.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Wub.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Wub.exe

Filesize
724KB

MD5
e2a9b4527cbb6755a23b9988b58f0f9c

SHA1
10664199a6af04dffa8c26c5c13c12910e66aa47

SHA256
9834978cf80815691e698ce6e7fb6c9bf6f74dca2a0a10f41dcbdb1776cbee68

SHA512
86f5074ae5037ad4089bcb8dbf262ffd61e817e99e7a040f6be79bf434baea3a58206e837c249039b8b57f9620a4c2e72d89a13a986ebbd39f6329b48b81a37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Wub.exe

Filesize
724KB

MD5
e2a9b4527cbb6755a23b9988b58f0f9c

SHA1
10664199a6af04dffa8c26c5c13c12910e66aa47

SHA256
9834978cf80815691e698ce6e7fb6c9bf6f74dca2a0a10f41dcbdb1776cbee68

SHA512
86f5074ae5037ad4089bcb8dbf262ffd61e817e99e7a040f6be79bf434baea3a58206e837c249039b8b57f9620a4c2e72d89a13a986ebbd39f6329b48b81a37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Wub.exe

Filesize
724KB

MD5
e2a9b4527cbb6755a23b9988b58f0f9c

SHA1
10664199a6af04dffa8c26c5c13c12910e66aa47

SHA256
9834978cf80815691e698ce6e7fb6c9bf6f74dca2a0a10f41dcbdb1776cbee68

SHA512
86f5074ae5037ad4089bcb8dbf262ffd61e817e99e7a040f6be79bf434baea3a58206e837c249039b8b57f9620a4c2e72d89a13a986ebbd39f6329b48b81a37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Wub.ini

Filesize
1014B

MD5
3c45955017e01bc6b5f5c281303b91e7

SHA1
6507098147c3f05ae971f363d324e0309b726247

SHA256
99254edb592c91ee2f4af1dac11e2333d062b3f826e68d93cf4b9a04a09e2d96

SHA512
efad6b47de3231e0f2458fe66f7591c8984f4fa7f4b8b70412e0761408686fe078fa69dde0c1f736d27c9dbfd77ec074e3444be244e2b6072fb9794cd64a1532

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Wub.exe

Filesize
724KB

MD5
e2a9b4527cbb6755a23b9988b58f0f9c

SHA1
10664199a6af04dffa8c26c5c13c12910e66aa47

SHA256
9834978cf80815691e698ce6e7fb6c9bf6f74dca2a0a10f41dcbdb1776cbee68

SHA512
86f5074ae5037ad4089bcb8dbf262ffd61e817e99e7a040f6be79bf434baea3a58206e837c249039b8b57f9620a4c2e72d89a13a986ebbd39f6329b48b81a37a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Wub.exe

Filesize
724KB

MD5
e2a9b4527cbb6755a23b9988b58f0f9c

SHA1
10664199a6af04dffa8c26c5c13c12910e66aa47

SHA256
9834978cf80815691e698ce6e7fb6c9bf6f74dca2a0a10f41dcbdb1776cbee68

SHA512
86f5074ae5037ad4089bcb8dbf262ffd61e817e99e7a040f6be79bf434baea3a58206e837c249039b8b57f9620a4c2e72d89a13a986ebbd39f6329b48b81a37a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Wub.exe

Filesize
724KB

MD5
e2a9b4527cbb6755a23b9988b58f0f9c

SHA1
10664199a6af04dffa8c26c5c13c12910e66aa47

SHA256
9834978cf80815691e698ce6e7fb6c9bf6f74dca2a0a10f41dcbdb1776cbee68

SHA512
86f5074ae5037ad4089bcb8dbf262ffd61e817e99e7a040f6be79bf434baea3a58206e837c249039b8b57f9620a4c2e72d89a13a986ebbd39f6329b48b81a37a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Wub.exe

Filesize
724KB

MD5
e2a9b4527cbb6755a23b9988b58f0f9c

SHA1
10664199a6af04dffa8c26c5c13c12910e66aa47

SHA256
9834978cf80815691e698ce6e7fb6c9bf6f74dca2a0a10f41dcbdb1776cbee68

SHA512
86f5074ae5037ad4089bcb8dbf262ffd61e817e99e7a040f6be79bf434baea3a58206e837c249039b8b57f9620a4c2e72d89a13a986ebbd39f6329b48b81a37a

Download Submit

Analysis

Sharing