
Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/06/2024, 05:36 UTC

General

  • Target

    UBGG Internal.exe

  • Size

    6.3MB

  • MD5

    d4e1dc6dd9095039646485bdb5b2a452

  • SHA1

    b50fd8a91e5203aa52cd8ebfa55a69705fc1af9c

  • SHA256

    fe4bf4127f90432d512fd211363d59f552c6741bc4625a08bca9ac2c89b86ea9

  • SHA512

    556afcfb8424a2b3ca783e199ec1958e0171bbfc0d633da8b264fc42506bedda8ad393a5c266b190e2c47ab8039993e90f561d4f5995c80862002296ed26e530

  • SSDEEP

    98304:mtsSlQpwe40HXnEshBljnOgV2hcOwSfvfhk2MfYDY1GgOw9c41VBji0ChmpP/:mVQpdXHXnnhNV2hcDKXhV+UYJO8c8fn

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Themida packer 22 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UBGG Internal.exe
    "C:\Users\Admin\AppData\Local\Temp\UBGG Internal.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C Get-Service -Name WpnUserService* | Restart-Service -Force
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4696
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
    PID:3788

    Network

    • DNS (US)
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      28.118.140.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.118.140.52.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      134.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      134.32.126.40.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      access.chairfbi.com
      UBGG Internal.exe
      Remote address:
      8.8.8.8:53
      Request
      access.chairfbi.com
      IN A
      Response
      access.chairfbi.com
      IN A
      172.67.223.160
      access.chairfbi.com
      IN A
      104.21.46.46
    • GET (US)
      https://access.chairfbi.com/loader/version/Customers
      UBGG Internal.exe
      Remote address:
      172.67.223.160:443
      Request
      GET /loader/version/Customers HTTP/1.1
      Connection: Keep-Alive
      User-Agent: cpprestsdk/2.10.18
      Host: access.chairfbi.com
      Response
      HTTP/1.1 200 OK
      Date: Sat, 08 Jun 2024 05:37:03 GMT
      Content-Type: text/plain; charset=utf-8
      Content-Length: 3
      Connection: keep-alive
      set-cookie: XSRF-TOKEN=e%3Ak1iYEO6Cs6zfbwv_AXyZFYqf3FeegIyy4MxPZPcJ4m_C9fMnA_0ZOaCYBdHFGrG_aO9vKBkRDlvbTFXYxOkR8SnVTRe10CxKNnTvnoEcBHU.dHFUUEFTeUpid0V2NHZtZw.vsEtQ7hCgeiAY1rREHWW9dAK4zHz6zZEQ0Zy5p-qq2c; Max-Age=7200; Path=/
      set-cookie: adonis-session=s%3AeyJtZXNzYWdlIjoiY2x4NW9uejhzMmFseGx1aXIwa2E0MG03biIsInB1cnBvc2UiOiJhZG9uaXMtc2Vzc2lvbiJ9.ybGhZMx-z_NmnubgyVWKAaIgGalB4jS-RKIXI6D3NZw; Max-Age=7200; Path=/; HttpOnly
      set-cookie: clx5onz8s2alxluir0ka40m7n=e%3AeEkLJKz9wkdJUU4-UfFNuPm3qCR28ORU85yGhw54c_4Ny3Q5YXWvxsZHjwzhU0nNihnA_sjG2w8bmSppywIPiR6gAg7W2dmFuTb6vjML0uYux97VFyC4NF-V_sMUqvoc.YnNManNWRjdjN0dEaGg0aw.SYuGB-cL80Rp_yDLRMtTH0OwbSfKUIWdHK_zxGq9QNI; Max-Age=7200; Path=/; HttpOnly
      x-dns-prefetch-control: on
      x-frame-options: DENY
      strict-transport-security: max-age=15552000000; includeSubDomains
      x-content-type-options: nosniff
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JJf%2F54EkcVyUjvVIjqNAcbC7IrdFt1Eby%2BUkLE97rYFsjgyCZeZxjb2%2BnppYS5ZHtPZ5pe%2FjnGpMcH2vjO7WPzsXSZ%2FGwpG6o81t4UjvGDoDrOMf13ryYBvPCHRWrb%2FlGr%2F8c4Fl"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8906871ccb69956b-LHR
      alt-svc: h3=":443"; ma=86400
    • DNS (US)
      x2.c.lencr.org
      UBGG Internal.exe
      Remote address:
      8.8.8.8:53
      Request
      x2.c.lencr.org
      IN A
      Response
      x2.c.lencr.org
      IN CNAME
      crl.root-x1.letsencrypt.org.edgekey.net
      crl.root-x1.letsencrypt.org.edgekey.net
      IN CNAME
      e8652.dscx.akamaiedge.net
      e8652.dscx.akamaiedge.net
      IN A
      23.55.97.11
    • GET (BE)
      http://x2.c.lencr.org/
      UBGG Internal.exe
      Remote address:
      23.55.97.11:80
      Request
      GET / HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: x2.c.lencr.org
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Content-Type: application/pkix-crl
      Last-Modified: Mon, 12 Feb 2024 22:07:27 GMT
      ETag: "65ca969f-12b"
      Cache-Control: max-age=3600
      Expires: Sat, 08 Jun 2024 06:37:03 GMT
      Date: Sat, 08 Jun 2024 05:37:03 GMT
      Content-Length: 299
      Connection: keep-alive
    • DNS (US)
      160.223.67.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      160.223.67.172.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      11.97.55.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      11.97.55.23.in-addr.arpa
      IN PTR
      Response
      11.97.55.23.in-addr.arpa
      IN PTR
      a23-55-97-11.deploy.static.akamaitechnologies.com
    • DNS (US)
      196.249.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      196.249.167.52.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      228.249.119.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.249.119.40.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      86.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.23.85.13.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      0.204.248.87.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.204.248.87.in-addr.arpa
      IN PTR
      Response
      0.204.248.87.in-addr.arpa
      IN PTR
      https-87-248-204-0.lhr.llnw.net
    • DNS (US)
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      226.162.46.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      226.162.46.104.in-addr.arpa
      IN PTR
      Response
    • 172.67.223.160:443
      https://access.chairfbi.com/loader/version/Customers
      tls, http
      UBGG Internal.exe
      973 B
      6.9kB
      12
      12

