Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24-04-2024 21:58

Static task: static1

Behavioral task: behavioral1
Sample: 577066999bc3464f9926ac7d5c8cc6f2bbc09811f4143f2d9e9dcd77c52b1b25.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 577066999bc3464f9926ac7d5c8cc6f2bbc09811f4143f2d9e9dcd77c52b1b25.exe
Resource: win10v2004-20240412-en
General
Target: 577066999bc3464f9926ac7d5c8cc6f2bbc09811f4143f2d9e9dcd77c52b1b25.exe
Size: 67KB
MD5: b0bad3c5d1ce3ecad7914d3ec32e4a82
SHA1: f957a18ed5b758017e635fb1407f037db4bb4418
SHA256: 577066999bc3464f9926ac7d5c8cc6f2bbc09811f4143f2d9e9dcd77c52b1b25
SHA512: e06fe9bbb21f905026f9b6a99e8ec475c9de2c3ea2c55dbce5622b0d0fe76a0ff9021725b1042af3d6787a7e3c1f635fd8249cfc610d04dac7766d0844883a79
SSDEEP: 1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1+dwY5b:ulg35GTslA5t3Gdwm
Malware Config
Signatures

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | ufratin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | ufratin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | ufratin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | ufratin.exe
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484B554C-4249-4255-484B-554C42494255} | ufratin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484B554C-4249-4255-484B-554C42494255}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | ufratin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484B554C-4249-4255-484B-554C42494255}\IsInstalled = "1" | ufratin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484B554C-4249-4255-484B-554C42494255}\StubPath = "C:\\Windows\\system32\\uxxexob.exe" | ufratin.exe
Sets file execution options in registry 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | ufratin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ihpakoab.exe" | ufratin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | ufratin.exe
Executes dropped EXE 2 IoCs
pid | Process
1672 | ufratin.exe
2748 | ufratin.exe
Loads dropped DLL 3 IoCs
pid | Process
2388 | 577066999bc3464f9926ac7d5c8cc6f2bbc09811f4143f2d9e9dcd77c52b1b25.exe
2388 | 577066999bc3464f9926ac7d5c8cc6f2bbc09811f4143f2d9e9dcd77c52b1b25.exe
1672 | ufratin.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | ufratin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | ufratin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | ufratin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | ufratin.exe
Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | ufratin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | ufratin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | ufratin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ougvoacom.dll" | ufratin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | ufratin.exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ihpakoab.exe | ufratin.exe
File created | C:\Windows\SysWOW64\ihpakoab.exe | ufratin.exe
File opened for modification | C:\Windows\SysWOW64\uxxexob.exe | ufratin.exe
File created | C:\Windows\SysWOW64\ougvoacom.dll | ufratin.exe
File opened for modification | C:\Windows\SysWOW64\ufratin.exe | ufratin.exe
File opened for modification | C:\Windows\SysWOW64\ufratin.exe | 577066999bc3464f9926ac7d5c8cc6f2bbc09811f4143f2d9e9dcd77c52b1b25.exe
File created | C:\Windows\SysWOW64\ufratin.exe | 577066999bc3464f9926ac7d5c8cc6f2bbc09811f4143f2d9e9dcd77c52b1b25.exe
File created | C:\Windows\SysWOW64\uxxexob.exe | ufratin.exe
File opened for modification | C:\Windows\SysWOW64\ougvoacom.dll | ufratin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1672 | ufratin.exe (all remaining entries of the 64)
2748 | ufratin.exe (1 entry)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2388 | 577066999bc3464f9926ac7d5c8cc6f2bbc09811f4143f2d9e9dcd77c52b1b25.exe
Token: SeDebugPrivilege | 1672 | ufratin.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2388 wrote to memory of 1672 | 2388 | 577066999bc3464f9926ac7d5c8cc6f2bbc09811f4143f2d9e9dcd77c52b1b25.exe | 28 (4 entries)
PID 1672 wrote to memory of 2748 | 1672 | ufratin.exe | 29 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\577066999bc3464f9926ac7d5c8cc6f2bbc09811f4143f2d9e9dcd77c52b1b25.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\577066999bc3464f9926ac7d5c8cc6f2bbc09811f4143f2d9e9dcd77c52b1b25.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2388
  C:\Windows\SysWOW64\ufratin.exe (depth 2)
    Command line: "C:\Windows\system32\ufratin.exe"
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1672
    C:\Windows\SysWOW64\ufratin.exe (depth 3)
      Command line (as recorded): ùù¿çç¤
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 2748
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 70KB
MD5: 7e37cf55f09a88dc3d0babfbd939cb1e
SHA1: 051761b4ea45544c85e096aadbb114f61c0c379b
SHA256: a21109791e6d3dc65604761714c5f9d1029f87d016a86367ba8360b5cb2d583d
SHA512: b4b0a363cb7bb80f0819c33eddd4081093c3e928f47e76e12186b98cb40ab63446dbddca3aa4516dd556f84f651454e0dc76c6055f277c3beb365ef8c5671272

Filesize: 5KB
MD5: f37b21c00fd81bd93c89ce741a88f183
SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Filesize: 69KB
MD5: 5158558b85d9131dad0fb9bbef086fdd
SHA1: 90e9d066b92f442af157e9d46bc016fe925dc2e3
SHA256: af4a0005163067999c115f107d5f3314b987cfbefc82a52d55e3d28f42511abb
SHA512: c38050e3c1ffe47ddbde0700a70433d3c119cdc66673665c0f9cdf7c71632e944abe526939281f9a58e4dba9f101e8f8d1474e998e3bd3f137dbca16b2f6714f

Filesize: 67KB
MD5: b0bad3c5d1ce3ecad7914d3ec32e4a82
SHA1: f957a18ed5b758017e635fb1407f037db4bb4418
SHA256: 577066999bc3464f9926ac7d5c8cc6f2bbc09811f4143f2d9e9dcd77c52b1b25
SHA512: e06fe9bbb21f905026f9b6a99e8ec475c9de2c3ea2c55dbce5622b0d0fe76a0ff9021725b1042af3d6787a7e3c1f635fd8249cfc610d04dac7766d0844883a79