cc3fbfa0fa74fbc726e44e82698122ef072faba171c51b65c769b79b359d6790

Analysis

max time kernel
144s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/UBIKeyPlugIn.exe
Size

65KB
MD5

a4aceddcc388b5f27099e45eee5491be
SHA1

e417a140ba3b047a8ca81c10117ade245d0f1571
SHA256

9b798ac9ebf4d526082b55a83764217345dee83cc95c43ce0ac363b24e186646
SHA512

67649a58009979075c3a5fe19c4b5b60083d432b3849602fd35a868c8aac603c988e96095f01cceac1a140524b5ddd84327f62e32581afce627e6601d58daee3
SSDEEP

1536:fLv+zvAOsOn/7UJKarrMnnP3o94eh3hYE:QHnnwJKa0nP3o9HAE

Score

7^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UBIKey = "\"C:\\Program Files (x86)\\INFovine\\UBIKeyService.exe\""	UBIKeyPlugIn.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
552	netsh.exe
4380	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	UBIKeyPlugIn.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\UbiKey.dll	UBIKeyPlugIn.exe
File opened for modification	C:\Windows\SysWOW64\UbiKey.dll	UBIKeyPlugIn.exe
File created	C:\Windows\SysWOW64\UbiKeyWin32.dll	UBIKeyPlugIn.exe
File created	C:\Windows\SysWOW64\UbiKeyUninstall.exe	UBIKeyPlugIn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\INFovine\DSCToolkitV30.dll	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\UbikeyCrypto.dll	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\UBIKey_svr.key	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\MobileCertWin32.dll	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\NpkiCard.dll	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\kdfapi2.dll	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\UBIKey_svr.crt	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\list.ifv	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\DSCertEx.dll	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\oid.ifv	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\sc.ifv	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\UBIKeyService.exe	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\UBIKey_Root.crt	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\msvcr120.dll	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\mc.ifv	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\SCSKAPPLink.dll	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\NFilterOpenWeb.dll	UBIKeyPlugIn.exe
File created	C:\Program Files (x86)\INFovine\UBIKey_Root.key	UBIKeyPlugIn.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\certutil.log	certutil_win.exe

Executes dropped EXE 1 IoCs

pid	Process
3532	UbikeyService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3180	UBIKeyPlugIn.exe
3180	UBIKeyPlugIn.exe
3532	UbikeyService.exe
3532	UbikeyService.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3180	UBIKeyPlugIn.exe
3180	UBIKeyPlugIn.exe
3180	UBIKeyPlugIn.exe
3532	UbikeyService.exe
3532	UbikeyService.exe
3532	UbikeyService.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 2900	3180	UBIKeyPlugIn.exe	87
PID 3180 wrote to memory of 2900	3180	UBIKeyPlugIn.exe	87
PID 3180 wrote to memory of 2900	3180	UBIKeyPlugIn.exe	87
PID 3180 wrote to memory of 4128	3180	UBIKeyPlugIn.exe	91
PID 3180 wrote to memory of 4128	3180	UBIKeyPlugIn.exe	91
PID 3180 wrote to memory of 4128	3180	UBIKeyPlugIn.exe	91
PID 3180 wrote to memory of 2240	3180	UBIKeyPlugIn.exe	93
PID 3180 wrote to memory of 2240	3180	UBIKeyPlugIn.exe	93
PID 3180 wrote to memory of 2240	3180	UBIKeyPlugIn.exe	93
PID 3180 wrote to memory of 1440	3180	UBIKeyPlugIn.exe	95
PID 3180 wrote to memory of 1440	3180	UBIKeyPlugIn.exe	95
PID 3180 wrote to memory of 1440	3180	UBIKeyPlugIn.exe	95
PID 3180 wrote to memory of 4380	3180	UBIKeyPlugIn.exe	97
PID 3180 wrote to memory of 4380	3180	UBIKeyPlugIn.exe	97
PID 3180 wrote to memory of 4380	3180	UBIKeyPlugIn.exe	97
PID 3180 wrote to memory of 552	3180	UBIKeyPlugIn.exe	99
PID 3180 wrote to memory of 552	3180	UBIKeyPlugIn.exe	99
PID 3180 wrote to memory of 552	3180	UBIKeyPlugIn.exe	99
PID 3180 wrote to memory of 3532	3180	UBIKeyPlugIn.exe	101
PID 3180 wrote to memory of 3532	3180	UBIKeyPlugIn.exe	101
PID 3180 wrote to memory of 3532	3180	UBIKeyPlugIn.exe	101