      HTTP Request

      GET https://access.chairfbi.com/loader/version/Customers

      HTTP Response

      200
    • 23.55.97.11:80
      http://x2.c.lencr.org/
      http
      UBGG Internal.exe
      391 B
      760 B
      6
      4

      HTTP Request

      GET http://x2.c.lencr.org/

      HTTP Response

      200
    • 20.231.121.79:80
      46 B
      1
    • 13.107.246.64:443
      46 B
      40 B
      1
      1
    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      28.118.140.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      28.118.140.52.in-addr.arpa

    • 8.8.8.8:53
      134.32.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      134.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      access.chairfbi.com
      dns
      UBGG Internal.exe
      65 B
      97 B
      1
      1

      DNS Request

      access.chairfbi.com

      DNS Response

      172.67.223.160
      104.21.46.46

    • 8.8.8.8:53
      x2.c.lencr.org
      dns
      UBGG Internal.exe
      60 B
      165 B
      1
      1

      DNS Request

      x2.c.lencr.org

      DNS Response

      23.55.97.11

    • 8.8.8.8:53
      160.223.67.172.in-addr.arpa
      dns
      73 B
      135 B
      1
      1

      DNS Request

      160.223.67.172.in-addr.arpa

    • 8.8.8.8:53
      11.97.55.23.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      11.97.55.23.in-addr.arpa

    • 8.8.8.8:53
      196.249.167.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      196.249.167.52.in-addr.arpa

    • 8.8.8.8:53
      228.249.119.40.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      228.249.119.40.in-addr.arpa

    • 8.8.8.8:53
      86.23.85.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      86.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      0.204.248.87.in-addr.arpa
      dns
      71 B
      116 B
      1
      1

      DNS Request

      0.204.248.87.in-addr.arpa

    • 8.8.8.8:53
      21.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      21.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      226.162.46.104.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      226.162.46.104.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x4acar4z.rwp.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/628-32-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-38-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-3-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-4-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-33-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-7-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-6-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-46-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-45-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-44-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-1-0x00007FF9F5790000-0x00007FF9F5792000-memory.dmp

      Filesize

      8KB

    • memory/628-43-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-2-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-42-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-5-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-34-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-35-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-36-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-37-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-0-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-39-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-40-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/628-41-0x00007FF76BFC0000-0x00007FF76CF0D000-memory.dmp

      Filesize

      15.3MB

    • memory/4696-25-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp

      Filesize

      2.0MB

    • memory/4696-13-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp

      Filesize

      2.0MB

    • memory/4696-12-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp

      Filesize

      2.0MB

    • memory/4696-10-0x000001A3A6340000-0x000001A3A6362000-memory.dmp

      Filesize

      136KB

    • memory/4696-11-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp

      Filesize

      2.0MB