0c939890c3cbc24675e353eaa90f791f0f8d57d3bc40394c125cf54aa00a8fa6

General

Target

ufsxpci.exe
Size

41.8MB
MD5

cc6cf30e86d774df9a3b3ffdc3f8c7ed
SHA1

ebad1a99ba436548a8115846e2ebae3b19b11c9c
SHA256

0c939890c3cbc24675e353eaa90f791f0f8d57d3bc40394c125cf54aa00a8fa6
SHA512

130daaba55d8c84b0afdca4681bd158da32ea1751c3a548a1c2223b00b3626212d440d027d50ef66533d4c67233c8cff3c2e6f9f640dc21336baed4c1b3a94bb
SSDEEP

786432:lYi145b7jnv4Gsfgcld7LiuChEuuh1qK9O7LsbEDhp8eHk:O7b7jnwpfxld4hCn9OPsbrP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1784	ufs-explorer-pro.exe
2084	softmanager.exe
1224	Process not Found

Loads dropped DLL 3 IoCs

pid	Process
1932	ufsxpci.exe
1224	Process not Found
1224	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	ufs-explorer-pro.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ufs-explorer-pro.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1784	ufs-explorer-pro.exe
1784	ufs-explorer-pro.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Data Recovery\ufs-explorer-pro.exe.tmp	ufsxpci.exe
File created	C:\Program Files\Data Recovery\report-templates\dynamic-report-sample01-ufsx_pro.htm.tmp	ufsxpci.exe
File created	C:\Program Files\Data Recovery\report-templates\dynamic-report-sample02-logo.htm.tmp	ufsxpci.exe
File created	C:\Program Files\Data Recovery\report-templates\dynamic-report-sample03-tools.htm.tmp	ufsxpci.exe
File created	C:\Program Files\Data Recovery\report-templates\dynamic-report-sample04-show-total-size.htm.tmp	ufsxpci.exe
File created	C:\Program Files\Common Files\SysDev Laboratories\softmanager.exe.tmp	ufsxpci.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ufsxpci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	softmanager.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1784	ufs-explorer-pro.exe
1784	ufs-explorer-pro.exe
1784	ufs-explorer-pro.exe
1784	ufs-explorer-pro.exe
1784	ufs-explorer-pro.exe
1784	ufs-explorer-pro.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1784	ufs-explorer-pro.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1784	1932	ufsxpci.exe	32
PID 1932 wrote to memory of 1784	1932	ufsxpci.exe	32
PID 1932 wrote to memory of 1784	1932	ufsxpci.exe	32
PID 1932 wrote to memory of 1784	1932	ufsxpci.exe	32
PID 1784 wrote to memory of 2084	1784	ufs-explorer-pro.exe	33
PID 1784 wrote to memory of 2084	1784	ufs-explorer-pro.exe	33
PID 1784 wrote to memory of 2084	1784	ufs-explorer-pro.exe	33
PID 1784 wrote to memory of 2084	1784	ufs-explorer-pro.exe	33

C:\Users\Admin\AppData\Local\Temp\ufsxpci.exe
"C:\Users\Admin\AppData\Local\Temp\ufsxpci.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Program Files\Data Recovery\ufs-explorer-pro.exe
  "C:\Program Files\Data Recovery\ufs-explorer-pro.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Program Files\Common Files\SysDev Laboratories\softmanager.exe
    "C:/Program Files/Common Files/SysDev Laboratories/softmanager.exe" update ufsx_p quite 0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\SysDev Laboratories\softmanager.exe

Filesize
2.4MB

MD5
4140d4d94e98c0aca371ac6726946e0e

SHA1
9d382f52b977930c036d1ff86b84a6720bf17b58

SHA256
02c06c13f2a10c1d398ccfb4911aac226f881fea4caef6aa78d5221c2d00a8b0

SHA512
f39372eeefd8e58f1b4b4e289a3260f8b6f7f17c009dc7813ee191037acdfe3d166c28062fb5a2749ca6750756590dcdf03580cdee7947650e490c160269f4e8