C:\Users\Admin\AppData\Local\Temp\$TEMP\UBIKeyPlugIn.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\UBIKeyPlugIn.exe"
1⤵
- Adds Run key to start application
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Local\Temp\$TEMP\certutil_win.exe
  "C:\Users\Admin\AppData\Local\Temp\$TEMP\certutil_win.exe" -addstore root UBIKey_Root.crt
  2⤵
  - Drops file in Windows directory
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\$TEMP\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\$TEMP\certutil.exe" -D -n UBIKey -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b47qywhs.Admin"
  2⤵
  PID:4128
- C:\Users\Admin\AppData\Local\Temp\$TEMP\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\$TEMP\certutil.exe" -A -n UBIKey -t "CT,C,c" -i UBIKey_Root.crt -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b47qywhs.Admin"
  2⤵
  PID:2240
- C:\Users\Admin\AppData\Local\Temp\$TEMP\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\$TEMP\certutil.exe" -A -n UBIKey -t "CT,C,c" -i UBIKey_Root.crt -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b47qywhs.Admin"
  2⤵
  PID:1440
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Program Files (x86)\INFovine\UbikeyService.exe" "UBIKey" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4380
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" firewall show
  2⤵
  - Modifies Windows Firewall
  PID:552
- C:\Program Files (x86)\INFovine\UbikeyService.exe
  "C:\Program Files (x86)\INFovine\UbikeyService.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\INFovine\UBIKey_svr.crt

Filesize
1KB

MD5
58141645c3c353c9d31e7622381f38f8

SHA1
afa438affd318103d12fdd0f40841f5e00dcd247

SHA256
f2fcfba20bfe42a6aa1466e4e2d04f01c47fe878d217f95ccb249621151c2fa0

SHA512
1a428c3620ca74450f8d5eddd2e49f6c6c5fac196b55edd2091d59952718dc4daa0b328b7d8f5f96767a1426be6016b5d5da30f3fbf804ad4e9d95d1791866a1

Download Submit
C:\Program Files (x86)\INFovine\UBIKey_svr.key

Filesize
1KB

MD5
9aa54a652397bdcc2b241c94d54dad52

SHA1
b095cd09752c9645390f3cb5d4695a160f6944fc

SHA256
f4a1a4aabcf3b044d42a5f79756c22e3aefc6b799b059374282f43ecd04db5ef

SHA512
73419d759da7066747c6cd187089eaee856f36d03cdc4cd7db06bfc60a803fbdf27ddd7b52548b67b3a4a6a486c2cce2b558fcb80dee12645adaef797d1f6680

Download Submit
C:\Program Files (x86)\INFovine\UbikeyService.exe

Filesize
925KB

MD5
4e459af1454c80755092c7456cb04259

SHA1
456f8a13dc1744c64d2b93da86b6141087c066bc

SHA256
53f89189bee930b2512978be079978bcea3bb6004c45d8ccb52d96b51eb22002

SHA512
9af836489bf21e3ef8b87e7a33cf7a54d0ccbf15d9bb385c04b1848522ec91bcc5358d85fb8284d922986d4101ee5503c74bc24a5adb5b3355ef1f9f74a5fa1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b47qywhs.Admin\cert8.db

Filesize
64KB

MD5
5ed677ba541f087479591fafb449c336

SHA1
82b0edf7955102e0eac314dec266f576ffe96e23

SHA256
ce54c140c2041a0dbaf95b8b095caec358cf260b106f3c312c3a594270c19c00

SHA512
3ec79b37741d8153cd289b689a1f2cd05bbc57e40d1543efa5b200302fdd61d3adfc8dae421c62cceb855effce333c9f9764855bea221f9bef51580eb89ad068

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b47qywhs.Admin\key3.db

Filesize
16KB

MD5
44c3761845a39d966d27ed1844f408e8

SHA1
0813f1a289642eb8d69402383c892ed14addd715

SHA256
8069316ee0cb4d905e2ab8da8b8e5b94bfbdf887af2128c72b8d174b7989ea51

SHA512
9d6d4209d8961486257a113523b7d47ee73617f6e4f0c30d4e689e573e7838ac9c09c6ebb805e57299ef024913650e754fa9b381487bfd18714955eac1676981

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b47qywhs.Admin\key4.db

Filesize
9KB

MD5
e45c3fb0f28fe6590e3d75c785e65c1f

SHA1
d96690392e6428cac59bbaa9b2bcdbac27e683e5

SHA256
020b3c13b4dc97a12af70e1330d364ff2b17d08b6e4f607f3527ebcf962a2421

SHA512
be49505abd641bfd4a1bf6698578dab5951dbd1b254cf540f863f586a76576833d9f52f82810b047582ff379884d7452085b277132e6627c7fbc4733a0246e2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b47qywhs.Admin\secmod.db

Filesize
16KB

MD5
9f841b2f70c7bb54bb83aa2f5d07b0e3

SHA1
813a2fafc895f87f80f0f22fe2cffa623fe4f7f6

SHA256
32ed6ae9d5e7e6c03b66da42fb312f47059397f6a9043d7250486fb2a7644dc2

SHA512
59184d18ce2656f7ec761765d8120ce0278fe192cdaad8f1a55ac36d23cd0666ca898bdd31ed7cc00d2e8371f7abf9e9530db5451b11b578ee038929ce8850f6

Download Submit
memory/2900-28-0x00000000006A0000-0x00000000006D1000-memory.dmp

Filesize
196KB

Download