Windows Analysis Report
uddisrw.exe

Overview

General Information

Sample name: uddisrw.exe
Analysis ID: 1428519
MD5: 15b03679ef8ddd85d6af560205265ac9
SHA1: 10edae785656a023cc73b8de403bbf969d4d1c3b
SHA256: 9be8ed92ccdf8f8c499cfe6ba1d6981ec38a076d8de2a1f25a9a484a4ff1c52a
Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to detect sleep reduction / modifications
Deletes shadow drive data (may be related to ransomware)
Machine Learning detection for sample
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: uddisrw.exe ReversingLabs: Detection: 75%
Source: uddisrw.exe Virustotal: Detection: 62%
Source: uddisrw.exe Joe Sandbox ML: detected
Source: uddisrw.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00404F50 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00404F50
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00426ACC OpenClipboard,GlobalAlloc,GlobalFix,EmptyClipboard,SetClipboardData,GlobalUnWire, 0_2_00426ACC
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00420564 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 0_2_00420564
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00433E78 GetKeyboardState, 0_2_00433E78

Spam, unwanted Advertisements and Ransom Demands

Source: uddisrw.exe Binary or memory string: vssadmin delete shadows /for=c: /all
Source: uddisrw.exe Binary or memory string: vssadmin delete shadows /for=f: /all
Source: uddisrw.exe Binary or memory string: vssadmin delete shadows /for=d: /all
Source: uddisrw.exe Binary or memory string: vssadmin delete shadows /for=e: /all
Source: uddisrw.exe, 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vssadmin delete shadows /for=c: /all
Source: uddisrw.exe, 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vssadmin delete shadows /for=d: /all
Source: uddisrw.exe, 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vssadmin delete shadows /for=e: /all
Source: uddisrw.exe, 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vssadmin delete shadows /for=f: /all
Source: uddisrw.exe, 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vssadmin delete shadows /for=c: /allvssadmin delete shadows /for=d: /allvssadmin delete shadows /for=e: /allvssadmin delete shadows /for=f: /allRDP Admin RestoreSystem Restore Points cleared!Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.comU
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00436DF4 NtdllDefWindowProc_A,GetCapture, 0_2_00436DF4
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_004514F4 NtdllDefWindowProc_A, 0_2_004514F4
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0042842C NtdllDefWindowProc_A, 0_2_0042842C
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00446820 GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 0_2_00446820
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00451C9C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00451C9C
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00451D4C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00451D4C
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00446820 0_2_00446820
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0044B9EC 0_2_0044B9EC
Source: C:\Users\user\Desktop\uddisrw.exe Code function: String function: 00403E4C appears 68 times
Source: C:\Users\user\Desktop\uddisrw.exe Code function: String function: 00405F08 appears 61 times
Source: uddisrw.exe Static PE information: Section: UPX1 ZLIB complexity 0.9916666666666667
Source: classification engine Classification label: mal60.rans.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0041D9EC GetLastError,FormatMessageA, 0_2_0041D9EC
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_004082EA GetDiskFreeSpaceA, 0_2_004082EA
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00413670 FindResourceA, 0_2_00413670
Source: C:\Users\user\Desktop\uddisrw.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\uddisrw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\uddisrw.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\uddisrw.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\uddisrw.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00425A1C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00425A1C
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0043E388 push 0043E415h; ret 0_2_0043E40D
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_004261A8 push 004261F7h; ret 0_2_004261EF
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00426250 push 0042627Ch; ret 0_2_00426274
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00426218 push 00426244h; ret 0_2_0042623C
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_004262C8 push 004262F4h; ret 0_2_004262EC
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_004242EC push 00424318h; ret 0_2_00424310
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00426290 push 004262BCh; ret 0_2_004262B4
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_004242AC push 004242D8h; ret 0_2_004242D0
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00426300 push 0042632Ch; ret 0_2_00426324
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0043E320 push 0043E386h; ret 0_2_0043E37E
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00426338 push 00426364h; ret 0_2_0042635C
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_004263F0 push 0042641Ch; ret 0_2_00426414
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00426380 push 004263ACh; ret 0_2_004263A4
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_004263B8 push 004263E4h; ret 0_2_004263DC
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_004105D2 push 0041064Ah; ret 0_2_00410642
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_004105D4 push 0041064Ah; ret 0_2_00410642
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0041064C push 004106F4h; ret 0_2_004106EC
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0041A686 push 0041A733h; ret 0_2_0041A72B
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0041A688 push 0041A733h; ret 0_2_0041A72B
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0041A738 push 0041A7C8h; ret 0_2_0041A7C0
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_004107E0 push 0041080Ch; ret 0_2_00410804
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_004067F4 push ecx; mov dword ptr [esp], eax 0_2_004067F5
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0042886C push 004288AFh; ret 0_2_004288A7
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_004288E4 push 00428910h; ret 0_2_00428908
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0042891C push 00428954h; ret 0_2_0042894C
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00412938 push ecx; mov dword ptr [esp], edx 0_2_0041293D
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_004069D8 push 00406A04h; ret 0_2_004069FC
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_004289B0 push 004289DCh; ret 0_2_004289D4
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0041AA50 push 0041AA80h; ret 0_2_0041AA78
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0041AA54 push 0041AA80h; ret 0_2_0041AA78
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00406A10 push 00406A3Ch; ret 0_2_00406A34
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0045157C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_0045157C
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00438518 IsIconic,GetCapture, 0_2_00438518
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0044E5A4 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_0044E5A4
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00438DCC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_00438DCC
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_004396F0 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_004396F0
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00423D64 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00423D64

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0042D70C 0_2_0042D70C
Source: C:\Users\user\Desktop\uddisrw.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_00450AEC
Source: C:\Users\user\Desktop\uddisrw.exe API coverage: 5.9 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_00404F50 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00404F50
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0041DF7C GetSystemInfo, 0_2_0041DF7C
Source: C:\Users\user\Desktop\uddisrw.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405108
Source: C:\Users\user\Desktop\uddisrw.exe Code function: GetLocaleInfoA,GetACP, 0_2_0040C228
Source: C:\Users\user\Desktop\uddisrw.exe Code function: GetLocaleInfoA, 0_2_0040ABC0
Source: C:\Users\user\Desktop\uddisrw.exe Code function: GetLocaleInfoA, 0_2_0040AC0C
Source: C:\Users\user\Desktop\uddisrw.exe Code function: GetLocaleInfoA, 0_2_004059FE
Source: C:\Users\user\Desktop\uddisrw.exe Code function: GetLocaleInfoA, 0_2_00405A00
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0040965C GetLocalTime, 0_2_0040965C
Source: C:\Users\user\Desktop\uddisrw.exe Code function: 0_2_0043E388 GetVersion, 0_2_0043E388
No contacted IP infos