hxxps://github[.]com/pankoza2-pl/malwaredatabase-old/blob/main/Uranium%200[.]5[.]zip

Analysis

max time kernel
156s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 07:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/malwaredatabase-old/blob/main/Uranium%200.5.zip

Score

8^/10

bootkit discovery evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000\Control Panel\International\Geo\Nation	Uranium0.5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
3580	Uranium0.5.exe
1728	mbr.exe
1964	sn.exe
2904	gl4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
50	raw.githubusercontent.com
51	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gl4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uranium0.5.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5004	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zG.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zG.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2352	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5004	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4556	msedge.exe
4556	msedge.exe
868	msedge.exe
868	msedge.exe
60	identity_helper.exe
60	identity_helper.exe
3932	msedge.exe
3932	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3520	7zG.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	4384	7zG.exe
Token: 35	4384	7zG.exe
Token: SeSecurityPrivilege	4384	7zG.exe
Token: SeSecurityPrivilege	4384	7zG.exe
Token: SeRestorePrivilege	3520	7zG.exe
Token: 35	3520	7zG.exe
Token: SeSecurityPrivilege	3520	7zG.exe
Token: SeSecurityPrivilege	3520	7zG.exe
Token: 33	4404	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4404	AUDIODG.EXE
Token: SeShutdownPrivilege	2140	shutdown.exe
Token: SeRemoteShutdownPrivilege	2140	shutdown.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
4384	7zG.exe
3520	7zG.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3580	Uranium0.5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 1080	868	msedge.exe	83
PID 868 wrote to memory of 1080	868	msedge.exe	83
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4404	868	msedge.exe	84
PID 868 wrote to memory of 4556	868	msedge.exe	85
PID 868 wrote to memory of 4556	868	msedge.exe	85
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86
PID 868 wrote to memory of 4744	868	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old/blob/main/Uranium%200.5.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ee7c46f8,0x7ff8ee7c4708,0x7ff8ee7c4718
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,11728479098374137740,7311186090329621986,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,11728479098374137740,7311186090329621986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,11728479098374137740,7311186090329621986,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,11728479098374137740,7311186090329621986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,11728479098374137740,7311186090329621986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,11728479098374137740,7311186090329621986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,11728479098374137740,7311186090329621986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,11728479098374137740,7311186090329621986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,11728479098374137740,7311186090329621986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,11728479098374137740,7311186090329621986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,11728479098374137740,7311186090329621986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2248,11728479098374137740,7311186090329621986,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,11728479098374137740,7311186090329621986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2248,11728479098374137740,7311186090329621986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:60

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1540

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap11376:84:7zEvent32752
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4384

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Uranium 0.5\" -ad -an -ai#7zMap29992:84:7zEvent10511
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3520

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Uranium 0.5\Readme.txt
1⤵
PID:4752

C:\Users\Admin\Desktop\Uranium 0.5\Uranium0.5.exe
"C:\Users\Admin\Desktop\Uranium 0.5\Uranium0.5.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3580
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\DAAB.tmp\DABC.tmp\DABD.vbs //Nologo
  2⤵
  - Checks computer location settings
  PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAAB.tmp\ur.cmd" "
    3⤵
    - Checks computer location settings
    - Modifies registry class
    PID:3952
  - - C:\Windows\system32\reg.exe
      REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\DAAB.tmp\mbr.exe
      mbr.exe
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\DAAB.tmp\sn.exe
      sn.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1964
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\DAAB.tmp\gl4.exe
      gl4.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2904
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DAAB.tmp\t.vbs"
      4⤵
      PID:4492
  - - C:\Windows\system32\shutdown.exe
      shutdown /r /t 200 /c "Uranium.exe Terminated Your PC"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2140

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c 0x51c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
506e03d65052f54028056da258af8ae6

