7c5983120636dc330c3ccb186482f2619ba479ad32ad373af758780db02f9521

Analysis

max time kernel
61s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2023 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c5983120636dc330c3ccb186482f2619ba479ad32ad373af758780db02f9521.exe
Size

3.1MB
MD5

9e2948c7b20223870119315dc41c6c3a
SHA1

6dc717524ff3d4ee39b53ba71929672ddf4f6521
SHA256

7c5983120636dc330c3ccb186482f2619ba479ad32ad373af758780db02f9521
SHA512

b50ec7e328430c233ea842bdc9394f52af31e9863be8bb1365137fed0aa272ae9c1ae232ef7da4b3f2a72d0ad3334095c00dfd455feb7856980a37571e35d7b1
SSDEEP

98304:6aki/AMWObiEsndKt/cx8QNUor1DNB3a9gpOf:Nj0kB6NNB3a9L

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation	7c5983120636dc330c3ccb186482f2619ba479ad32ad373af758780db02f9521.exe

Executes dropped EXE 2 IoCs

pid	Process
4244	vistarun.exe
4120	UFileEncyption.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\UFileEncyption\UFileEncyptionDriver.sys	7c5983120636dc330c3ccb186482f2619ba479ad32ad373af758780db02f9521.exe
File opened for modification	C:\Program Files (x86)\UFileEncyption\UFileEncyption.exe	7c5983120636dc330c3ccb186482f2619ba479ad32ad373af758780db02f9521.exe
File opened for modification	C:\Program Files (x86)\UFileEncyption\UFileSetup.DAT	7c5983120636dc330c3ccb186482f2619ba479ad32ad373af758780db02f9521.exe
File opened for modification	C:\Program Files (x86)\UFileEncyption\vistarun.exe	7c5983120636dc330c3ccb186482f2619ba479ad32ad373af758780db02f9521.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
676	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4120	UFileEncyption.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4244	4848	7c5983120636dc330c3ccb186482f2619ba479ad32ad373af758780db02f9521.exe	84
PID 4848 wrote to memory of 4244	4848	7c5983120636dc330c3ccb186482f2619ba479ad32ad373af758780db02f9521.exe	84
PID 4848 wrote to memory of 4244	4848	7c5983120636dc330c3ccb186482f2619ba479ad32ad373af758780db02f9521.exe	84

C:\Users\Admin\AppData\Local\Temp\7c5983120636dc330c3ccb186482f2619ba479ad32ad373af758780db02f9521.exe
"C:\Users\Admin\AppData\Local\Temp\7c5983120636dc330c3ccb186482f2619ba479ad32ad373af758780db02f9521.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Program Files (x86)\UFileEncyption\vistarun.exe
  "C:\Program Files (x86)\UFileEncyption\vistarun.exe" C:\Program Files (x86)\UFileEncyption\UFileEncyption.exe
  2⤵
  - Executes dropped EXE
  PID:4244

C:\Program Files (x86)\UFileEncyption\UFileEncyption.exe
"C:\Program Files (x86)\UFileEncyption\UFileEncyption.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UFileEncyption\UFileEncyption.exe

Filesize
2.7MB

MD5
240333b87a32fde17cf842dff03e729a

SHA1
be2eeda6a1b37c09e906bcd70fab62ad0679463c

SHA256
b022d85d27c9fe9fed9311e0dad76ee5d3fefd5f9d917b51ce02f463a43d2fa1

SHA512
ae2839a31aaa86950f06f3ac27d7f98ad3db7ddb956d5799a0c125f0801fff84383f602b78be1c9a0bb677eb925516081b9542f7320e2dac0866b17a80d140ef

Download Submit
C:\Program Files (x86)\UFileEncyption\UFileEncyption.exe

Filesize
2.7MB

MD5
240333b87a32fde17cf842dff03e729a

SHA1
be2eeda6a1b37c09e906bcd70fab62ad0679463c

SHA256
b022d85d27c9fe9fed9311e0dad76ee5d3fefd5f9d917b51ce02f463a43d2fa1

SHA512
ae2839a31aaa86950f06f3ac27d7f98ad3db7ddb956d5799a0c125f0801fff84383f602b78be1c9a0bb677eb925516081b9542f7320e2dac0866b17a80d140ef

Download Submit
C:\Program Files (x86)\UFileEncyption\vistarun.exe

Filesize
104KB

MD5
2df17bd8b4ec5f191ad40f59cdf1ae04

SHA1
3485969961501230c4fb3c3d4b874265b0d7578b

SHA256
14e51c804de4c45c6ad0b17e487773e3aaf3cd526d0a4783e117320e6bf3e59e

SHA512
ca2652c60161d18cdf1446701d0bf92725828053841fed2304300695b554364bba04cd0b9b616e6b8a820ca314bab066bee652ca3ff6314bccdfa0e026e30b61

Download Submit
C:\Program Files (x86)\UFileEncyption\vistarun.exe

Filesize
104KB

MD5
2df17bd8b4ec5f191ad40f59cdf1ae04

SHA1
3485969961501230c4fb3c3d4b874265b0d7578b

SHA256
14e51c804de4c45c6ad0b17e487773e3aaf3cd526d0a4783e117320e6bf3e59e

SHA512
ca2652c60161d18cdf1446701d0bf92725828053841fed2304300695b554364bba04cd0b9b616e6b8a820ca314bab066bee652ca3ff6314bccdfa0e026e30b61

Download Submit
C:\Program Files (x86)\UFileEncyption\vistarun.exe

Filesize
104KB

MD5
2df17bd8b4ec5f191ad40f59cdf1ae04

SHA1
3485969961501230c4fb3c3d4b874265b0d7578b

SHA256
14e51c804de4c45c6ad0b17e487773e3aaf3cd526d0a4783e117320e6bf3e59e

SHA512
ca2652c60161d18cdf1446701d0bf92725828053841fed2304300695b554364bba04cd0b9b616e6b8a820ca314bab066bee652ca3ff6314bccdfa0e026e30b61

Download Submit