514372ed158f8c58ab5ab17c66a31238fb9c80cfadb4a927b296677b9f93814d

General

Target

514372ed158f8c58ab5ab17c66a31238fb9c80cfadb4a927b296677b9f93814d.exe
Size

332KB
MD5

01c81da66fd719b96ba3421c90e8c398
SHA1

91624eae0a8a81c00f5e5e4abaa401f4fbb8beac
SHA256

514372ed158f8c58ab5ab17c66a31238fb9c80cfadb4a927b296677b9f93814d
SHA512

18872dd54f7b708c2212507756ce55ef3002d1fb0cdd329711425ea9a280aecd5e2263255cd970a58148fc1ba6be3855ac0b79f9da0e8499161f385ed2f6f5b6
SSDEEP

6144:bhmkZkgelPgepycU5c10c1mZ+yDE9XFgn7UhT1AAhlTJjnBr6:bhmkZkZhgepFF/mZp41xViqfnF

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1756	ucuhnwtcr.exe

Deletes itself 1 IoCs

pid	Process
1044	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1044	cmd.exe
1044	cmd.exe
1756	ucuhnwtcr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	514372ed158f8c58ab5ab17c66a31238fb9c80cfadb4a927b296677b9f93814d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1280	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1376	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe
1756	ucuhnwtcr.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 1044	576	514372ed158f8c58ab5ab17c66a31238fb9c80cfadb4a927b296677b9f93814d.exe	26
PID 576 wrote to memory of 1044	576	514372ed158f8c58ab5ab17c66a31238fb9c80cfadb4a927b296677b9f93814d.exe	26
PID 576 wrote to memory of 1044	576	514372ed158f8c58ab5ab17c66a31238fb9c80cfadb4a927b296677b9f93814d.exe	26
PID 576 wrote to memory of 1044	576	514372ed158f8c58ab5ab17c66a31238fb9c80cfadb4a927b296677b9f93814d.exe	26
PID 1044 wrote to memory of 1280	1044	cmd.exe	28
PID 1044 wrote to memory of 1280	1044	cmd.exe	28
PID 1044 wrote to memory of 1280	1044	cmd.exe	28
PID 1044 wrote to memory of 1280	1044	cmd.exe	28
PID 1044 wrote to memory of 1376	1044	cmd.exe	30
PID 1044 wrote to memory of 1376	1044	cmd.exe	30
PID 1044 wrote to memory of 1376	1044	cmd.exe	30
PID 1044 wrote to memory of 1376	1044	cmd.exe	30
PID 1044 wrote to memory of 1756	1044	cmd.exe	31
PID 1044 wrote to memory of 1756	1044	cmd.exe	31
PID 1044 wrote to memory of 1756	1044	cmd.exe	31
PID 1044 wrote to memory of 1756	1044	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\514372ed158f8c58ab5ab17c66a31238fb9c80cfadb4a927b296677b9f93814d.exe
"C:\Users\Admin\AppData\Local\Temp\514372ed158f8c58ab5ab17c66a31238fb9c80cfadb4a927b296677b9f93814d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 576 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\514372ed158f8c58ab5ab17c66a31238fb9c80cfadb4a927b296677b9f93814d.exe" & start C:\Users\Admin\AppData\Local\UCUHNW~1.EXE -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 576
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:1376
- - C:\Users\Admin\AppData\Local\ucuhnwtcr.exe
    C:\Users\Admin\AppData\Local\UCUHNW~1.EXE -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ucuhnwtcr.exe

Filesize
332KB

MD5
01c81da66fd719b96ba3421c90e8c398

SHA1
91624eae0a8a81c00f5e5e4abaa401f4fbb8beac

SHA256
514372ed158f8c58ab5ab17c66a31238fb9c80cfadb4a927b296677b9f93814d

SHA512
18872dd54f7b708c2212507756ce55ef3002d1fb0cdd329711425ea9a280aecd5e2263255cd970a58148fc1ba6be3855ac0b79f9da0e8499161f385ed2f6f5b6

Download Submit
C:\Users\Admin\AppData\Local\ucuhnwtcr.exe

Filesize
332KB

MD5
01c81da66fd719b96ba3421c90e8c398

SHA1
91624eae0a8a81c00f5e5e4abaa401f4fbb8beac

SHA256
514372ed158f8c58ab5ab17c66a31238fb9c80cfadb4a927b296677b9f93814d

SHA512
18872dd54f7b708c2212507756ce55ef3002d1fb0cdd329711425ea9a280aecd5e2263255cd970a58148fc1ba6be3855ac0b79f9da0e8499161f385ed2f6f5b6

Download Submit
\Users\Admin\AppData\Local\ucuhnwtcr.exe

Filesize
332KB

MD5
01c81da66fd719b96ba3421c90e8c398

SHA1
91624eae0a8a81c00f5e5e4abaa401f4fbb8beac

SHA256
514372ed158f8c58ab5ab17c66a31238fb9c80cfadb4a927b296677b9f93814d

SHA512
18872dd54f7b708c2212507756ce55ef3002d1fb0cdd329711425ea9a280aecd5e2263255cd970a58148fc1ba6be3855ac0b79f9da0e8499161f385ed2f6f5b6

Download Submit
\Users\Admin\AppData\Local\ucuhnwtcr.exe

Filesize
332KB

MD5
01c81da66fd719b96ba3421c90e8c398

SHA1
91624eae0a8a81c00f5e5e4abaa401f4fbb8beac

SHA256
514372ed158f8c58ab5ab17c66a31238fb9c80cfadb4a927b296677b9f93814d

SHA512
18872dd54f7b708c2212507756ce55ef3002d1fb0cdd329711425ea9a280aecd5e2263255cd970a58148fc1ba6be3855ac0b79f9da0e8499161f385ed2f6f5b6

Download Submit
\Users\Admin\AppData\Local\ucuhnwtcr.exe

Filesize
332KB

MD5
01c81da66fd719b96ba3421c90e8c398

SHA1
91624eae0a8a81c00f5e5e4abaa401f4fbb8beac

SHA256
514372ed158f8c58ab5ab17c66a31238fb9c80cfadb4a927b296677b9f93814d

SHA512
18872dd54f7b708c2212507756ce55ef3002d1fb0cdd329711425ea9a280aecd5e2263255cd970a58148fc1ba6be3855ac0b79f9da0e8499161f385ed2f6f5b6

Download Submit
memory/576-57-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/576-54-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/576-55-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/1756-67-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download

Analysis

Sharing