SHA1
c960e67d09834d528e12e062302a97c26e317d0e

SHA256
b26d2695dfe8aed4d0d67d11b46d4542c3c9c8964533404dfe32ce7a3e6cfb98

SHA512
15da55267433c41febebbe48983023293c6d436f89a56138cef1cea7deb5cdd7d4bcf58af12835e1152a8ec59e08cfc965e521eb54eed47fe44e1f4c2d1557a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a15dea0d79ea8ba114ad8141d7d10563

SHA1
9b730b2d809d4adef7e8b68660a05ac95b5b8478

SHA256
0c4dd77399040b8c38d41b77137861002ef209c79b486f7bbdb57b5834cd8dbf

SHA512
810fc1fb12bceae4ca3fad2a277682c2c56f0af91a329048adbeb433715b1f707927274e3e4a4479222f578e8218663533440c71b22c49735a290f907cc0af1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
716e0eb425eea39297204229f61f0779

SHA1
9a19f40ed7fc44aeec3b0b6dbc3f67ce973dc658

SHA256
6c089168b27d163666dfa1ee5263ac4ea2ec0e482eeec48581970407caaa411d

SHA512
a62bce459ca6ef3b6c39bfad9623f0d22ab95f3f94ded6b21d77dfe4f0b5a558ab63aed46be00e4151e7ec829cc632d2a68c283eb8e2e12904c75fc08a3bb985

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
0a8a7c3dafeb4ad3d8cb846fc95b8f1c

SHA1
69e2b994e6882e1e783410dae53181984050fa13

SHA256
a88495f2c1c26c6c1d5690a29289467c8bb8a94bf6f4801d2c14da1456773f90

SHA512
2e59b4cd4cf6f86537aae4ae88e56e21abcff5070c5c1d1d2105a8e863523c80740438cc36b2b57672bc7bb7fb9387896135afcce534edfd4697fecf61031a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c359af4775d04e8bd1048450a9020cf0

SHA1
ded2c24775e8a912abe126026b138393274ec1bb

SHA256
7a59f4c88e7fa22f0b052df6a129c99453e8a344d478e98fcf3e2e90470964e4

SHA512
3dc9ffa67fbc5b176350e6838723350654f81782c02d478fb4a0f448420f7be0a008bf0efd4f3cd5e54a157513f088766a0017dca4da70e72f5e1a95f5e97f57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fda82c6871689aaaba383b20a989e508

SHA1
576ee2fb6d240fcff7ad175e0e4fabbb590fe367

SHA256
e22748454fca0d46266991a7c033a5bc1c5fd5b949f9a4a08c71640d625f54fe

SHA512
b8536300f1e4de4677416a6a898984638e4a5c5823b9d151fbd368f09a86f2da0dd4a12111068d648ea68b0ec74eec3a975733e053bf8c3b112e6cb81d498e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6287aa7137e0f13bd89531e323a9c78c

SHA1
d7d4fcee623cddc073620d841726abeddc4858d8

SHA256
0de5ef106bf93b6f3979317a11ee5cffc58062eee899d4a1750d5c5f8dcc1292

SHA512
787347c26c7d6ea24c760ba7fbaf49a1c31968a720b838dd5efdd256186e03620c51be47f54da0374f762e5f7ee41ca36d81839a7b3d561a2afca420a950c31b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1fce8cb8ca66e834fbe579ca8c6b31e3

SHA1
ccf3d4a2a2f29a900daf755d5f346a241a160933

SHA256
de7623e3b66df69070a14b8c9ed41ad4276238222fbb266bdf402aa62bcf4319

SHA512
9dcdb1aa14a2f5d050bbd1308205fb9aabb6b2c3395e74212892f513b22bb2854456f6199123d644039542d41d2c5aab681896bb0b75773d4c8c19eb0b24936d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fd0d.TMP

