0f6b398bf5f91af3ec82ad6a7417ec3dd71f7f220409d5c327b63a4c7334e844

Analysis

max time kernel
141s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
02/07/2023, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.5MB
MD5

09f16ecc21bd2d570fd6c6411128b714
SHA1

71dd57498b1989e7c61e1c4865f306e5d5e222f2
SHA256

0f6b398bf5f91af3ec82ad6a7417ec3dd71f7f220409d5c327b63a4c7334e844
SHA512

2b89d3c3e6722da0c7acfb8468aebfe112fadda93f71708e48035b9bb0ea35120a0eb1d04c80c4d2c4a2004f866f71d8a072f1f8ebc567d2813b243ac21488e1
SSDEEP

49152:KBrY2fc7XyDjhZ0j5Jl34KZbGiJyXoogg:ArncjyDNajHZbGi4

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation	UClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation	UClient_new.exe

Executes dropped EXE 3 IoCs

pid	Process
4972	UClient.exe
1900	UClient_new.exe
644	UClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UClient = "C:\\Users\\Admin\\Desktop\\UClient.exe /s"	UClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\UBrowserIE.exe = "11000"	UClient.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\uclient\shell\open\command	UClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\uclient\shell\open	UClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\.esc\DefaultIcon\ = "C:\\Users\\Admin\\Desktop\\UClient.exe"	UClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\uclient	UClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\uclient\ = "URL:uclient protocol handler"	UClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\.esc\DefaultIcon	UClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\.esc\ = "uclient"	UClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\.escr	UClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\.escr\ = "uclient"	UClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\.escr\DefaultIcon	UClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\uclient\URL Protocol	UClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\uclient\shell	UClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\.esc	UClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\.escr\DefaultIcon\ = "C:\\Users\\Admin\\Desktop\\UClient.exe"	UClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\uclient\DefaultIcon	UClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\uclient\DefaultIcon\ = "C:\\Users\\Admin\\Desktop\\UClient.exe"	UClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\uclient\shell\open\command\ = "C:\\Users\\Admin\\Desktop\\UClient.exe \"%1\""	UClient.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4404	tmp.exe
4404	tmp.exe
4972	UClient.exe
4972	UClient.exe
1900	UClient_new.exe
1900	UClient_new.exe
1900	UClient_new.exe
1900	UClient_new.exe
644	UClient.exe
644	UClient.exe
644	UClient.exe
644	UClient.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4972	UClient.exe
4972	UClient.exe
644	UClient.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4972	UClient.exe
4972	UClient.exe
644	UClient.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 4972	4404	tmp.exe	85
PID 4404 wrote to memory of 4972	4404	tmp.exe	85
PID 4404 wrote to memory of 4972	4404	tmp.exe	85
PID 4972 wrote to memory of 1900	4972	UClient.exe	95
PID 4972 wrote to memory of 1900	4972	UClient.exe	95
PID 4972 wrote to memory of 1900	4972	UClient.exe	95
PID 1900 wrote to memory of 644	1900	UClient_new.exe	96
PID 1900 wrote to memory of 644	1900	UClient_new.exe	96
PID 1900 wrote to memory of 644	1900	UClient_new.exe	96

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\Desktop\UClient.exe
  "C:\Users\Admin\Desktop\UClient.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\uclient\temp\UClient_new.exe
    "C:\Users\Admin\AppData\Local\uclient\temp\UClient_new.exe" /d C:\Users\Admin\Desktop\UClient.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Users\Admin\Desktop\UClient.exe
      "C:\Users\Admin\Desktop\UClient.exe" /t 1900
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\UClient\procid

Filesize
4B

MD5
9fdb62f932adf55af2c0e09e55861964

SHA1
259e58e1899790724f5bde68f6c687293fce64d1

SHA256
e41d64db5703c6440b5c714d57251a845bc0bd241480b41a4e7fd3e052f85a82

SHA512
0272e80f4c075448b6aa75310cdd70f67421ad086e67940347c84d7556d714afa123e2aa1b70945b77e59ae38cdfc463b5a3ab965def6bf1d397893abeac8300

