ba2563e06801d3c7360c5ba2459cc24456f301e546489393d86b97ab82d7c0c2

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wub/Wub.exe
Size

791KB
MD5

82aff8883099cf75462057c4e47e88ac
SHA1

68e2939f59b3869e9bd3ecc4aca3947649631bf8
SHA256

aac1123f17f8569a36bf93876cea30e15103fd2379b401a79129a2a6e7285ac2
SHA512

212ac940a1f8bdd805813c279d471efc53b858bc35c5edad182dfde3c29c37854618a507a0a0839e5a383d1ba4fe317c0b3c8275d023c86ecfa36f221560b96d
SSDEEP

12288:ZaWzgMg7v3qnCiWErQohh0F4YCJ8lnyTQrv2HzAMI3u18:4aHMv6CWrj8nyTQrv2TAMI3ua

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

Wub.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Wub.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

Wub.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Wub.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Wub.exe

pid process

1644 Wub.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Wub.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wub.exe

pid	process
1644	Wub.exe

C:\Users\Admin\AppData\Local\Temp\Wub\Wub.exe
"C:\Users\Admin\AppData\Local\Temp\Wub\Wub.exe"
1⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1j6y4h4t.tmp

Filesize
20KB

MD5
2db4c5aa3664b87ccc47acdb9720a13d

SHA1
6cbfe623cf640a1c028dc585c06eeb76a6337bd3

SHA256
f846d2dcfbbd5f32431f9a377328f663109e4a636dbb2cb039bb51480c8e87af

SHA512
c03df33918de644d4feea76ffffbb6af55f645615c84a282c00f6c635567c936cf10111076809a2d4ff7701dccef437aa346245fdf54a52cacda991b52620498

Download Submit