Overview

overview

10

Static

static

3

wufuc_v1.0...d4.zip

windows7-x64

1

wufuc/COPYING.txt

windows7-x64

1

wufuc/Donate.url

windows7-x64

6

wufuc/Help...se.url

windows7-x64

1

wufuc/Help...ue.url

windows7-x64

1

wufuc/Rest...rv.reg

windows7-x64

10

wufuc/inst...uc.bat

windows7-x64

1

wufuc/unin...uc.bat

windows7-x64

1

wufuc/version.txt

windows7-x64

1

wufuc/wufu...ub.url

windows7-x64

1

wufuc/wufuc32.dll

windows7-x64

1

wufuc/wufuc64.dll

windows7-x64

1

wufuc/wufu...sk.xml

windows7-x64

1

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25-04-2024 07:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wufuc/uninstall_wufuc.bat

  • Size

    743B

  • MD5

    1997ce4faa7ba7034aeb39520e385ae8

  • SHA1

    f684e417881098ddc7840691fea3ec0af47c974a

  • SHA256

    d37252527c2a8b33bf0d7b26ca0caad2c255dbbdaf41685abb7f7a2bee2b0224

  • SHA512

    e637f2878b59f063e3745e5d31594f3fba2d40d5df84f1cea6b56b0496ab2e548148617787ac3587ed74430d77504f6703bd9c20261ff31ea76d2e2c02dafa37

Score
1/10

Malware Config

Signatures

  • Runs net.exe
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\wufuc\uninstall_wufuc.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\system32\fltMC.exe
      fltmc
      2⤵
        PID:972
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" ver "
        2⤵
          PID:2028
        • C:\Windows\system32\findstr.exe
          findstr " 6\.1\."
          2⤵
            PID:2184
          • C:\Windows\system32\sfc.exe
            sfc /SCANFILE="C:\Windows\System32\wuaueng.dll"
            2⤵
              PID:2864
            • C:\Windows\system32\net.exe
              net start Schedule
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1696
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 start Schedule
                3⤵
                  PID:2372
              • C:\Windows\system32\schtasks.exe
                schtasks /Delete /TN "wufuc.{72EEE38B-9997-42BD-85D3-2DD96DA17307}" /F
                2⤵
                  PID:1636
                • C:\Windows\system32\rundll32.exe
                  rundll32 "C:\Users\Admin\AppData\Local\Temp\wufuc\wufuc64.dll",RUNDLL32_Unload
                  2⤵
                    PID:1596
                  • C:\Windows\system32\reg.exe
                    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe"
                    2⤵
                      PID:2156

                  Network

                  MITRE ATT&CK Matrix ATT&CK v13

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads