Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/01/2025, 22:35
Static task: static1
Behavioral task: behavioral1
- Sample: bf768bd2edeac7924b20acb49e960c82d7b34f17720fdf2ad8658e6eac75fcc5N.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: bf768bd2edeac7924b20acb49e960c82d7b34f17720fdf2ad8658e6eac75fcc5N.exe
- Resource: win10v2004-20241007-en
General
- Target: bf768bd2edeac7924b20acb49e960c82d7b34f17720fdf2ad8658e6eac75fcc5N.exe
- Size: 398KB
- MD5: f13c0dbee984cb888636b40a7dc90970
- SHA1: a253c2047926bdc1a2cbb7d82007a44390ef64aa
- SHA256: bf768bd2edeac7924b20acb49e960c82d7b34f17720fdf2ad8658e6eac75fcc5
- SHA512: ec28f96cdb3e5ffb059bd077611addd68607b5bc0f0d2c3a85c97825abf8444cf38cd4bac8d61c78af522338c539ef73a05759d69c8d27b820bbea37c8727608
- SSDEEP: 12288:vdDU6g13sJd1fm/+yb3O2jg82ydU/DdKumh:vdE3sJd1fm/+yb3OYg84/JHy
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 4236, udkgtol.exe
- Executes dropped EXE (2 IoCs)
  PID 4236, udkgtol.exe
  PID 116, uqobf.exe
- Loads dropped DLL (1 IoC)
  PID 116, uqobf.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VIEW = "c:\\Program Files\\xtdjzyq\\uqobf.exe \"c:\\Program Files\\xtdjzyq\\uqobf.dll\",Viewer" by uqobf.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by uqobf.exe: \??\a:, \??\b:, \??\e:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z:
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PHYSICALDRIVE0 by uqobf.exe
- Drops file in Program Files directory (4 IoCs)
  File opened for modification: \??\c:\Program Files\xtdjzyq by udkgtol.exe
  File created: \??\c:\Program Files\xtdjzyq\uqobf.dll by udkgtol.exe
  File created: \??\c:\Program Files\xtdjzyq\uqobf.exe by udkgtol.exe
  File opened for modification: \??\c:\Program Files\xtdjzyq\uqobf.exe by udkgtol.exe
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by bf768bd2edeac7924b20acb49e960c82d7b34f17720fdf2ad8658e6eac75fcc5N.exe, cmd.exe, PING.EXE, udkgtol.exe and uqobf.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PID 5012, cmd.exe
  PID 4736, PING.EXE
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by uqobf.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by uqobf.exe
- Runs ping.exe (1 TTP, 1 IoC)
  PID 4736, PING.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 116, uqobf.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 116, uqobf.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2292, bf768bd2edeac7924b20acb49e960c82d7b34f17720fdf2ad8658e6eac75fcc5N.exe
  PID 4236, udkgtol.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2292 (bf768bd2edeac7924b20acb49e960c82d7b34f17720fdf2ad8658e6eac75fcc5N.exe) wrote to memory of 5012, procid_target 83 (3 entries)
  PID 5012 (cmd.exe) wrote to memory of 4736, procid_target 85 (3 entries)
  PID 5012 (cmd.exe) wrote to memory of 4236, procid_target 86 (3 entries)
  PID 4236 (udkgtol.exe) wrote to memory of 116, procid_target 87 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\bf768bd2edeac7924b20acb49e960c82d7b34f17720fdf2ad8658e6eac75fcc5N.exe (PID 2292, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf768bd2edeac7924b20acb49e960c82d7b34f17720fdf2ad8658e6eac75fcc5N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 5012, depth 2)
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\udkgtol.exe "C:\Users\Admin\AppData\Local\Temp\bf768bd2edeac7924b20acb49e960c82d7b34f17720fdf2ad8658e6eac75fcc5N.exe"
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4736, depth 3)
      Command line: ping 127.0.0.1 -n 2
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\udkgtol.exe (PID 4236, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\\udkgtol.exe "C:\Users\Admin\AppData\Local\Temp\bf768bd2edeac7924b20acb49e960c82d7b34f17720fdf2ad8658e6eac75fcc5N.exe"
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\Program Files\xtdjzyq\uqobf.exe (PID 116, depth 4)
        Command line: "c:\Program Files\xtdjzyq\uqobf.exe" "c:\Program Files\xtdjzyq\uqobf.dll",Viewer C:\Users\Admin\AppData\Local\Temp\udkgtol.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Pre-OS Boot (1)
    - Bootkit (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)