c01c0bce2f0088ebdd2f006b207ab1a2e033c455c59fc21b4e8bffcd2fd20077

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UUUpgrade.exe
Size

245KB
MD5

ee312a70c89c6b7c396c4476feaf6719
SHA1

3bc8e5010bc286acb3c08c9822317b3e6301910e
SHA256

060465633683c494a9ae9dbc54030fbad70d9ecf09cc462238122b613e81e0cc
SHA512

cc0db276b40e873144d03f2509c1b2bd0d3822952cf5a2a74f4a2a393a6759f2f739224e14e6cb22f0503081cf63319d811252ff122a07232fce8e1f6ad2e4ee
SSDEEP

3072:/erSAkNdtEqwXW+0IEcwdTFf1sJGoDf9woSMmAdiAQkwdTg0gK:/Q+mxQBzgr3SMmwZQFB1

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UUUpgrade.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UUUPGRADE.UUUpgradeCtrl.1	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77910CD3-5447-4CCB-92DE-35BA8198BE81}\MiscStatus\1	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{770B88B4-DCD8-4857-8E82-62C650F58545}\ProxyStubClsid32	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{17413BA0-0160-4C1F-BA66-679436BCA89B}\CLSID = "{17413BA0-0160-4C1F-BA66-679436BCA89B}"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56ABD0A3-FEA0-420E-A72C-6D4D7C3DBB2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CACD7BB-1C59-4BBB-8E81-6E83F82C813B}\Control\	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7F18B7F-9F1F-4AE6-9866-AB7E1A81ECCA}\InprocServer32	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C348EAC-3600-45D3-B477-DFEDDFB78472}\Version	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A2113517-E452-43A3-977D-28BA30D5E389}	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56ABD0A3-FEA0-420E-A72C-6D4D7C3DBB2D}\TypeLib	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CACD7BB-1C59-4BBB-8E81-6E83F82C813B}\ = "UUUpgrade Control"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9587E96-9349-4F58-A7D5-77E53811BDFD}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9587E96-9349-4F58-A7D5-77E53811BDFD}\ = "_DUUPlayerOCX"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77910CD3-5447-4CCB-92DE-35BA8198BE81}\MiscStatus\1\ = "132497"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77910CD3-5447-4CCB-92DE-35BA8198BE81}\Version\ = "1.0"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UUWEBPLAYER.UUWebPlayerCtrl.1\ = "UUWebPlayer Control"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BC85539C-48EA-4222-B6EE-8DA6897175DA}\1.0\ = "UUUpgrade ActiveX Control module"	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F39804DC-F2B5-4E8B-92F1-45F7B5349C4C}\ProxyStubClsid32	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CACD7BB-1C59-4BBB-8E81-6E83F82C813B}\MiscStatus	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41E77C38-9383-404C-BC49-EDF2AEA4E163}\1.0\FLAGS\ = "2"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7F18B7F-9F1F-4AE6-9866-AB7E1A81ECCA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rmsp011.ax"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0583926D-C114-4605-8DF3-770402F50E61}\InprocServer32\ThreadingModel = "Both"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{03536919-5F7D-4506-80DF-144C74CB5B45}\ = "_DUUUpgradeEvents"	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CACD7BB-1C59-4BBB-8E81-6E83F82C813B}\TypeLib	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{0583926D-C114-4605-8DF3-770402F50E61}	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{754EFA30-C752-4F45-8890-6250A53FD512}\1.0\HELPDIR\	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE61BB61-0E51-4080-8B6D-8F1FE00ABE38}	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{263BE21D-D834-4971-8097-1F5954995C18}\TypeLib\Version = "1.0"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{263BE21D-D834-4971-8097-1F5954995C18}\TypeLib\Version = "1.0"	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{263BE21D-D834-4971-8097-1F5954995C18}\ProxyStubClsid32	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03536919-5F7D-4506-80DF-144C74CB5B45}\ProxyStubClsid32	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0E7BAF1-655E-4899-ACD4-10D055414CFB}	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CACD7BB-1C59-4BBB-8E81-6E83F82C813B}\ToolboxBitmap32	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77910CD3-5447-4CCB-92DE-35BA8198BE81}\InprocServer32	UUUpgrade.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A2113517-E452-43A3-977D-28BA30D5E389}\FilterData = 02000000000020000200000000000000307069330000000000000000040000000000000000000000307479330000000090000000a0000000317479330000000090000000b0000000327479330000000090000000c0000000337479330000000090000000d0000000317069330800000000000000010000000000000000000000307479330000000090000000e00000007669647300001000800000aa00389b715256323000001000800000aa00389b715256333000001000800000aa00389b715256343000001000800000aa00389b715256343100001000800000aa00389b7100000000000000000000000000000000	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{263BE21D-D834-4971-8097-1F5954995C18}\TypeLib\ = "{34A24C1F-46A0-46B1-92C9-210132D85E60}"	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41E77C38-9383-404C-BC49-EDF2AEA4E163}	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77910CD3-5447-4CCB-92DE-35BA8198BE81}\Implemented Categories	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77910CD3-5447-4CCB-92DE-35BA8198BE81}\ProgID\ = "UUPLAYEROCX.UUPlayerOCXCtrl.1"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17413BA0-0160-4C1F-BA66-679436BCA89B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UFSource.ax"	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0583926D-C114-4605-8DF3-770402F50E61}	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EAB7A1CC-C77B-45E5-9AC2-AD037D047BCC}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F39804DC-F2B5-4E8B-92F1-45F7B5349C4C}\TypeLib\ = "{BC85539C-48EA-4222-B6EE-8DA6897175DA}"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0E7BAF1-655E-4899-ACD4-10D055414CFB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UUUPGR~1.OCX"	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9587E96-9349-4F58-A7D5-77E53811BDFD}\TypeLib\Version = "1.0"	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77910CD3-5447-4CCB-92DE-35BA8198BE81}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77910CD3-5447-4CCB-92DE-35BA8198BE81}\InprocServer32\ThreadingModel = "Apartment"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56ABD0A3-FEA0-420E-A72C-6D4D7C3DBB2D}\ = "_DUUWebPlayerEvents"	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185448F-CD61-4FD0-A728-F62407D354AA}	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1185448F-CD61-4FD0-A728-F62407D354AA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UUWEBP~1.OCX"	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C348EAC-3600-45D3-B477-DFEDDFB78472}\TypeLib	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9587E96-9349-4F58-A7D5-77E53811BDFD}	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77910CD3-5447-4CCB-92DE-35BA8198BE81}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UUPlayer.ocx, 1"	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{770B88B4-DCD8-4857-8E82-62C650F58545}\TypeLib	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EAB7A1CC-C77B-45E5-9AC2-AD037D047BCC}\MiscStatus\ = "0"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C348EAC-3600-45D3-B477-DFEDDFB78472}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UUWEBP~1.OCX, 1"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CACD7BB-1C59-4BBB-8E81-6E83F82C813B}\Version\ = "1.0"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UPLAYER.UPlayerCtrl.1\ = "UPlayer Control"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EAB7A1CC-C77B-45E5-9AC2-AD037D047BCC}\TypeLib\ = "{754EFA30-C752-4F45-8890-6250A53FD512}"	UUUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17413BA0-0160-4C1F-BA66-679436BCA89B}\InprocServer32	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EAB7A1CC-C77B-45E5-9AC2-AD037D047BCC}\Version\ = "1.0"	UUUpgrade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F39804DC-F2B5-4E8B-92F1-45F7B5349C4C}\TypeLib\Version = "1.0"	UUUpgrade.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2304	UUUpgrade.exe
2304	UUUpgrade.exe
2304	UUUpgrade.exe
2304	UUUpgrade.exe
2304	UUUpgrade.exe
2304	UUUpgrade.exe
2304	UUUpgrade.exe
2304	UUUpgrade.exe
2304	UUUpgrade.exe
2304	UUUpgrade.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	UUUpgrade.exe
Token: SeDebugPrivilege	2304	UUUpgrade.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2304	UUUpgrade.exe
2304	UUUpgrade.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2304	UUUpgrade.exe
2304	UUUpgrade.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2304	UUUpgrade.exe
2304	UUUpgrade.exe

C:\Users\Admin\AppData\Local\Temp\UUUpgrade.exe
"C:\Users\Admin\AppData\Local\Temp\UUUpgrade.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...