Analysis
- max time kernel: 26s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 05-05-2021 02:08

Static task: static1
Behavioral task: behavioral1
- Sample: 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe
- Resource: win10v20210408
General
- Target: 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe
- Size: 80KB
- MD5: 5f51794e198a21c1dd6b0f2eb6482e0f
- SHA1: 6ac7ffc7d6e149a62235f286eefc64385ba0277a
- SHA256: 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137
- SHA512: 807b64c3cfc704b0c8d22c225b2dac377a2dc4cd4a5d402f62fdc9be7dd1ae6da0981d9210e20f93ef0e8075e3e395faa988a35ad5b429725104afbf10ba357f
Malware Config
Signatures
-
Processes (YARA rule match):
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\UlF.exe | aspack_v212_v242
Executes dropped EXE (1 IoC)
Processes:
pid | process
2656 | UlF.exe
Drops file in Program Files directory (64 IoCs)
Processes: UlF.exe
description: File opened for modification (all 64 entries); process: UlF.exe; ioc:
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe
- C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
- C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe
- C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe
- C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe
- C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe
- C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\89.0.4389.114_chrome_installer.exe
- C:\Program Files\Mozilla Firefox\firefox.exe
- C:\Program Files\Mozilla Firefox\pingsender.exe
- C:\Program Files\Windows Defender\MSASCuiL.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
- C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe
- C:\Program Files\Mozilla Firefox\maintenanceservice.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe
- C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE
- C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe
- C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
- C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe
- C:\Program Files\Microsoft Office\root\Integration\Integrator.exe
- C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
- C:\Program Files\Windows Photo Viewer\ImagingDevices.exe
- C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe
- C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\MessagingApplication.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe
- C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe
- C:\Program Files\Mozilla Firefox\plugin-container.exe
- C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Solitaire.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe
- C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe
- C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe
- C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
- C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe
- C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE
- C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Office16\OfficeHubTaskHost.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe
- C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe
- C:\Program Files\Windows Defender\MsMpEng.exe
- C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
- C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe
- C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe
- C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
- C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
-
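The 64 entries above record the dropped UlF.exe opening Microsoft and third-party executables under Program Files with write access; the report only shows the open, not whether any file contents actually changed. The Python script below is an added example, not part of the sandbox report and not the sample's code. It parses two entries from the list (kept in the run-on form the page shows them), builds a known-good SHA-256 baseline for them in a temporary directory filled with placeholder bytes (not real binaries), simulates one file being altered the way a prepending infector would, and reports files whose hash changed, files the baseline never saw, and files whose hash matches the dropped-file hashes from the Downloads section. The directory layout, the placeholder contents and the simulated alteration are assumptions for the demo; on a live Windows host you would additionally verify Authenticode signatures, which this script does not do.

```python
"""Added example (not from the sandbox report): hash-baseline check for the
executables that UlF.exe opened for modification, plus a lookup of the
report's dropped-file hashes."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# SHA-256 values copied from the report's Downloads section.
DROPPED_FILE_SHA256 = {
    "4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07",  # UlF.exe
    "1da0c17faf1a3e647d2279636fd5482fe61841b494df0997be2a48ae11c43089",  # 654a742c.bat
}

# Two entries taken from the report's 64-IoC list, in the run-on form the
# page shows them (constructed input for the parser below).
REPORT_SNIPPET = (
    r"File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe UlF.exe "
    r"File opened for modification C:\Program Files\Windows Defender\MsMpEng.exe UlF.exe"
)


def parse_modified_paths(text: str, process: str = "UlF.exe") -> list[str]:
    """Split 'File opened for modification <path> <process> ...' into paths."""
    marker = "File opened for modification "
    paths = []
    for chunk in text.split(marker)[1:]:
        chunk = chunk.strip()
        if chunk.endswith(" " + process):
            chunk = chunk[: -len(process) - 1].rstrip()
        paths.append(chunk)
    return paths


def relative_to_program_files(win_path: str) -> str:
    """'C:\\Program Files\\X\\y.exe' -> 'X/y.exe' so the check can run on a copy."""
    prefix = "C:\\Program Files\\"
    if not win_path.startswith(prefix):
        raise ValueError(f"not under Program Files: {win_path}")
    return win_path[len(prefix):].replace("\\", "/")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def check_integrity(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Hash every .exe under root and compare with a known-good baseline.

    modified  - in the baseline, hash differs (contents changed)
    unknown   - not in the baseline at all (new file dropped or renamed)
    ioc_match - hash equals one of the report's dropped-file hashes
    """
    result: dict[str, list[str]] = {"modified": [], "unknown": [], "ioc_match": []}
    for exe in sorted(root.rglob("*.exe")):
        rel = exe.relative_to(root).as_posix()
        digest = sha256_file(exe)
        if digest in DROPPED_FILE_SHA256:
            result["ioc_match"].append(rel)
        if rel not in baseline:
            result["unknown"].append(rel)
        elif baseline[rel] != digest:
            result["modified"].append(rel)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: fake Program Files tree, baseline taken clean,
    then one binary altered the way a prepending file infector would."""
    root = Path(tempfile.mkdtemp(prefix="program_files_"))
    targets = [relative_to_program_files(p) for p in parse_modified_paths(REPORT_SNIPPET)]
    for rel in targets:
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"MZ" + rel.encode() + b"\x00" * 64)  # placeholder, not a real PE
    baseline = {rel: sha256_file(root / rel) for rel in targets}

    victim = root / targets[0]                          # firefox.exe
    victim.write_bytes(b"STUB" + victim.read_bytes())   # simulated infection
    extra = root / "Java/jdk1.8.0_66/bin/java.exe"      # file the baseline never saw
    extra.parent.mkdir(parents=True, exist_ok=True)
    extra.write_bytes(b"MZ")
    return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

A hash match against the dropped-file set tells you the sample's artefacts are present; a changed hash on a known vendor binary is the finding that matters for this signature, since it means the write actually landed and the file should be treated as untrusted until reinstalled from vendor media.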
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe, UlF.exe
description | pid | process | target pid | target process
PID 3928 wrote to memory of 2656 | 3928 | 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe | 2656 | UlF.exe
PID 3928 wrote to memory of 2656 | 3928 | 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe | 2656 | UlF.exe
PID 3928 wrote to memory of 2656 | 3928 | 76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe | 2656 | UlF.exe
PID 2656 wrote to memory of 1172 | 2656 | UlF.exe | 1172 | cmd.exe
PID 2656 wrote to memory of 1172 | 2656 | UlF.exe | 1172 | cmd.exe
PID 2656 wrote to memory of 1172 | 2656 | UlF.exe | 1172 | cmd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\UlF.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\UlF.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\654a742c.bat" "
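The process tree is the most reusable part of this report for detection: the submitted binary runs from the user's Temp directory, spawns a second executable dropped into the same directory, and that one runs cmd.exe /c on a .bat in Temp (the report does not show the batch file's contents). The WriteProcessMemory entries in the Signatures section line up with these two process creations, and each parent writes only into the child it just started, so on their own they are consistent with ordinary process start-up rather than proof of injection into an unrelated process. The Python below is an added example, not part of the sandbox report: it runs that chain rule over constructed process-creation records. The pids, images and command lines of the three report processes are taken from the tree above; the explorer.exe parent, its pid, and the benign pid 5000 control event are assumptions for the demo.

```python
"""Added example (not from the sandbox report): detect the execution chain in
the report's process tree, a Temp-resident binary spawning a dropped Temp
executable that runs cmd.exe /c on a .bat in Temp, over constructed
process-creation records."""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\76f4794e4bd1067b2a1449fc3ffdf444130a9d0a893294b674c182251cfa9137.exe"

# Constructed records modelled on the report's process tree. Pids and command
# lines of 3928/2656/1172 come from the report; the explorer.exe parent (pid
# 1200) and the benign pid 5000 event are assumptions for the demo.
EVENTS = [
    {"pid": 1200, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 3928, "ppid": 1200, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2656, "ppid": 3928, "image": r"C:\Users\Admin\AppData\Local\Temp\UlF.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\UlF.exe"},
    {"pid": 1172, "ppid": 2656, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\654a742c.bat" "'},
    # Control: a user shell running a Temp .bat directly, no Temp-resident parent.
    {"pid": 5000, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\build.bat"'},
]

USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Tolerates the doubled quotes seen in the report's command line: /c ""path.bat" "
CMD_BAT_RE = re.compile(r'/c\s+"*([^"]+?\.bat)\b', re.I)


def in_user_temp(path: str) -> bool:
    return USER_TEMP_RE.match(path) is not None


def bat_from_cmdline(cmdline: str):
    """Return the .bat path passed to cmd /c, or None."""
    m = CMD_BAT_RE.search(cmdline)
    return m.group(1) if m else None


def detect(events):
    """Return chains (root pid .. cmd.exe pid) where cmd.exe runs a .bat from a
    user Temp directory and every ancestor up to the chain root also runs from
    Temp. cmd.exe events that only satisfy the .bat condition are listed
    separately as lower confidence."""
    by_pid = {e["pid"]: e for e in events}
    findings = {"chains": [], "temp_bat_only": []}
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        bat = bat_from_cmdline(e["cmdline"])
        if bat is None or not in_user_temp(bat):
            continue
        chain = [e["pid"]]
        parent = by_pid.get(e["ppid"])
        while parent is not None and in_user_temp(parent["image"]):
            chain.append(parent["pid"])
            parent = by_pid.get(parent["ppid"])
        if len(chain) >= 3:  # cmd.exe <- dropped Temp exe <- Temp exe, as in the report
            findings["chains"].append(chain[::-1])
        else:
            findings["temp_bat_only"].append(e["pid"])
    return findings


if __name__ == "__main__":
    print(detect(EVENTS))
```

The control event shows why the parent condition matters: a shell running a batch file from Temp is common in build and installer activity, whereas two Temp-resident executables stacked above it is the shape this report documents.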
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\654a742c.bat
MD5: dd107b5e9f8daf4eb009a30286d6f1ae
SHA1: d8fb4e57ff72156de4bf787908f1cf7959dff456
SHA256: 1da0c17faf1a3e647d2279636fd5482fe61841b494df0997be2a48ae11c43089
SHA512: f67eb0c9a7d9f8105db54a1f9b60cdc519f9f3666d521424f2d48b64921dd3df279bba257883c7de4979fb1d442d675c74fdc2e0efa045df2ad44c7e694a8533
-
C:\Users\Admin\AppData\Local\Temp\UlF.exe
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
memory/1172-117-0x0000000000000000-mapping.dmp
-
memory/2656-114-0x0000000000000000-mapping.dmp