Analysis

max time kernel:   26s
max time network:  27s
platform:          windows10-2004_x64
resource:          win10v2004-20240611-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted:         01-07-2024 08:14
Behavioral task: behavioral1
Sample:     UUDPTBXHGP.exe
Resource:   win10v2004-20240611-en
Signatures: 8 signatures
Run time:   300 seconds
General

Target:  UUDPTBXHGP.exe
Size:    6.1MB
MD5:     b15850bf1a5712a40e7cb9dba90e54be
SHA1:    7b4b4d5a24e8123f32f5260382917c05d2fd5789
SHA256:  4eab28bf6548c6a24b13e8bdbda9bbac66a8df97a31c77426e0e46c5503213c8
SHA512:  5a8d3d0ba102a23bd6d1b65f7b64a422e88207c98e988c1ea66c92b6533d6854cf1dd08b8daffca1fbf174b10a8b1c7e5684993e99a3788e0e69f40c2a879794
SSDEEP:  196608:2TKSzjl6H+jCy7VzIyrzbqGWXcZRJRbUST:2mMCy7j3BOcZBUST
Score:   8/10
Malware Config
Signatures

- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc:         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bbgxjvpNOweUMglODMUEhaVrzSPZ\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\bbgxjvpNOweUMglODMUEhaVrzSPZ"
    process:     UUDPTBXHGP.exe

- Processes (YARA matches):
    resource                                                                     yara_rule
    behavioral1/memory/1704-1-0x0000000140000000-0x00000001412A9000-memory.dmp   vmprotect
    behavioral1/memory/1704-6-0x0000000140000000-0x00000001412A9000-memory.dmp   vmprotect
    behavioral1/memory/1704-7-0x0000000140000000-0x00000001412A9000-memory.dmp   vmprotect
    behavioral1/memory/1704-11-0x0000000140000000-0x00000001412A9000-memory.dmp  vmprotect

- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
    pid   process
    1704  UUDPTBXHGP.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1704  UUDPTBXHGP.exe
    1704  UUDPTBXHGP.exe

- Suspicious behavior: LoadsDriver (1 IoCs)
  Processes:
    pid   process
    1704  UUDPTBXHGP.exe

- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
    pid   process
    1704  UUDPTBXHGP.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description                    pid   process
    Token: SeLoadDriverPrivilege   1704  UUDPTBXHGP.exe

- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description                        pid   process         target process
    PID 1704 wrote to memory of 640    1704  UUDPTBXHGP.exe  cmd.exe
    PID 1704 wrote to memory of 640    1704  UUDPTBXHGP.exe  cmd.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\UUDPTBXHGP.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\UUDPTBXHGP.exe"
   - Sets service image path in registry
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: LoadsDriver
   - Suspicious behavior: RenamesItself
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c pause
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

  file                                                              filesize
  memory/1704-2-0x0000000140A1C000-0x0000000140C8F000-memory.dmp    2.4MB
  memory/1704-0-0x00007FFAABEB0000-0x00007FFAABEB2000-memory.dmp    8KB
  memory/1704-1-0x0000000140000000-0x00000001412A9000-memory.dmp    18.7MB
  memory/1704-6-0x0000000140000000-0x00000001412A9000-memory.dmp    18.7MB
  memory/1704-7-0x0000000140000000-0x00000001412A9000-memory.dmp    18.7MB
  memory/1704-10-0x0000000140A1C000-0x0000000140C8F000-memory.dmp   2.4MB
  memory/1704-12-0x0000000140A1C000-0x0000000140C8F000-memory.dmp   2.4MB
  memory/1704-11-0x0000000140000000-0x00000001412A9000-memory.dmp   18.7MB