Filesize
874B

MD5
10a5fa560c529caaea9485ea13b8c8d5

SHA1
57e046716adc8c1c0b596055788570923d56cab4

SHA256
7a9d0c7b948ffd94825da19c8af85773d2702adfce8f5164553fd90404af995f

SHA512
88319ff023aa30968254aeb417b5a14f83753886f00c3411e25dae01d93791b591720ba2f90af1f406ef4281e22a0a7048952652a3ed91a4f2813e3f79b29747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
160945edcdc42ea1ffa884d9798b8657

SHA1
64261696e394c5916ce347443a254e374538b1dd

SHA256
45079e7ebd60487b2268d5113119b6616e2ca7fcfc136ca422f797a5fe5cbd89

SHA512
4b9437b65e66e180b734729723f920216f39cc85039c938dd862f01c6e145acde2d7b3b1fc6a361b19e933d30140fceb02c71569fdd4378cf6129667f9f7ebe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c334735f9f49b9cd3840c40cec4b124e

SHA1
43e72ddf8b32caa09d306b9dab4b246b2a583cd1

SHA256
c753a084aed77b2c050c33dad148087f49dee90a98fe5592b235091c17185b23

SHA512
958022c2a87f13541bd6801dd36ab68bf281122c1db5c217d6d77df233e26e63a4e487654d9e184b51de91d87e0567996c030795f55b3e7f42135f8a6055c3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAAB.tmp\DABC.tmp\DABD.vbs

Filesize
602B

MD5
3c18f6e3fc0a1c96938829f03a9c830d

SHA1
bb774a05712e2d48502c12a08a336d85ce78cee7

SHA256
3b2c8f2480dd4a5de600ca0a4b3f024e5f70c2984a4bb375189bfad206b32690

SHA512
7eed53bedeb8b65508b8e6fdc04dfc72653fb3d8c88da2f8d344a8b8b27963da90347b34ddd2ef2882e9ec63d7a745d95310b69eb385e8b464871eec0060c19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAAB.tmp\gl4.exe

Filesize
107KB

MD5
a5abdf53e99edb8376ebc0e9f243ce1a

SHA1
cc01167a087a235d119bb866307f502d02ed7b44

SHA256
e27b6d1593e288c9d538d52d49bdebbd8273fae1c1e5e35c74c0a33a09c0133a

SHA512
3e1581e5dd5d3deb9524204a125a3d73b5d9631336bc1780dffdcf00a826a07b2aa2778f71999f238caf7091738ef1b07c0879ad5496c8e9182782574f7f99a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAAB.tmp\mbr.exe

Filesize
1.3MB

MD5
7bc50a34c948a8edf5fbeace233d6572

SHA1
17d1033372b9b5da30506a443d57db4a5254cc5a

SHA256
6e06c350fbb82a23860ef6ced21956f077ba61dbb1cc37c4ee2e6e76efe84c0e

SHA512
6d5623442119f33db18b1f3dea4773e8e91d5de842d1af46b58a4083677aef119bbadcebf1b9478bbd5141095e265a8740c0773b1ccb7646f60acc15b9be4045

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAAB.tmp\sn.exe

Filesize
102KB

MD5
876e8ae7d5981f9cb338afa8f4cafd01

SHA1
b49354a2d6a0e1a98b0faa9de14af99e64e9a527

SHA256
d003feaddaeb84b9fc57437bb0b5fc9a46e6f2f9f70427d06e5514e5264173e1

SHA512
38480d20863b8d226c4de34d2a3cec5fc79b3d2f6d7c995234d004edc7e37c714e5935ca156ff206228106034cf68651c8925f2c78e47e0a3a884122c0941f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAAB.tmp\sn.wav

Filesize
5.1MB

MD5
7382e20023274f9011a8c389637c8ca1

SHA1
63df3e68d6cb41db1e0732a8d0e70aa81a78ed07

SHA256
9eaf8e4ce9d9dd998f5db9724e2439834d3e1a054e0d77ee7cf0f2cd371f1de0

SHA512
befcb02743e0953ce0dce7dc1a3e664367cb2206c8d78757de49497c4a07e975a71eaaf319c0ee7ae220ca406b31ab04b3acafcd99f860e9b84203bd8db00da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAAB.tmp\t.vbs

Filesize
314B

MD5
c9a41a075b470de4c50a065b961a1433

SHA1
aa6da306d52595dc6a48b8c35a65c73a1eb76a97

SHA256
e86eabf3e022daadfbaa3bf9d697e6b23e704cc77ea5c82e282d5e7a210addba

SHA512
d4b8ff13c31cbc31972d366ca91ca8971c62b2dbfb53214baff0ef4c81733ce6ac3c63a96c78782872e095bb70a425023ebe3689eb16c7cc16e73620338c4db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAAB.tmp\ur.cmd

Filesize
284B

MD5
e27bac2287e60d839e2703b2400681ac

SHA1
a5ec922014fa923edc8ef0488549fbd0c0ee6263

SHA256
504714f50c425b316a678bf62b4d3826b3e48ffc79118426c8858db10cf42c7e

SHA512
a6903eec92eaf76cbe250dee1d8dfe82a009e02e8ef410ae0e1956b6703a95587512bae2bee395bd84cf9e44e4acd93383aff70e4864ff66ee2e26fabbeb9dbf

Download Submit
C:\Users\Admin\Desktop\Uranium 0.5\Readme.txt

Filesize
125B

MD5
212bb3ec07fc449a2d33f1ca3a2ce449

SHA1
a923c465b6dd1b48c53fa046fc96896ff1d9ae10

SHA256
65e1072d65f03516079f91e591342ba8a1def8a7bf00669097294eaabd50f52b

SHA512
a987f318e566182d784f0bd16ece6f3d93cad03cb52d22f979b9d978c13c64c81f795df55406599b2aa48827117792ce9f295ac6eaf25eaa560c5aa212226644

Download Submit
C:\Users\Admin\Desktop\Uranium 0.5\Uranium0.5.exe

Filesize
3.5MB

MD5
8f085f21b6a6830f5b6fb22c0916290d

SHA1
81ec35f9319a2efe351c48ff1b7dbbdea9b691d8

SHA256
4fd7498e6ad9cef9c55844ebf3486b43d3cff9f27b7ca686034ef099ab9d35f3

SHA512
cc0c219c0d09ae27836865c524059d632117e7af8541a4e805e15d34a16dd37d9dc2fefe4e8a16dac35bb6e566d5fecb6e62aaeedbc38097b8289f21904cf0e1

Download Submit
C:\Users\Admin\Desktop\uraniumwashere 5.txt

Filesize
31B

MD5
06f6861c8e3bd1a3f6f836d4141665c5

SHA1
be70648788f127f4170a77a0fe5342804e8e62eb

SHA256
d1a4a1f655050fe30d5bd40a7285805536cb6a10336152aeb7c43966f3cbc416

SHA512
d874634516ac5637c8970bfe6812d8246e405a614f8cefba4eb4d725eb15534315bfe14b1f3998c286de6d000eb055d36523507a7f78144b3f75eb77a9cfde34

Download Submit
C:\Users\Admin\Downloads\Uranium 0.5.zip

Filesize
8.8MB

MD5
7606d25e1d67a9644dd6567a68445c3b

SHA1
8cabe14e0acab53bf5f2ed51aec9b24f13d40d4d

SHA256
cdcfa0109556c1ce1db02c2f87c8c8c7c599f27b162c160b5fb5f6367200bc98

SHA512
2b9d481d1558eabd64d8a73d2ad4d9798eb8f9d0650986622380bc5aff7e02b1e3c5b1314072a6fd3689647e0fc5e055f47c98b4bdc0905c54fd8ce931e93a5c

Download Submit
memory/1728-352-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1964-559-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2904-560-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download