Managed XDR

wsus.exe (FlawedAmmyy, Hupigon) — malware analysis report

File info

Filename
wsus.exe
File type
PE32 executable (GUI) Intel 80386, for MS Windows
File size
691 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
0404b58423f58076b9c03e3a0bd470004eb3a455
SHA256
ffb8abde677e93327264affbb1b52a10f4d0ea80a3b1d0d99d76b1598e7c51e3
MD5
10eb9bfe4da24ee34ce04f92240f7bba

Malwares

  • FlawedAmmyy
  • Hupigon

Signatures

Execution

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key

Privilege Escalation

T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1574.011 persistence_services: Modifies Services registry key
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1497.001 antivm_queries_computername: Retrieves the computer name

Other

yara_rules: Static rules
dead_host: Connects to IP addresses that do not respond to requests
no_graphical_activity: No graphic activity

Related reports

Managed XDR