072087ec3b8be885fd82335ca0f6a831003679763eb3fd472fab01deb510f0af

General

Target

072087ec3b8be885fd82335ca0f6a831003679763eb3fd472fab01deb510f0af.exe
Size

2.5MB
MD5

0894078d06d457b29171deb42134621e
SHA1

b97d0073e813929c8d8d545231e63fa347b4f73b
SHA256

072087ec3b8be885fd82335ca0f6a831003679763eb3fd472fab01deb510f0af
SHA512

e69bcb22530c5d091c9b3da03ace62cca664cf6969fc1fc1a1951ff5ede7811fa9778f9c83f5afe7843c703059b742f1b0c2e126f31201dbc4dd30462bb22d8b
SSDEEP

49152:uo+NvMAiTRoQ8Hx6Xk6niMZxA/bKn32ZJuuG0O0wnXx7O7lrf29RVexbPIr3fD:uRpA8x6UpMZcbyM1G0wXxslq9RVUbgrb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1208	UVK_en64.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4728-132-0x0000000140000000-0x000000014005B000-memory.dmp	upx
behavioral2/memory/4728-143-0x0000000140000000-0x000000014005B000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	072087ec3b8be885fd82335ca0f6a831003679763eb3fd472fab01deb510f0af.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	UVK_en64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: 33	1208	UVK_en64.exe
Token: SeIncBasePriorityPrivilege	1208	UVK_en64.exe
Token: SeRestorePrivilege	1208	UVK_en64.exe
Token: SeTakeOwnershipPrivilege	1208	UVK_en64.exe
Token: SeDebugPrivilege	1208	UVK_en64.exe
Token: SeSecurityPrivilege	1208	UVK_en64.exe
Token: SeBackupPrivilege	1208	UVK_en64.exe
Token: SeImpersonatePrivilege	1208	UVK_en64.exe
Token: SeSystemProfilePrivilege	1208	UVK_en64.exe
Token: SeAssignPrimaryTokenPrivilege	1208	UVK_en64.exe
Token: 31	1208	UVK_en64.exe
Token: SeTcbPrivilege	1208	UVK_en64.exe
Token: SeIncreaseQuotaPrivilege	1208	UVK_en64.exe
Token: SeShutdownPrivilege	1208	UVK_en64.exe
Token: SeRestorePrivilege	1208	UVK_en64.exe
Token: SeTakeOwnershipPrivilege	1208	UVK_en64.exe
Token: SeDebugPrivilege	1208	UVK_en64.exe
Token: SeSecurityPrivilege	1208	UVK_en64.exe
Token: SeBackupPrivilege	1208	UVK_en64.exe
Token: SeImpersonatePrivilege	1208	UVK_en64.exe
Token: SeSystemProfilePrivilege	1208	UVK_en64.exe
Token: SeAssignPrimaryTokenPrivilege	1208	UVK_en64.exe
Token: 31	1208	UVK_en64.exe
Token: SeTcbPrivilege	1208	UVK_en64.exe
Token: SeIncreaseQuotaPrivilege	1208	UVK_en64.exe
Token: SeShutdownPrivilege	1208	UVK_en64.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4728	072087ec3b8be885fd82335ca0f6a831003679763eb3fd472fab01deb510f0af.exe
1208	UVK_en64.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 4960	4728	072087ec3b8be885fd82335ca0f6a831003679763eb3fd472fab01deb510f0af.exe	82
PID 4728 wrote to memory of 4960	4728	072087ec3b8be885fd82335ca0f6a831003679763eb3fd472fab01deb510f0af.exe	82
PID 4960 wrote to memory of 5108	4960	cmd.exe	84
PID 4960 wrote to memory of 5108	4960	cmd.exe	84
PID 4728 wrote to memory of 3084	4728	072087ec3b8be885fd82335ca0f6a831003679763eb3fd472fab01deb510f0af.exe	86
PID 4728 wrote to memory of 3084	4728	072087ec3b8be885fd82335ca0f6a831003679763eb3fd472fab01deb510f0af.exe	86
PID 3084 wrote to memory of 4356	3084	cmd.exe	87
PID 3084 wrote to memory of 4356	3084	cmd.exe	87
PID 4728 wrote to memory of 1208	4728	072087ec3b8be885fd82335ca0f6a831003679763eb3fd472fab01deb510f0af.exe	88
PID 4728 wrote to memory of 1208	4728	072087ec3b8be885fd82335ca0f6a831003679763eb3fd472fab01deb510f0af.exe	88

