9f330b9235b7e96e57ffc3aebbb08573f2824e895889a96a650de9316a959f0d

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UgPhone.exe
Size

130.1MB
MD5

b15e411ff8e001a75f453262f8f7e6c0
SHA1

c4173c0c6e3490cc51249a0b31d16deb0dc60661
SHA256

81f178fef70e5a05bfaf70e3ca0cec93002b6d0ada112fd33c5454ea8237a59e
SHA512

4d734a55b1ab890265e135352ea8c2f7d7683388574bd5288af80c9c58a9bd8a893df0442c250b65c88717bb66ef79cd9f59f6ab8a13562ae4b33502f341806f
SSDEEP

1572864:hK/gNQW2SJeFf769vh9hwK9opP8rju/BRcjmmRm1WWn:E46WVJeFz690ujm7WWn

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UgPhone.exeUgPhone.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	UgPhone.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	UgPhone.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

UgPhone.exeUgPhone.exeUgPhone.exe

pid process

4004 UgPhone.exe
4004 UgPhone.exe
1596 UgPhone.exe
1596 UgPhone.exe
3436 UgPhone.exe
3436 UgPhone.exe
3436 UgPhone.exe
3436 UgPhone.exe

pid	process
4004	UgPhone.exe
4004	UgPhone.exe
1596	UgPhone.exe
1596	UgPhone.exe
3436	UgPhone.exe
3436	UgPhone.exe
3436	UgPhone.exe
3436	UgPhone.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

UgPhone.exe

description	pid	process	target process
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1244	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1596	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 1596	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 4004	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 4004	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 3436	3892	UgPhone.exe	UgPhone.exe
PID 3892 wrote to memory of 3436	3892	UgPhone.exe	UgPhone.exe

C:\Users\Admin\AppData\Local\Temp\UgPhone.exe
"C:\Users\Admin\AppData\Local\Temp\UgPhone.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3892

C:\Users\Admin\AppData\Local\Temp\UgPhone.exe
"C:\Users\Admin\AppData\Local\Temp\UgPhone.exe" --type=gpu-process --field-trial-handle=1588,15653115576260134116,3633441977201316162,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1596 /prefetch:2
2⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\UgPhone.exe
"C:\Users\Admin\AppData\Local\Temp\UgPhone.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,15653115576260134116,3633441977201316162,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=none --ignore-certificate-errors --ignore-certificate-errors --mojo-platform-channel-handle=2084 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1596

C:\Users\Admin\AppData\Local\Temp\UgPhone.exe
"C:\Users\Admin\AppData\Local\Temp\UgPhone.exe" --type=renderer --field-trial-handle=1588,15653115576260134116,3633441977201316162,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2164 /prefetch:1
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:4004

C:\Users\Admin\AppData\Local\Temp\UgPhone.exe
"C:\Users\Admin\AppData\Local\Temp\UgPhone.exe" --type=gpu-process --field-trial-handle=1588,15653115576260134116,3633441977201316162,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1472 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\UgPhone1\Network Persistent State
Filesize
183B

MD5
55c27488a6cb0b3d088f2cd1b1fc6619

SHA1
fba84859e385865e7c16f16d66de31852338ca96

SHA256
d4687fb74330e49a39c70ec2483c7729c2b3b07488b9b416290c1b88e77acf3e

SHA512
35da27b00123fb942cf86566de4997bf31f8876f60d5baa27b501f3f2ae47426c3cab7aec88a51fa796bafafef9ea099024e4e79a387a544b52edade085cef73

Download Submit
C:\Users\Admin\AppData\Roaming\UgPhone1\Network Persistent State~RFe586915.TMP
Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\UgPhone1\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
memory/1244-2-0x00007FFDF4610000-0x00007FFDF4611000-memory.dmp

Filesize
4KB

Download