Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 05-05-2021 02:08
Static task: static1
Behavioral task: behavioral1
  Sample: 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe
  Resource: win10v20210408
General
- Target: 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe
- Size: 80KB
- MD5: 5f51794e198a21c1dd6b0f2eb6482e0f
- SHA1: 6ac7ffc7d6e149a62235f286eefc64385ba0277a
- SHA256: 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137
- SHA512: 807b64c3cfc704b0c8d22c225b2dac377a2dc4cd4a5d402f62fdc9be7dd1ae6da0981d9210e20f93ef0e8075e3e395faa988a35ad5b429725104afbf10ba357f
Malware Config
Signatures
- Yara rule match: aspack_v212_v242
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\UlF.exe / aspack_v212_v242
    \Users\Admin\AppData\Local\Temp\UlF.exe / aspack_v212_v242
    C:\Users\Admin\AppData\Local\Temp\UlF.exe / aspack_v212_v242
    C:\Users\Admin\AppData\Local\Temp\UlF.exe / aspack_v212_v242
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    1804 / UlF.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1028 / 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe
    1028 / 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe
- Drops file in Program Files directory (64 IoCs)
  Processes (description / ioc / process): all entries below are "File opened for modification" by UlF.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    C:\Program Files (x86)\Windows Mail\WinMail.exe
    C:\Program Files\7-Zip\Uninstall.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe
    C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe
    C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
    C:\Program Files\Java\jre7\bin\policytool.exe
    C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE
    C:\Program Files (x86)\Microsoft Office\Office14\misc.exe
    C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE
    C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe
    C:\Program Files\Mozilla Firefox\maintenanceservice.exe
    C:\Program Files\Windows Photo Viewer\ImagingDevices.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe
    C:\Program Files\Java\jre7\bin\java.exe
    C:\Program Files\Java\jre7\bin\orbd.exe
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
    C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE
    C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe
    C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
    C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE
    C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE
    C:\Program Files\7-Zip\7z.exe
    C:\Program Files (x86)\Google\Temp\GUMFBCB.tmp\GoogleUpdateSetup.exe
    C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE
    C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    C:\Program Files (x86)\Windows Mail\wabmig.exe
    C:\Program Files\Java\jre7\bin\java-rmi.exe
    C:\Program Files\VideoLAN\VLC\vlc.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
    C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe
    C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE
    C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
    C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE
    C:\Program Files\7-Zip\7zG.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe
    C:\Program Files\Java\jre7\bin\jabswitch.exe
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
    C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
    C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
    C:\Program Files (x86)\Google\Update\Install\{A290E22C-E339-4EA1-B140-FE44A71CE551}\89.0.4389.114_chrome_installer.exe
    C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE
    C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe
    C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
    PID 1028 wrote to memory of 1804 / 1028 / 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe / UlF.exe
    PID 1028 wrote to memory of 1804 / 1028 / 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe / UlF.exe
    PID 1028 wrote to memory of 1804 / 1028 / 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe / UlF.exe
    PID 1028 wrote to memory of 1804 / 1028 / 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe / UlF.exe
    PID 1804 wrote to memory of 1408 / 1804 / UlF.exe / cmd.exe
    PID 1804 wrote to memory of 1408 / 1804 / UlF.exe / cmd.exe
    PID 1804 wrote to memory of 1408 / 1804 / UlF.exe / cmd.exe
    PID 1804 wrote to memory of 1408 / 1804 / UlF.exe / cmd.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\UlF.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\UlF.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\5a894376.bat" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\5a894376.bat
  MD5: f752814c9be2938d792d82031ade794d
  SHA1: c57a5a1c2f4192c9fa82edfce60716804fdfed6e
  SHA256: e13286d6f706cc67d9a21efccaaa9005eb74b343b1546c61921764088c46de99
  SHA512: bb1c13ef44e97b4321ae2b14ebc844683f6fe5fc4e7a034ddc01f81898ac5d52e5deffdef5efb1005ab233fc18742ff89186804e892d4d706f0e362bd9f3c6f1
- C:\Users\Admin\AppData\Local\Temp\UlF.exe
  MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
  SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
  SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
  SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
- \Users\Admin\AppData\Local\Temp\UlF.exe
  MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
  SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
  SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
  SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
- memory/1408-66-0x0000000000000000-mapping.dmp
- memory/1804-62-0x0000000000000000-mapping.dmp
- memory/1804-64-0x0000000075801000-0x0000000075803000-memory.dmp
  Filesize: 8KB