C:\Users\Admin\AppData\Local\Temp\072087ec3b8be885fd82335ca0f6a831003679763eb3fd472fab01deb510f0af.exe
"C:\Users\Admin\AppData\Local\Temp\072087ec3b8be885fd82335ca0f6a831003679763eb3fd472fab01deb510f0af.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe import "C:\UVK\runfront1.reg" || regedit.exe /s "C:\UVK\runfront1.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\system32\reg.exe
    reg.exe import "C:\UVK\runfront1.reg"
    3⤵
    PID:5108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe import "C:\UVK\runfront2.reg" || regedit.exe /s "C:\UVK\runfront2.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\system32\reg.exe
    reg.exe import "C:\UVK\runfront2.reg"
    3⤵
    PID:4356
- C:\UVK\UVK_en64.exe
  "C:\UVK\UVK_en64.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UVK\UVK_en64.exe

Filesize
3.3MB

MD5
0365cc7d39ab91358e230a017971ed41

SHA1
6e255e79d96d07fdd78ac12b66faa340272b2fdb

SHA256
df57b733a33abcf7c2d2bdd44fcdd75257c85cf381589c383c6363e74594375c

SHA512
dc7ff9a2e9cba05ab04f1afdbf1361bf321550720ed5aa892d27bb8e32e64128d396276a00ffa2db717cb531ea54d02321e2cdba7f0c9061f8f485f53061cc4e

Download Submit
C:\UVK\deflogo.png

Filesize
235KB

MD5
4105b6f89f726438d35b3fdf280beb6c

SHA1
820338bd894dae19013883aef0a6b8f0d53ef025

SHA256
80def2ec31ecf4ca333c02528e6fc966d52c3c9a045494ab66677d402c7c47e8

SHA512
e064d468897cf2eba7f7057d7775b67013474abf2f18aabf07096f02751a6fe841047c65932e9f61ab2c8c4960f9d67dc08320a7fb83713e95e6704284230e83

Download Submit
C:\UVK\runfront1.reg

Filesize
322B

MD5
c008d6ca1e246a8b60411bd92ec0ef12

SHA1
4ca3ca88bcd83fc4c595c2f69b98791dbf0ce9ab

SHA256
69b9bddedcdf01913cb81ac2294c5c5c3121f1155942068e2a467bc84eeef9ee

SHA512
39ef8a8a9244f7a3978ed6a61a0329f6a19ac94597ea407db227d413af11a153e83d545438f31c634e1f52e37ce8d0bfcb9007ebfd0d88b33e4ca35231bc69b0

Download Submit
C:\UVK\runfront2.reg

Filesize
3KB

MD5
35153c4ba2a33f128a43aeeafaed8010

SHA1
780c4156ed072212f0d0b253f6298471bc9334de

SHA256
bfc4517c4014fb0d67d08ad678e2959b4b12463f533caffaec652421a53111ee

SHA512
9329dabba14b531c0dd76849aa53389264deba138cf720b95b1646ffac13b9a5d3b640db1c0f1d9419fe22d7ac5a55ae8002e1af3ff9c38f84954f949442ee96

Download Submit
C:\UVK\uvkres.dll

Filesize
1.5MB

MD5
853cb5e4ec413cb58b6ae9f9ccb6fe7b

SHA1
ee6474c5a05991080fc43efd8d123266fce07dcb

SHA256
4c4bc02c7bec1a685ce77d337d0fe27b47ec1904f45ba60bb409a69720a56685

SHA512
7ed94a91085bfb6f9f774750c22a2357c3385c28f1b54f75419d4f610011d2efa92bcaa17422b59d3a31d7045c18d535afcb9cea9ab57c12dd7cf2c7fbb73e1c

Download Submit
memory/4728-132-0x0000000140000000-0x000000014005B000-memory.dmp

Filesize
364KB

Download
memory/4728-143-0x0000000140000000-0x000000014005B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing