d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e

General

Target

d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exe
Size

204KB
MD5

224dd766971943b87b43245213b53d06
SHA1

71c4aab34dea69e98e5f0e4c2a089f17cb7caf60
SHA256

d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e
SHA512

8d65e169aea8cc5afb97b7600acf5392c6c0166229654da12819ababd610350b7c6466cd146df61954ff5f05b4d313966c1a467f5eec3ad0a8a04a9149018eb0
SSDEEP

1536:a89dYHQ4zxHwxUDdxNy3tQ9CW5EZWHakMwP9W6uXNi9f1AWa11GBPIdRONd+w6Et:DyHQ290tQ9nLHbB9W+k9ZJgImCtcr

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exewuuivur.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wuuivur.exe

Executes dropped EXE 1 IoCs

Processes:

wuuivur.exe

pid process

2192 wuuivur.exe

pid	process
2192	wuuivur.exe

Loads dropped DLL 2 IoCs

Processes:

d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exe

pid	process
2008	d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exe
2008	d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wuuivur.exed0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /h"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /o"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /f"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /a"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /d"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /b"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /v"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /i"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /z"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /p"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /w"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /u"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /j"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /s"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /x"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /l"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /q"	d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /k"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /n"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /t"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /q"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /g"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /r"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /c"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /m"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /y"	wuuivur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuuivur = "C:\\Users\\Admin\\wuuivur.exe /e"	wuuivur.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exewuuivur.exe

pid	process
2008	d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe
2192	wuuivur.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exewuuivur.exe

pid process

2008 d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exe
2192 wuuivur.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exe

description	pid	process	target process
PID 2008 wrote to memory of 2192	2008	d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exe	wuuivur.exe
PID 2008 wrote to memory of 2192	2008	d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exe	wuuivur.exe
PID 2008 wrote to memory of 2192	2008	d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exe	wuuivur.exe
PID 2008 wrote to memory of 2192	2008	d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exe	wuuivur.exe

C:\Users\Admin\AppData\Local\Temp\d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exe
"C:\Users\Admin\AppData\Local\Temp\d0593d23c899cab5903c78a8d4ca2c0d67552cc9a5f9fda1d4d8ff9b981e4e0e.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\wuuivur.exe
"C:\Users\Admin\wuuivur.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2192

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\wuuivur.exe
Filesize
204KB

MD5
25c6978f6205f1ef72e3d14065e96881

SHA1
f576fd0074a9419d2b8cc7362af54b4bbf6ac733

SHA256
d85e4b594af7b405de484e166ffd6579b1e712308142dc36d1491ef01db01174

SHA512
21d4fc198d9b9e8564fc39998bd23af65261f45388cd7649dc93727e81eb649c74f2265cc878673af68aebb4db8c063de64bcdc652932922fc73d01cb41f9273

Download Submit
memory/2008-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2008-9-0x0000000002F60000-0x0000000002F9D000-memory.dmp

Filesize
244KB

Download
memory/2008-15-0x0000000002F60000-0x0000000002F9D000-memory.dmp

Filesize
244KB

Download
memory/2008-19-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2192-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads