Analysis

  • max time kernel: 117s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 27/01/2024, 22:19

General

  • Target: $TEMP/UBIKeyPlugIn.exe
  • Size: 65KB
  • MD5: a4aceddcc388b5f27099e45eee5491be
  • SHA1: e417a140ba3b047a8ca81c10117ade245d0f1571
  • SHA256: 9b798ac9ebf4d526082b55a83764217345dee83cc95c43ce0ac363b24e186646
  • SHA512: 67649a58009979075c3a5fe19c4b5b60083d432b3849602fd35a868c8aac603c988e96095f01cceac1a140524b5ddd84327f62e32581afce627e6601d58daee3
  • SSDEEP: 1536:fLv+zvAOsOn/7UJKarrMnnP3o94eh3hYE:QHnnwJKa0nP3o9HAE

Signatures

  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Modifies Windows Firewall (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Drops file in Program Files directory (18 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (9 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\UBIKeyPlugIn.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\UBIKeyPlugIn.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Users\Admin\AppData\Local\Temp\$TEMP\certutil_win.exe
      "C:\Users\Admin\AppData\Local\Temp\$TEMP\certutil_win.exe" -addstore root UBIKey_Root.crt
      2⤵
      • Drops file in Windows directory
      PID:2848
    • C:\Users\Admin\AppData\Local\Temp\$TEMP\certutil.exe
      "C:\Users\Admin\AppData\Local\Temp\$TEMP\certutil.exe" -D -n UBIKey -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x5f9h1ra.Admin"
      2⤵
      PID:2072
    • C:\Users\Admin\AppData\Local\Temp\$TEMP\certutil.exe
      "C:\Users\Admin\AppData\Local\Temp\$TEMP\certutil.exe" -A -n UBIKey -t "CT,C,c" -i UBIKey_Root.crt -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x5f9h1ra.Admin"
      2⤵
      PID:2612
    • C:\Users\Admin\AppData\Local\Temp\$TEMP\certutil.exe
      "C:\Users\Admin\AppData\Local\Temp\$TEMP\certutil.exe" -A -n UBIKey -t "CT,C,c" -i UBIKey_Root.crt -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x5f9h1ra.Admin"
      2⤵
      PID:2748
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Program Files (x86)\INFovine\UbikeyService.exe" "UBIKey" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:2556
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" firewall show
      2⤵
      • Modifies Windows Firewall
      PID:2896
    • C:\Program Files (x86)\INFovine\UbikeyService.exe
      "C:\Program Files (x86)\INFovine\UbikeyService.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2952

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\INFovine\UBIKey_svr.crt
    Filesize: 1KB
    MD5: 58141645c3c353c9d31e7622381f38f8
    SHA1: afa438affd318103d12fdd0f40841f5e00dcd247
    SHA256: f2fcfba20bfe42a6aa1466e4e2d04f01c47fe878d217f95ccb249621151c2fa0
    SHA512: 1a428c3620ca74450f8d5eddd2e49f6c6c5fac196b55edd2091d59952718dc4daa0b328b7d8f5f96767a1426be6016b5d5da30f3fbf804ad4e9d95d1791866a1

  • C:\Program Files (x86)\INFovine\UBIKey_svr.key
    Filesize: 1KB
    MD5: 9aa54a652397bdcc2b241c94d54dad52
    SHA1: b095cd09752c9645390f3cb5d4695a160f6944fc
    SHA256: f4a1a4aabcf3b044d42a5f79756c22e3aefc6b799b059374282f43ecd04db5ef
    SHA512: 73419d759da7066747c6cd187089eaee856f36d03cdc4cd7db06bfc60a803fbdf27ddd7b52548b67b3a4a6a486c2cce2b558fcb80dee12645adaef797d1f6680

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x5f9h1ra.Admin\cert8.db
    Filesize: 64KB
    MD5: 5ed677ba541f087479591fafb449c336
    SHA1: 82b0edf7955102e0eac314dec266f576ffe96e23
    SHA256: ce54c140c2041a0dbaf95b8b095caec358cf260b106f3c312c3a594270c19c00
    SHA512: 3ec79b37741d8153cd289b689a1f2cd05bbc57e40d1543efa5b200302fdd61d3adfc8dae421c62cceb855effce333c9f9764855bea221f9bef51580eb89ad068

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x5f9h1ra.Admin\key3.db
    Filesize: 16KB
    MD5: b8f91a41319231ea653dd6993299c70a
    SHA1: 116690c11c4637e8ffb8a6cd8b977abee9e68098
    SHA256: a3f55fb3e27f8a9d0e917355912b1d0444a9231f3ef9dc20cd66c4258d34a467
    SHA512: 2d0275c49fbe7f64c6981a5c581d2e73ae74f952a72fa4e92ecb3d3797aa1f5c4d52b88a51e65247454e6e62999e27435457a49ee1d57cf668a21cbe7ef8ecf5

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x5f9h1ra.Admin\key4.db
    Filesize: 9KB
    MD5: e45c3fb0f28fe6590e3d75c785e65c1f
    SHA1: d96690392e6428cac59bbaa9b2bcdbac27e683e5
    SHA256: 020b3c13b4dc97a12af70e1330d364ff2b17d08b6e4f607f3527ebcf962a2421
    SHA512: be49505abd641bfd4a1bf6698578dab5951dbd1b254cf540f863f586a76576833d9f52f82810b047582ff379884d7452085b277132e6627c7fbc4733a0246e2f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x5f9h1ra.Admin\secmod.db
    Filesize: 16KB
    MD5: 7cf160a4d2a0fc7cccc7720186022635
    SHA1: 93e47be0853373c4a5714a60444ca0621c53107c
    SHA256: e263694998d10fe09c887a66ba882feaed87abbd44fb8f7887604dcaac7fafaf
    SHA512: 567e72ed69a020e591735eb0e28519e4962c4602a3d6863df29455752e2f08d0976141c2093e88d7471d9115c24402f74a6a2763586bec041d2cb4565b8b7524

  • \Program Files (x86)\INFovine\UBIKeyService.exe
    Filesize: 925KB
    MD5: 4e459af1454c80755092c7456cb04259
    SHA1: 456f8a13dc1744c64d2b93da86b6141087c066bc
    SHA256: 53f89189bee930b2512978be079978bcea3bb6004c45d8ccb52d96b51eb22002
    SHA512: 9af836489bf21e3ef8b87e7a33cf7a54d0ccbf15d9bb385c04b1848522ec91bcc5358d85fb8284d922986d4101ee5503c74bc24a5adb5b3355ef1f9f74a5fa1a

  • \Windows\SysWOW64\UbiKey.dll
    Filesize: 53KB
    MD5: b89218255384b587056cb1e948c295d5
    SHA1: 0b13185c5152a221bc69cf27bccdc8cc9aeb1c7a
    SHA256: 03810ba96b08824141ef982dcdb76c42ef8bd7f91c852ff26120a0b82fba99cb
    SHA512: 48b181547448507c39465942ded6d18da9ff318fbc3abff042d18f70043a471050546b3e0b387b5d689e69baec5a027fb234c935d3068eeee867dc7d4a8b857f

  • \Windows\SysWOW64\UbiKeyWin32.dll
    Filesize: 57KB
    MD5: 27ac04ae932f911c29ec56c7e75b7b82
    SHA1: 342459632c0af7d7142475abb3f82b9269f11a1c
    SHA256: 743097d53417609448988f4498d05c780feee5d946b20d6ada023d1597864eb8
    SHA512: 1b233145129b05d2a3650409034825de951e7cfbf3d1f39fcd2debb1e49e916a3f6abbad7d01b424fbc54074e09c3276c48ca648aaac68244ba71ccc6e2dad57