e37e702b4d93bd70a885e46ef20ec5d2d7129255fc12e747bb7a7687e29bb520

General

Target

UTES_v2.exe
Size

9.9MB
MD5

6647145d121243aa0afa229377a1d1d1
SHA1

9edc3153a277748103d1a4188f446c0e4e526103
SHA256

e37e702b4d93bd70a885e46ef20ec5d2d7129255fc12e747bb7a7687e29bb520
SHA512

675ae196b05657a0fcf28749fdcff383351272a1bf02bffc1d52d6d4928f855f167ace2b914b686282483f60cdd26d80f787370445fc784605b568c30bb4b2d2
SSDEEP

196608:Zy5x+pMmmd6dp40+pkssG1lhuNrmBr4/4dS/cj1BL5LvBI:gSpMmmM4PksEMrqISkj1BL5LJI

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	UTES_v2.exe

Executes dropped EXE 1 IoCs

pid	Process
4628	utes.exe

Loads dropped DLL 2 IoCs

pid	Process
4628	utes.exe
4628	utes.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	utes.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	utes.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	utes.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	utes.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	utes.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	utes.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	utes.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	utes.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	utes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	utes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	utes.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	utes.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	utes.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	utes.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	utes.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	utes.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	utes.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	utes.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	utes.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	utes.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4628	utes.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	utes.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4628	utes.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 4628	1744	UTES_v2.exe	80
PID 1744 wrote to memory of 4628	1744	UTES_v2.exe	80
PID 1744 wrote to memory of 4628	1744	UTES_v2.exe	80

C:\Users\Admin\AppData\Local\Temp\UTES_v2.exe
"C:\Users\Admin\AppData\Local\Temp\UTES_v2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\utes.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\utes.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Data.dat

Filesize
9.2MB

MD5
ba18715f5efdd20e64f9b31b223a0978

SHA1
13e6cc6c1e203673db1a4fbe1f0c6f509ad0bf3d

SHA256
1590385cabff35627f4b93f81d2b6adb004115d49883c56348886608986d528b

SHA512
4a414216e06c47acba0947e10e7ab1cca2d7498c9ff2cf18fc96f0006c1a19f94d6b02bc665aa6d76a4d8058307cca4299bd0b94b76d7d21852b0044aae13369

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DotNetZip.dll

Filesize
446KB

MD5
2ac40da17c4ac9df4a8701faf3913a52

SHA1
f5518fd34d920546bafa8d648aa8feeca3179b93

SHA256
46bf5f182875f53994b6bee810570f85b2b39643c27ebbee77ce554b1e3b6ed4

SHA512
80025e7f79839138b7365071265bcc6d791a3fac48cecd7d170be79a46016c3fcef928676e666f6798a18c534310e5e27bf7f2896214dc615f0913f5f2798f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DotNetZip.dll

Filesize
446KB

MD5
2ac40da17c4ac9df4a8701faf3913a52

SHA1
f5518fd34d920546bafa8d648aa8feeca3179b93

SHA256
46bf5f182875f53994b6bee810570f85b2b39643c27ebbee77ce554b1e3b6ed4

SHA512
80025e7f79839138b7365071265bcc6d791a3fac48cecd7d170be79a46016c3fcef928676e666f6798a18c534310e5e27bf7f2896214dc615f0913f5f2798f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DotNetZip.dll

Filesize
446KB

MD5
2ac40da17c4ac9df4a8701faf3913a52

SHA1
f5518fd34d920546bafa8d648aa8feeca3179b93

SHA256
46bf5f182875f53994b6bee810570f85b2b39643c27ebbee77ce554b1e3b6ed4

SHA512
80025e7f79839138b7365071265bcc6d791a3fac48cecd7d170be79a46016c3fcef928676e666f6798a18c534310e5e27bf7f2896214dc615f0913f5f2798f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\utes.exe

Filesize
78KB

MD5
6ce964c6ce942e6f3ced8436b8e8a4b6

SHA1
f20e9ef54ef0d4469a354b53bcdc8cd62349b9c3

SHA256
03470192783afcf409dfdf125cbd359c88bd83c5e22d5a24d3386bd3500031c7

SHA512
07a79bbb5ca451965f53f5e498192006b00f624625701a7f87bde8e1eaa96f32f46182109a7e38baa243d3959431b0eadd079b54fdae673532d71d330db9a0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\utes.exe

Filesize
78KB

MD5
6ce964c6ce942e6f3ced8436b8e8a4b6

SHA1
f20e9ef54ef0d4469a354b53bcdc8cd62349b9c3

SHA256
03470192783afcf409dfdf125cbd359c88bd83c5e22d5a24d3386bd3500031c7

SHA512
07a79bbb5ca451965f53f5e498192006b00f624625701a7f87bde8e1eaa96f32f46182109a7e38baa243d3959431b0eadd079b54fdae673532d71d330db9a0e8

Download Submit
memory/4628-135-0x0000000000CD0000-0x0000000000CEC000-memory.dmp

Filesize
112KB

Download
memory/4628-139-0x0000000003110000-0x000000000311A000-memory.dmp

Filesize
40KB

Download
memory/4628-140-0x0000000005770000-0x00000000057C6000-memory.dmp

Filesize
344KB

Download
memory/4628-138-0x00000000056D0000-0x0000000005762000-memory.dmp

Filesize
584KB

Download
memory/4628-144-0x0000000008000000-0x0000000008076000-memory.dmp

Filesize
472KB

Download
memory/4628-137-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/4628-136-0x0000000005590000-0x000000000562C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing