Analysis

max time kernel: 580s
max time network: 359s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02/10/2024, 03:05
Static task: static1

Behavioral task: behavioral1
  Sample: UIExecutor.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: UIExecutor.exe
  Resource: win10v2004-20240910-en
General

Target: UIExecutor.exe
Size: 285KB
MD5: c152daaf76f20ee8f06be8bb6422d4a2
SHA1: 6ce9de47a28aed0324f22d496e4e137180e0b0a9
SHA256: b6ae29d9de7ee942b90bcd5c4ff97fe7ee6510900ca9f86bd560f86d47e35f1f
SHA512: ce8460fb022a5143e1da63b8ed90b654424961d1ed3c7c540e932a3e8881aa262817b305db49ea0f92ac01606ac8b1d045d23c79255a1cc8607e6d200be8a760
SSDEEP: 6144:3Q5FtRjkYOmXcIbHh+/iqzgo8kqfogA+Z3fyPj/TLFRkGGof:gJlImjhzToFGX3aPjXFRkGGof
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid   Process
  1076  UIExecutor.exe

- Drops desktop.ini file(s) (10 IoCs)
  description                   ioc                                   Process
  File opened for modification  C:\Users\Admin\Pictures\desktop.ini   ehshell.exe
  File opened for modification  C:\Users\Public\desktop.ini           wmplayer.exe
  File opened for modification  C:\Users\Public\Music\desktop.ini     wmplayer.exe
  File opened for modification  C:\Users\Public\Pictures\desktop.ini  wmplayer.exe
  File opened for modification  C:\Users\Public\desktop.ini           ehshell.exe
  File opened for modification  C:\Users\Public\Pictures\desktop.ini  ehshell.exe
  File opened for modification  C:\Users\Admin\Music\desktop.ini      wmplayer.exe
  File opened for modification  C:\Users\Admin\Videos\desktop.ini     wmplayer.exe
  File opened for modification  C:\Users\Public\Videos\desktop.ini    wmplayer.exe
  File opened for modification  C:\Users\Admin\Pictures\desktop.ini   wmplayer.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\T:  wmplayer.exe
  File opened (read-only)  \??\V:  wmplayer.exe
  File opened (read-only)  \??\Y:  wmplayer.exe
  File opened (read-only)  \??\A:  wmplayer.exe
  File opened (read-only)  \??\G:  wmplayer.exe
  File opened (read-only)  \??\O:  wmplayer.exe
  File opened (read-only)  \??\L:  wmplayer.exe
  File opened (read-only)  \??\N:  wmplayer.exe
  File opened (read-only)  \??\U:  wmplayer.exe
  File opened (read-only)  \??\M:  wmplayer.exe
  File opened (read-only)  \??\P:  wmplayer.exe
  File opened (read-only)  \??\R:  wmplayer.exe
  File opened (read-only)  \??\S:  wmplayer.exe
  File opened (read-only)  \??\Z:  wmplayer.exe
  File opened (read-only)  \??\B:  wmplayer.exe
  File opened (read-only)  \??\H:  wmplayer.exe
  File opened (read-only)  \??\K:  wmplayer.exe
  File opened (read-only)  \??\Q:  wmplayer.exe
  File opened (read-only)  \??\W:  wmplayer.exe
  File opened (read-only)  \??\X:  wmplayer.exe
  File opened (read-only)  \??\E:  wmplayer.exe
  File opened (read-only)  \??\I:  wmplayer.exe
  File opened (read-only)  \??\J:  wmplayer.exe

- Drops file in Windows directory (1 IoC)
  description                   ioc                            Process
  File opened for modification  C:\Windows\WindowsUpdate.log   ehshell.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   wmplayer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   UIExecutor.exe

- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                    Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                        ehshell.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                   ehshell.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    ehshell.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier       ehshell.exe
- Modifies registry class (7 IoCs)
  description       ioc                                                                                                                         Process
  Key created       \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell        ehshell.exe
  Key created       \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  ehshell.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202  ehshell.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff  ehshell.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer                                         wmplayer.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"  wmplayer.exe
  Key created       \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings                                         ehshell.exe

- NTFS ADS (1 IoC)
  description   ioc                                                                           Process
  File created  C:\Users\Admin\AppData\Local\microsoft\ehome\ehthumbs_vista.db:encryptable    ehshell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1928  ehshell.exe
  1928  ehshell.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1928  ehshell.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid   Process
  Token: SeDebugPrivilege     1928  ehshell.exe
  Token: SeShutdownPrivilege  1928  ehshell.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process      procid_target
  PID 1928 wrote to memory of 1640  1928  ehshell.exe  37
  PID 1928 wrote to memory of 1640  1928  ehshell.exe  37
  PID 1928 wrote to memory of 1640  1928  ehshell.exe  37
  PID 1928 wrote to memory of 1640  1928  ehshell.exe  37

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.

- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Users\Admin\AppData\Local\Temp\UIExecutor.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\UIExecutor.exe"
  PID: 1076
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 1296

- C:\Windows\eHome\ehshell.exe
  Command line: "C:\Windows\eHome\ehshell.exe" /prefetch:1003 "C:\Users\Admin\Downloads\BackupUpdate.DVR"
  PID: 1928
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Windows Media Player\wmplayer.exe (child of PID 1928)
    Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /SkipFUE /RemoteOCXLaunch /SuppressDialogs
    PID: 1640
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class

- C:\Windows\ehome\ehshell.exe
  Command line: "C:\Windows\ehome\ehshell.exe"
  PID: 2968
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 503KB
  MD5: dad03d35685bc14f42cf0fb07052c5e0
  SHA1: 662fcedc3fa8b9ca10b9f288bf4e59a2bcd214bb
  SHA256: 13d014a5d923954f23d50eda15202e87965981e162ae64cfb86e73dd1a3b4719
  SHA512: f49b39d7e8c092df62b7870065516bdcb2fde9d2be91882f89ce94d5efd768222cb0f74b654aea3abb4f88ea03737437ee645aa99491a30c83c278cd6941bef4