Download Submit
C:\Users\Admin\AppData\Local\UClient\procid

Filesize
3B

MD5
8c7bbbba95c1025975e548cee86dfadc

SHA1
4c8596c838c9d498b000d5fab25d2c2ea657588e

SHA256
87e50b28705900bb064d1e9df1bd6cf55a7efa01cc16c6cf0703f491a1f13d44

SHA512
7f234757b3a95fb34399585d70fa988d771cc95b92b7d77ec58259390ec1935acdcbe5e3136a3325406fd494eec7204b3abb165214fe3d4922a72b4a743b0a22

Download Submit
C:\Users\Admin\AppData\Local\uclient\UClient.db

Filesize
28KB

MD5
8ae98b8e870cf44006373ce943c18571

SHA1
553153810bc46edb92e6c79d9af369e22bbebcd8

SHA256
dda9ef7105ff40509b9558d4be90fc73a6f892a2e30ac585b54480bd23c3816e

SHA512
5926afba56b344a78026fa267ed95c3ad9bd3bf583e472413ddd8638b7c46604391c25a89c96922a3b42f3c4ed6688096d0d5c9ef128959428e89fdb482a07a7

Download Submit
C:\Users\Admin\AppData\Local\uclient\appgroup.xml

Filesize
79B

MD5
8258c3fb494764b7e4d1dfa6f98b5249

SHA1
7aec9fe45652ff692e8f4d83e0b5141e5d8bf6ef

SHA256
27b2f8bab527c849aaa7b7742614e64bfe7bc72efe34bc020df20019f19258d3

SHA512
05570f3ea08aabade658bb85e9d1236f8615aba4604edb19893298b1e3cdd25f4cda0057e9152ac3daa38f9716bab038005ccbae61cb414efdfa748f4c211f95

Download Submit
C:\Users\Admin\AppData\Local\uclient\apporder.xml

Filesize
79B

MD5
bac02ebf3111d51121a9d094e148a690

SHA1
04f08111791d2057c858c88bfc7ebbe1e2bd2328

SHA256
b3126694d4041c8d808d33aa9ae6e8199798ceb40b527e27dc5846bed21a5d5b

SHA512
eaa3a03134106717d81d86940ecca68fa1f01f7173b4f7656a0af16b03e0fdc5668bae874071559ac8e38f882af8243e11581fb576cec20fe42492881b0903a0

Download Submit
C:\Users\Admin\AppData\Local\uclient\apps\UClient_Agent\app.esc

Filesize
762B

MD5
d0665abc978ac86f11570ea527ca89ae

SHA1
115415f4e3b7e9fe2e3c8ff97877865c044f8afd

SHA256
18f7154fb3890ee495b691f67a9c2f6aeac0484303d3a0aa70abd3a7665a9337

SHA512
847f1c2446ec49963cacb37643520c7c41840f90f56a7ad5ba4369b4a3a3e5d2c0c3fdadabc0951eb01b51b991aa67fbd7e07c068ca3786424e0d22b57b452c7

Download Submit
C:\Users\Admin\AppData\Local\uclient\apps\ubrowser\app.esc

Filesize
1KB

MD5
291a0a842babcd20b20cd66f4a3e57b4

SHA1
f719e66c4ae88c814a3d08c7af5d55f8d2bbb403

SHA256
e56578d66998a8964516fe14283ff26d569edd1fe74c1eaaf40dc14ba8fd36ed

SHA512
9fe88d2bc82211859c6f89450aad61a9e040647e0c64e6e6fe7f429fa81ac93898e2fde0fb6283eb7d3d706839eb088131a3b6726fcb237fa40e7f47e690337a

Download Submit
C:\Users\Admin\AppData\Local\uclient\log\main.log

Filesize
241B

MD5
b9f28d399b86c5f9d43a89522daaed1a

SHA1
7479c14ab4429030bb25e91a5657d825166bc1f2

SHA256
8c159c42c7e59d75986a034fb38cb0a8b1d5decaf802cd4ad4517e8d5f59fde0

SHA512
dbd2be9fba51fbc9efb645a18105c505f52a71937aabc9344b7608e80edbae342467078a050ee7ae688dbcf04d707d1642377973a0b9c3c845db851470e2a82e

Download Submit
C:\Users\Admin\AppData\Local\uclient\log\main.log

Filesize
2KB

MD5
4ae3d3a6675d82716bd26a9e3b885b87

SHA1
8a7f9d119ab20501b9e205bdbf4d86d2df46cc3d

SHA256
6ffec43d60ba92177d374b050071c7947595a69465c1eb543dbbf4bd60ffa77f

SHA512
25bfe859375569bd77269b5504c51f034bea22e77ec2800895e73bcb4a4a89c4e1880ac6047bb57e195d4b57a99cbf2b68d60e43f626ec686fbc6a6ea4cee43a

Download Submit
C:\Users\Admin\AppData\Local\uclient\log\main.log

Filesize
4KB

MD5
c57bfde0f44a1338c2be482490e367d0

SHA1
1fc288276fcb04ed0df2aaae5613c5745e67a8b9

SHA256
5ad1b04131f6490bf835322c8425dff51b0059aa9e0e0b1d08963bdbe039c39c

SHA512
d394314b8ef167a7ae6d6a6549aa4d782f40e68188239b50108bab3389d915f06238a6538c61c13d2a19e15ec9c7a51b574372e03475f1ec93b23631b50946f6

Download Submit
C:\Users\Admin\AppData\Local\uclient\setting.cfg

Filesize
15B

MD5
16ee1f8ca34fc082903e32fce6025244

SHA1
9552628f52690d025b6f49011971eecc4b1b58a7

SHA256
81ad6a1a0fb68aac9c5066dbc3e9f8e8fcac4cb8b634935043cdc58f914dd133

SHA512
bb15cba4c1b4b2339fb1fe94a9d805c0bd02d413e2d0a9da5522295610da21bbb7c3ccbc6044b84e5ddb465434c1cde24c9a8cdcbc1fb09c787e32d3c2e6a902

Download Submit
C:\Users\Admin\AppData\Local\uclient\temp\UClient_new.exe

Filesize
6.6MB

MD5
35e7c4b4062e78cd42451c4bb4d78176

SHA1
4bb7f98325714354a29a2ded751ded67d8ba718e

SHA256
dc723e1fb4c3c89da65c762127b59f5740a332fdd697b419c3f2cdb64cde207f

SHA512
3fd0d906e021681dc6e5fc1f407b9f813ccecef94cd9b67c5839d9a5f2442657627c1113aede49a4870afc49bc1cc97c130728978f33fc76d75d4f957a5a1118

Download Submit
C:\Users\Admin\AppData\Local\uclient\temp\UClient_new.exe

Filesize
6.6MB

MD5
35e7c4b4062e78cd42451c4bb4d78176

SHA1
4bb7f98325714354a29a2ded751ded67d8ba718e

SHA256
dc723e1fb4c3c89da65c762127b59f5740a332fdd697b419c3f2cdb64cde207f

SHA512
3fd0d906e021681dc6e5fc1f407b9f813ccecef94cd9b67c5839d9a5f2442657627c1113aede49a4870afc49bc1cc97c130728978f33fc76d75d4f957a5a1118

Download Submit
C:\Users\Admin\AppData\Local\uclient\temp\UClient_new.exe

Filesize
6.6MB

MD5
35e7c4b4062e78cd42451c4bb4d78176

SHA1
4bb7f98325714354a29a2ded751ded67d8ba718e

SHA256
dc723e1fb4c3c89da65c762127b59f5740a332fdd697b419c3f2cdb64cde207f

SHA512
3fd0d906e021681dc6e5fc1f407b9f813ccecef94cd9b67c5839d9a5f2442657627c1113aede49a4870afc49bc1cc97c130728978f33fc76d75d4f957a5a1118

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UClient\UClient.lnk

Filesize
619B

MD5
cd7b2ff267f3088c6d5a0a7a765bce86

SHA1
de267dd4a883d3d67afcb21049af94aa45ccf2d5

SHA256
9450912c460ed134b30eca5bee9c441bbc5bf1eff18a277eb55f9540b6129678

SHA512
28b7a0a6d601ceb19d0f4f7bbfde75ff47efb989c13de7267700e865db1ca2c6bab8302b28e5142ae2549730d0159fee37fae55b8b7f83b819a5054bcf5ef6f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UClient\卸载UClient.lnk

Filesize
621B

MD5
ffcdf6eb64c16dfcce0b1c5baf2dfff6

SHA1
eebcb9a3191d9ba5f4066542c7d1294165bdb62d

SHA256
1a7a15c42a03190b538d3298e63017ca771b4de4f412d67248b046c46edcfe21

SHA512
e2d5caf655fa370c3b14ce79765b7c88c9e37b845030e3cf93ad38bd7332a9db8c2407f24035dc2d284de7b3c355e74dad462648e51e353be29fcae1efc54ed9

Download Submit
C:\Users\Admin\Desktop\UClient.exe

Filesize
1.5MB

MD5
09f16ecc21bd2d570fd6c6411128b714

SHA1
71dd57498b1989e7c61e1c4865f306e5d5e222f2

SHA256
0f6b398bf5f91af3ec82ad6a7417ec3dd71f7f220409d5c327b63a4c7334e844

SHA512
2b89d3c3e6722da0c7acfb8468aebfe112fadda93f71708e48035b9bb0ea35120a0eb1d04c80c4d2c4a2004f866f71d8a072f1f8ebc567d2813b243ac21488e1

Download Submit
C:\Users\Admin\Desktop\UClient.exe

Filesize
1.5MB

MD5
09f16ecc21bd2d570fd6c6411128b714

SHA1
71dd57498b1989e7c61e1c4865f306e5d5e222f2

SHA256
0f6b398bf5f91af3ec82ad6a7417ec3dd71f7f220409d5c327b63a4c7334e844

SHA512
2b89d3c3e6722da0c7acfb8468aebfe112fadda93f71708e48035b9bb0ea35120a0eb1d04c80c4d2c4a2004f866f71d8a072f1f8ebc567d2813b243ac21488e1

Download Submit
C:\Users\Admin\Desktop\UClient.exe

Filesize
1.5MB

MD5
09f16ecc21bd2d570fd6c6411128b714

SHA1
71dd57498b1989e7c61e1c4865f306e5d5e222f2

SHA256
0f6b398bf5f91af3ec82ad6a7417ec3dd71f7f220409d5c327b63a4c7334e844

SHA512
2b89d3c3e6722da0c7acfb8468aebfe112fadda93f71708e48035b9bb0ea35120a0eb1d04c80c4d2c4a2004f866f71d8a072f1f8ebc567d2813b243ac21488e1

Download Submit
C:\Users\Admin\Desktop\UClient.exe

Filesize
6.6MB

MD5
35e7c4b4062e78cd42451c4bb4d78176

SHA1
4bb7f98325714354a29a2ded751ded67d8ba718e

SHA256
dc723e1fb4c3c89da65c762127b59f5740a332fdd697b419c3f2cdb64cde207f

SHA512
3fd0d906e021681dc6e5fc1f407b9f813ccecef94cd9b67c5839d9a5f2442657627c1113aede49a4870afc49bc1cc97c130728978f33fc76d75d4f957a5a1118

Download Submit
C:\Users\Admin\Desktop\UClient.exe

Filesize
6.6MB

MD5
35e7c4b4062e78cd42451c4bb4d78176

SHA1
4bb7f98325714354a29a2ded751ded67d8ba718e

SHA256
dc723e1fb4c3c89da65c762127b59f5740a332fdd697b419c3f2cdb64cde207f

SHA512
3fd0d906e021681dc6e5fc1f407b9f813ccecef94cd9b67c5839d9a5f2442657627c1113aede49a4870afc49bc1cc97c130728978f33fc76d75d4f957a5a1118

Download Submit