Download Submit
C:\Program Files\Data Recovery\ufs-explorer-pro.exe

Filesize
24.3MB

MD5
0aa68ad50c70c9f4278b387492bbd2ab

SHA1
75c418ea978621389c03210d4d65ff898feefd33

SHA256
6b62c68d4f5e9e6bab16f3ca80b1fcd8dcef6939d32f941cdda04b38f9d39060

SHA512
a11ff316fbf036ca9fd22a7e9ac5b29c75b7b6ae270a2a77866a9ef424eafd289a4015f68516d1df8f9c91ec4a658b5b080830fbcc2757d937f86bf1e66e33d0

Download Submit
C:\ProgramData\SysDev Laboratories\sdl\install

Filesize
1KB

MD5
090b89c9455586ff5a11a435d3962201

SHA1
69bf10427536696cca780680ed17ff5fd72d1445

SHA256
f2debb2afe3dcfaa53dcfe1b457ac0eaa37475509ec9b071ada490baeea14040

SHA512
fa295ce8743a4bcac5360e3679b01994ec89870a22ee18c178256e0985aa91126e8a1921adebb322b8d92d9e2d30ac7f247c0d75a8350c5fc8eb01f8a6b33fc9

Download Submit
C:\ProgramData\SysDev Laboratories\sdl\installer

Filesize
199B

MD5
af155972bd28d0a98854d1557863b0e8

SHA1
f71880f861c1fbe97ccab1d5573eee17ac95ce71

SHA256
8d837eb8cc6c07f0162c321cac10c0f0d7bbe0bf67df517efefcab83603c02e7

SHA512
f7f51eb7ceda6aa525898f0a3da587b306fa9ababceb2fcb9a80e65b2577749a501755f21aa54e88924a6610f8d3bf1bd1b98bd0e6fbd36c03378d8bbd502f59

Download Submit
C:\ProgramData\SysDev Laboratories\sdl\lang

Filesize
22B

MD5
f110c0f548ee0a4b31d063ccd418196e

SHA1
1bb5661c0d4efc0bbc1faf0c33b429fcbccc831c

SHA256
1822d2d0b91796efd5329a46d052eb9991bcbee2337a6e0b3198c437fadec7d3

SHA512
72decba5f59d28bfd2b2fce8810296c1b602e9fb93ebc3a49df857d10fb34562c963b9b266a759e9ca88009c0022a44d220045604348af37263f332935bdab6e

Download Submit
C:\Users\Admin\AppData\Roaming\SysDev Laboratories\sdl\updates

Filesize
24B

MD5
50821bbc9f67d03c933b50a47428177e

SHA1
8d6347c71adced44453d3d79850f9cf48b8bf916

SHA256
03342e0c2d49ecc5ea74c3cb92c2c8316072e325762cfae5cb145405da99d1d5

SHA512
d0e50debcd5ed4ea8eff1c1df64f611bb2bbdc799958b0d451482235c265c973404fba64decfea1df97660d2e15b5af55e2514841bce4ae22cca5c2c60550335

Download Submit
memory/1784-28-0x000000013F900000-0x0000000141197000-memory.dmp

Filesize
24.6MB

Download
memory/1784-31-0x000000013F900000-0x0000000141197000-memory.dmp

Filesize
24.6MB

Download
memory/1784-30-0x000000013F900000-0x0000000141197000-memory.dmp

Filesize
24.6MB

Download
memory/1784-27-0x000000013F900000-0x0000000141197000-memory.dmp

Filesize
24.6MB

Download
memory/1784-26-0x000000013F900000-0x0000000141197000-memory.dmp

Filesize
24.6MB

Download
memory/1784-29-0x000000013F900000-0x0000000141197000-memory.dmp

Filesize
24.6MB

Download
memory/1784-44-0x000000013F900000-0x0000000141197000-memory.dmp

Filesize
24.6MB

Download
memory/1784-46-0x000000013F900000-0x0000000141197000-memory.dmp

Filesize
24.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads