7698b685acfb273d1590fabe8f3495f2056691a5871296a50b1c5ed1339aa577

General

Target

c1bc798ea23f3724ec785dcb80ef5157.dll
Size

49KB
MD5

c1bc798ea23f3724ec785dcb80ef5157
SHA1

39a62d515ef9243ebbe258c6c216117fac708b18
SHA256

7698b685acfb273d1590fabe8f3495f2056691a5871296a50b1c5ed1339aa577
SHA512

a87ba8d95525e813b0170cd00687cf617fca23d46aaadc7752556e2501320a8191165fa5dbc77c060264e8606cfccc755a1af93f3772d4835c35ac018c555e42
SSDEEP

768:4vc89QoqCl28iydf60EUsn3Q1lwf2hekL9/w4Xk+lZW+4V:Y/Qpc/Zf6wsEVCX+lQnV

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuhqif\Parameters\ServiceDll = "%SystemRoot%\\System32\\wuhqif.dll"	PCB~1.exe

Executes dropped EXE 2 IoCs

pid	Process
2572	PCB~1.exe
2884	PCB~1.exe

Loads dropped DLL 6 IoCs

pid	Process
2872	rundll32.exe
2872	rundll32.exe
2572	PCB~1.exe
2572	PCB~1.exe
2884	PCB~1.exe
2820	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PCB~1.exe	rundll32.exe
File created	C:\Windows\SysWOW64\wuhqif.dll	PCB~1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2688	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2572	PCB~1.exe
2572	PCB~1.exe
2884	PCB~1.exe
2884	PCB~1.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2872	2996	rundll32.exe	27
PID 2996 wrote to memory of 2872	2996	rundll32.exe	27
PID 2996 wrote to memory of 2872	2996	rundll32.exe	27
PID 2996 wrote to memory of 2872	2996	rundll32.exe	27
PID 2996 wrote to memory of 2872	2996	rundll32.exe	27
PID 2996 wrote to memory of 2872	2996	rundll32.exe	27
PID 2996 wrote to memory of 2872	2996	rundll32.exe	27
PID 2872 wrote to memory of 2572	2872	rundll32.exe	28
PID 2872 wrote to memory of 2572	2872	rundll32.exe	28
PID 2872 wrote to memory of 2572	2872	rundll32.exe	28
PID 2872 wrote to memory of 2572	2872	rundll32.exe	28
PID 2872 wrote to memory of 2500	2872	rundll32.exe	29
PID 2872 wrote to memory of 2500	2872	rundll32.exe	29
PID 2872 wrote to memory of 2500	2872	rundll32.exe	29
PID 2872 wrote to memory of 2500	2872	rundll32.exe	29
PID 2872 wrote to memory of 2736	2872	rundll32.exe	30
PID 2872 wrote to memory of 2736	2872	rundll32.exe	30
PID 2872 wrote to memory of 2736	2872	rundll32.exe	30
PID 2872 wrote to memory of 2736	2872	rundll32.exe	30
PID 2572 wrote to memory of 2884	2572	PCB~1.exe	33
PID 2572 wrote to memory of 2884	2572	PCB~1.exe	33
PID 2572 wrote to memory of 2884	2572	PCB~1.exe	33
PID 2572 wrote to memory of 2884	2572	PCB~1.exe	33
PID 2736 wrote to memory of 2688	2736	cmd.exe	34
PID 2736 wrote to memory of 2688	2736	cmd.exe	34
PID 2736 wrote to memory of 2688	2736	cmd.exe	34
PID 2736 wrote to memory of 2688	2736	cmd.exe	34

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1bc798ea23f3724ec785dcb80ef5157.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1bc798ea23f3724ec785dcb80ef5157.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\PCB~1.exe
    C:\Windows\system32\PCB~1.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\PCB~1.exe
      "C:\Windows\SysWOW64\PCB~1.exe" TWO
      4⤵
      Sets DLL path for service in the registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c erase /f /q C:\Windows\system32\PCB~1.exe
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im cmd.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im cmd.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2688

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k wuhqif
1⤵
- Loads dropped DLL
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\PCB~1.exe

Filesize
29KB

MD5
b44e9d14dec09425c1c3b762d21f31a2

SHA1
8118759754b0be281ec8bab3734061db3bc1ab44

SHA256
a9603e8836952ee6b5e1e1b49812c9e4c5911a2502bfc01d5c5d63d36ee7142f

SHA512
e60349a06386f0f7607b39045416efeff8afa078e8cda058b0fb90cc750935c532557a1bb2d4b05b1efec0fe2163f29f6a524f3b0f444b0327d5d1a9b6455e8f

Download Submit
\Windows\SysWOW64\wuhqif.dll

Filesize
20KB

MD5
202d44e495800906823944e401fec7a8

SHA1
5d17d1531123fc37c1a2743ff1960130e858b899

SHA256
8665bcd79fbb5ce63a29c330fe6286018283aae119cdd164f5fe940384c1c71b

SHA512
a4072816afcadfb2f781946c43f013c6fa18d109e8fbe97cfaf9ee4e97962d2052bd38fdc45e28d955383d8d194987ef519fc1f3a99aef63f153b2487fbdc2da

Download Submit
memory/2572-10-0x0000000000410000-0x0000000000419000-memory.dmp

Filesize
36KB

Download
memory/2572-11-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2572-16-0x0000000001F90000-0x0000000001F99000-memory.dmp

Filesize
36KB

Download
memory/2572-18-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2872-2-0x00000000000F0000-0x00000000000F9000-memory.dmp

Filesize
36KB

Download
memory/2872-9-0x00000000000F0000-0x00000000000F9000-memory.dmp

Filesize
36KB

Download
memory/2872-15-0x0000000000350000-0x0000000000369000-memory.dmp

Filesize
100KB

Download
memory/2884-20-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2884-28-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads