Analysis

- Max time kernel: 149s
- Max time network: 117s
- Platform: windows7_x64
- Resource: win7
- Submitted: 09/07/2020, 13:49

Tasks

- Static task: static1
- Behavioral task: behavioral1
  - Sample: ubb.exe
  - Resource: win7
  - 0 signatures
  - 0 seconds
- Behavioral task: behavioral2
  - Sample: ubb.exe
  - Resource: win10
  - 0 signatures
  - 0 seconds
General

- Target: ubb.exe
- Size: 457KB
- MD5: 45c06eab307690b796dd9c1a3c7f8eb6
- SHA1: 1192c39f0357ce3ff44e524e2e7bc53978b693ed
- SHA256: 38ac4538725c959e9c2b280e4838ed511a2d4d4339a2be5ba91fe1fb5ec76545
- SHA512: 0ee5802e9d9d7e2d1630e1b80380abc5878dacad311fa01c03085ac580ab8d7799928cc4157857e948e01d13f57f530fcdff182aa078615d09ca675200393df1
Malware Config
Signatures
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid / Process:
  - 760 RegSvcs.exe (3 entries)
  - 1096 help.exe (2 entries)

- Suspicious use of FindShellTrayWindow (5 IoCs)
  pid / Process:
  - 1312 Explorer.EXE (5 entries)

- Suspicious use of SendNotifyMessage (4 IoCs)
  pid / Process:
  - 1312 Explorer.EXE (4 entries)

- Checks whether UAC is enabled
  description / ioc / Process:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Explorer.EXE)

- Suspicious use of WriteProcessMemory (18 IoCs)
  description / pid / Process / procid_target:
  - PID 1448 wrote to memory of 760 | 1448 ubb.exe | target 24 (10 entries)
  - PID 1312 wrote to memory of 1096 | 1312 Explorer.EXE | target 25 (4 entries)
  - PID 1096 wrote to memory of 1532 | 1096 help.exe | target 26 (4 entries)

- Suspicious use of SetThreadContext (3 IoCs)
  description / pid / Process / procid_target:
  - PID 1448 set thread context of 760 | 1448 ubb.exe | target 24
  - PID 760 set thread context of 1312 | 760 RegSvcs.exe | target 20
  - PID 1096 set thread context of 1312 | 1096 help.exe | target 20

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege | 1448 ubb.exe
  - Token: SeDebugPrivilege | 760 RegSvcs.exe
  - Token: SeDebugPrivilege | 1096 help.exe

- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid / Process:
  - 760 RegSvcs.exe (2 entries)
  - 1096 help.exe (22 entries)
Processes
- C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  PID: 1312
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\ubb.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ubb.exe"
    PID: 1448
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 3)
      Command line: "{path}"
      PID: 760
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

  - C:\Windows\SysWOW64\help.exe (level 2)
    Command line: "C:\Windows\SysWOW64\help.exe"
    PID: 1096
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses

    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 1532