Analysis
-
max time kernel
143s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04/11/2024, 02:57
Static task
static1
Behavioral task
behavioral1
Sample
UniversalRecoilV2.exe
Resource
win7-20240903-en
General
-
Target
UniversalRecoilV2.exe
-
Size
6.7MB
-
MD5
d8e739ca8627a709dbd025c95eec3c09
-
SHA1
cb0d1baefa7b97e355e16b1bbfa418334c579e80
-
SHA256
6d97acf787fc0571e81d0c82c301f91005523246319a2b17eb9db765e754ad89
-
SHA512
85bbb0e0c2059d9a141edf49102d43aef55ffab458f52f7bb755bd434499629a936fa39c3ec8d60e289232ab4abe2cdf1ffd55b59d914e18d62a2114a5006ebf
-
SSDEEP
196608:6aLfVOixPlm+6Q9JqjodWfeNSkfoIKtAINPsbET9iorQ:NLXlm+6vjLGybNEbET9Z
Malware Config
Extracted
stealc
game
http://193.233.112.44
-
url_path
/383ccd496f3c5eee.php
Signatures
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ VC_redistx64.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion VC_redistx64.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion VC_redistx64.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation UniversalRecoilV2.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation VC_redistx64.exe -
Executes dropped EXE 3 IoCs
pid Process 3088 gWsmPty.exe 3452 VC_redistx64.exe 2704 UniversalRecoilV2.exe -
resource yara_rule behavioral2/files/0x0007000000023cb6-19.dat themida behavioral2/memory/3452-34-0x0000000000400000-0x0000000000B78000-memory.dmp themida behavioral2/memory/3452-36-0x0000000000400000-0x0000000000B78000-memory.dmp themida behavioral2/memory/3452-37-0x0000000000400000-0x0000000000B78000-memory.dmp themida behavioral2/memory/3452-48-0x0000000000400000-0x0000000000B78000-memory.dmp themida -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\ProgramData\\MyHiddenFolder\\VC_redistx64.exe" VC_redistx64.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA VC_redistx64.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3452 VC_redistx64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gWsmPty.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VC_redistx64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language UniversalRecoilV2.exe -
Modifies registry class 36 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell UniversalRecoilV2.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots UniversalRecoilV2.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 UniversalRecoilV2.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff UniversalRecoilV2.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000004759a34a10004c6f63616c003c0009000400efbe4759864864592f172e0000006be10100000001000000000000000000000000000000f82ccb004c006f00630061006c00000014000000 UniversalRecoilV2.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 UniversalRecoilV2.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff UniversalRecoilV2.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags UniversalRecoilV2.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" UniversalRecoilV2.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 UniversalRecoilV2.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" UniversalRecoilV2.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff UniversalRecoilV2.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff UniversalRecoilV2.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff UniversalRecoilV2.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" UniversalRecoilV2.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" UniversalRecoilV2.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 UniversalRecoilV2.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 UniversalRecoilV2.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff UniversalRecoilV2.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy UniversalRecoilV2.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000047598648120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe4759864864592f172e00000058e10100000001000000000000000000000000000000d2fecc004100700070004400610074006100000042000000 UniversalRecoilV2.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" UniversalRecoilV2.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 UniversalRecoilV2.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings UniversalRecoilV2.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 UniversalRecoilV2.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell UniversalRecoilV2.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" UniversalRecoilV2.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" UniversalRecoilV2.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" UniversalRecoilV2.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 UniversalRecoilV2.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" UniversalRecoilV2.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU UniversalRecoilV2.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 UniversalRecoilV2.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000064592f17100054656d7000003a0009000400efbe4759864864592f172e0000006ce101000000010000000000000000000000000000000b468200540065006d007000000014000000 UniversalRecoilV2.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} UniversalRecoilV2.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" UniversalRecoilV2.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3452 VC_redistx64.exe 3452 VC_redistx64.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2704 UniversalRecoilV2.exe 2704 UniversalRecoilV2.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4288 wrote to memory of 3088 4288 UniversalRecoilV2.exe 87 PID 4288 wrote to memory of 3088 4288 UniversalRecoilV2.exe 87 PID 4288 wrote to memory of 3088 4288 UniversalRecoilV2.exe 87 PID 4288 wrote to memory of 3452 4288 UniversalRecoilV2.exe 88 PID 4288 wrote to memory of 3452 4288 UniversalRecoilV2.exe 88 PID 4288 wrote to memory of 3452 4288 UniversalRecoilV2.exe 88 PID 4288 wrote to memory of 2704 4288 UniversalRecoilV2.exe 89 PID 4288 wrote to memory of 2704 4288 UniversalRecoilV2.exe 89 PID 4288 wrote to memory of 2704 4288 UniversalRecoilV2.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\UniversalRecoilV2.exe"C:\Users\Admin\AppData\Local\Temp\UniversalRecoilV2.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Users\Admin\AppData\Roaming\gWsmPty.exe"C:\Users\Admin\AppData\Roaming\gWsmPty.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3088
-
-
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3452
-
-
C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe"C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2704
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD5acf8907ce64638007fb5514265812c67
SHA1daa5404df21afc0cbfc126b9544fa68f3833e3f8
SHA2569fe5fb74600e204a4739a0ed262f16ab6c7eb9f970f61d6315a8e5010f9bc3d4
SHA512aa7478af047621b9f6d828356a20905f46a520cf364bc639ff0c21b5e9ae8eb29d5edcb2dd00c4dc327ca5348868d754c7068aff132d27d21e606e3ff821f9b6
-
Filesize
2.9MB
MD5507acc8f3249adef7468989fee931211
SHA14d66286973a21e76b0e2c746bac00fa28d446ca9
SHA2566abb77dce6d4af42005e673cb089b6d41e0ef0b88a6411f4d5dfd8e8b4858154
SHA5122faee963523b401bf1e588c86bfeef899067456f22848d299525acde5d2ce28a66f769d741deea2e6b218b4e1b0c0f7f4cc08cfc1c2fd8eac5375b3c183b7ee3
-
Filesize
322KB
MD5c57f035e099bfe7f8d56917a22266dc9
SHA188a4ab3cef2b3d293b6d94b8d5b38298d1ec6d87
SHA256d075bbba29912ff7a321ee5dcb32159b9de8e27e716a1aad9ed52bb9d9ccc4a3
SHA512836f345be084eeaef97144faa845a697f3c40a5f643088ee355d71cbedac23506c4d53267220bfa467872e850faebbc5a3919fbeb5628534619d39fbcbf1e1e4