Overview

overview

7

Static

static

1

ufsxpci.exe

windows7-x64

7

ufsxpci.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2024 03:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ufsxpci.exe

  • Size

    41.8MB

  • MD5

    cc6cf30e86d774df9a3b3ffdc3f8c7ed

  • SHA1

    ebad1a99ba436548a8115846e2ebae3b19b11c9c

  • SHA256

    0c939890c3cbc24675e353eaa90f791f0f8d57d3bc40394c125cf54aa00a8fa6

  • SHA512

    130daaba55d8c84b0afdca4681bd158da32ea1751c3a548a1c2223b00b3626212d440d027d50ef66533d4c67233c8cff3c2e6f9f640dc21336baed4c1b3a94bb

  • SSDEEP

    786432:lYi145b7jnv4Gsfgcld7LiuChEuuh1qK9O7LsbEDhp8eHk:O7b7jnwpfxld4hCn9OPsbrP

Score
7/10
bootkitdiscoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ufsxpci.exe
    "C:\Users\Admin\AppData\Local\Temp\ufsxpci.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Program Files\Data Recovery\ufs-explorer-pro.exe
      "C:\Program Files\Data Recovery\ufs-explorer-pro.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Program Files\Common Files\SysDev Laboratories\softmanager.exe
        "C:/Program Files/Common Files/SysDev Laboratories/softmanager.exe" update ufsx_p quite 0
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\SysDev Laboratories\softmanager.exe
    Filesize

    2.4MB

    MD5

    4140d4d94e98c0aca371ac6726946e0e

    SHA1

    9d382f52b977930c036d1ff86b84a6720bf17b58

    SHA256

    02c06c13f2a10c1d398ccfb4911aac226f881fea4caef6aa78d5221c2d00a8b0

    SHA512

    f39372eeefd8e58f1b4b4e289a3260f8b6f7f17c009dc7813ee191037acdfe3d166c28062fb5a2749ca6750756590dcdf03580cdee7947650e490c160269f4e8

    Download Submit

  • C:\Program Files\Data Recovery\ufs-explorer-pro.exe
    Filesize

    24.3MB

    MD5

    0aa68ad50c70c9f4278b387492bbd2ab

    SHA1

    75c418ea978621389c03210d4d65ff898feefd33

    SHA256

    6b62c68d4f5e9e6bab16f3ca80b1fcd8dcef6939d32f941cdda04b38f9d39060

    SHA512

    a11ff316fbf036ca9fd22a7e9ac5b29c75b7b6ae270a2a77866a9ef424eafd289a4015f68516d1df8f9c91ec4a658b5b080830fbcc2757d937f86bf1e66e33d0

    Download Submit

  • C:\ProgramData\SysDev Laboratories\sdl\install
    Filesize

    1KB

    MD5

    f62772c7b9aa424fc561538fef757fde

    SHA1

    ee78c9f43f42fc75e173cc39da8feb6091ecb9ad

    SHA256

    44cf6a53bb89b9962abf490541b5aaffb89f54aa0a453da0e8e8d3d0991a2ec5

    SHA512

    21381b40810862116b558910b66febe489d9fbcbe6b2d100ff0adbddf964521f284534d7572d0af30b6f59ca77093d3861b1abb37bd77224770588be6a67ee2f

    Download Submit

  • C:\ProgramData\SysDev Laboratories\sdl\installer
    Filesize

    199B

    MD5

    af155972bd28d0a98854d1557863b0e8

    SHA1

    f71880f861c1fbe97ccab1d5573eee17ac95ce71

    SHA256

    8d837eb8cc6c07f0162c321cac10c0f0d7bbe0bf67df517efefcab83603c02e7

    SHA512

    f7f51eb7ceda6aa525898f0a3da587b306fa9ababceb2fcb9a80e65b2577749a501755f21aa54e88924a6610f8d3bf1bd1b98bd0e6fbd36c03378d8bbd502f59

    Download Submit

  • C:\ProgramData\SysDev Laboratories\sdl\lang
    Filesize

    22B

    MD5

    f110c0f548ee0a4b31d063ccd418196e

    SHA1

    1bb5661c0d4efc0bbc1faf0c33b429fcbccc831c

    SHA256

    1822d2d0b91796efd5329a46d052eb9991bcbee2337a6e0b3198c437fadec7d3

    SHA512

    72decba5f59d28bfd2b2fce8810296c1b602e9fb93ebc3a49df857d10fb34562c963b9b266a759e9ca88009c0022a44d220045604348af37263f332935bdab6e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SysDev Laboratories\sdl\updates
    Filesize

    24B

    MD5

    50821bbc9f67d03c933b50a47428177e

    SHA1

    8d6347c71adced44453d3d79850f9cf48b8bf916

    SHA256

    03342e0c2d49ecc5ea74c3cb92c2c8316072e325762cfae5cb145405da99d1d5

    SHA512

    d0e50debcd5ed4ea8eff1c1df64f611bb2bbdc799958b0d451482235c265c973404fba64decfea1df97660d2e15b5af55e2514841bce4ae22cca5c2c60550335

    Download Submit

  • memory/1344-37-0x00007FF6B41F0000-0x00007FF6B5A87000-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1344-32-0x00007FF6B41F0000-0x00007FF6B5A87000-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1344-35-0x00007FF6B41F0000-0x00007FF6B5A87000-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1344-38-0x00007FF6B41F0000-0x00007FF6B5A87000-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1344-34-0x00007FF6B41F0000-0x00007FF6B5A87000-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1344-33-0x00007FF6B41F0000-0x00007FF6B5A87000-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1344-36-0x00007FF6B41F0000-0x00007FF6B5A87000-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1344-44-0x00007FF6B5A77000-0x00007FF6B5A83000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1344-49-0x00007FF6B41F0000-0x00007FF6B5A87000-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1344-50-0x00007FF6B5A77000-0x00007FF6B5A83000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1344-53-0x00007FF6B41F0000-0x00007FF6B5A87000-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1344-54-0x00007FF6B41F0000-0x00007FF6B5A87000-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1344-55-0x00007FF6B41F0000-0x00007FF6B5A87000-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1344-56-0x00007FF6B41F0000-0x00007FF6B5A87000-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1344-57-0x00007FF6B41F0000-0x00007FF6B5A87000-memory.dmp

    Filesize

    24.6MB

    Download