Analysis Report USD67,884.08_Payment_Advise_9083008849.exe

Overview

General Information

Sample Name: USD67,884.08_Payment_Advise_9083008849.exe
Analysis ID: 321416
MD5: 947edeb169369ac67c5448cc2f8104a3
SHA1: 5d2181f018ab4b8afd6b193e4651233b44ad7d62
SHA256: 3a89a79e825bf330e3ea46f6a5f548529b642dc61219a8deeaec070a0688a08e
Tags: AgentTesla, exe, HSBC

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: USD67,884.08_Payment_Advise_9083008849.exe Virustotal: Detection: 40%
Source: USD67,884.08_Payment_Advise_9083008849.exe ReversingLabs: Detection: 22%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: USD67,884.08_Payment_Advise_9083008849.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.2.Uclldrv.exe.2ab0000.5.unpack Avira: Label: TR/Hijacker.Gen
Source: 13.2.Uclldrv.exe.45e0000.6.unpack Avira: Label: TR/Dropper.Gen

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 4x nop then xor edx, edx 0_3_03ED6A44
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 4x nop then xor eax, eax 0_3_03EC9170
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 4x nop then mov eax, dword ptr [ebx] 0_3_03EC8F90
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 4x nop then xor eax, eax 0_3_03ED6E58
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 4x nop then xor eax, eax 0_3_03ED6E58
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 4x nop then xor edx, edx 0_3_03EC8D5C
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 4x nop then mov eax, dword ptr [ebx] 0_3_03ED6C78
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 4x nop then xor edx, edx 0_3_03EBFAAC
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 4x nop then xor eax, eax 0_3_03EBFEC0
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 4x nop then xor eax, eax 0_3_03EBFEC0
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 4x nop then mov eax, dword ptr [ebx] 0_3_03EBFCE0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then xor edx, edx 13_3_03F26A44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then xor eax, eax 13_3_03F19170
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then mov eax, dword ptr [ebx] 13_3_03F18F90
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then xor eax, eax 13_3_03F26E58
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then xor eax, eax 13_3_03F26E58
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then xor edx, edx 13_3_03F18D5C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then mov eax, dword ptr [ebx] 13_3_03F26C78
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then xor edx, edx 13_3_03F0FAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then xor eax, eax 13_3_03F0FEC0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then xor eax, eax 13_3_03F0FEC0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then mov eax, dword ptr [ebx] 13_3_03F0FCE0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then mov eax, dword ptr [ebx] 16_3_03F48F90
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then xor edx, edx 16_3_03F48D5C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then xor eax, eax 16_3_03F49506
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then mov eax, dword ptr [ebx] 16_3_03F56C78
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then xor edx, edx 16_3_03F3FAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then xor eax, eax 16_3_03F40256
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 4x nop then mov eax, dword ptr [ebx] 16_3_03F3FCE0

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8 HTTP/1.1 Host: airseaalliance.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8 HTTP/1.1 Host: airseaalliance.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8 HTTP/1.1 Host: airseaalliance.com Cache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.159.136.232
Source: Joe Sandbox View IP Address: 162.159.138.232
Source: global traffic HTTP traffic detected: GET /wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8 HTTP/1.1 Host: airseaalliance.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8 HTTP/1.1 Host: airseaalliance.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8 HTTP/1.1 Host: airseaalliance.com Cache-Control: no-cache
Source: unknown DNS traffic detected: queries for: discord.com
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp, Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Uclldrv.exe, 0000000D.00000002.363645356.0000000003FF0000.00000004.00000001.sdmp, Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: http://airseaalliance.co
Source: Uclldrv.exe, 0000000D.00000002.363645356.0000000003FF0000.00000004.00000001.sdmp, Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: http://airseaalliance.com/wp
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: http://airseaalliance.com/wp-adm0
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: http://airseaalliance.com/wp-admin/t
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: http://airseaalliance.com/wp-admin/twent
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-se
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-sevent8
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/7009$
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/70099875
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll0848
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll08488374H
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8
Source: Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp String found in binary or memory: http://hHeaxI.com
Source: Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp, Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Uclldrv.exe, 0000000D.00000002.363645356.0000000003FF0000.00000004.00000001.sdmp, Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: https://discord.com/
Source: Uclldrv.exe, 0000000D.00000002.363645356.0000000003FF0000.00000004.00000001.sdmp, Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp String found in binary or memory: https://discord.com/J
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp, Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Window created: window name: CLIPBRDWNDCLASS
Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: Uclldrv.exe PID: 6756, type: MEMORY

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: USD67,884.08_Payment_Advise_9083008849.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECBAC4 0_3_03ECBAC4
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECBA44 0_3_03ECBA44
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECBA42 0_3_03ECBA42
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC9170 0_3_03EC9170
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC9931 0_3_03EC9931
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED6E58 0_3_03ED6E58
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED6E58 0_3_03ED6E58
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EBFEC0 0_3_03EBFEC0
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EBFEC0 0_3_03EBFEC0
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_00408C60 5_2_00408C60
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_0040DC11 5_2_0040DC11
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_00407C3F 5_2_00407C3F
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_00418CCC 5_2_00418CCC
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_00406CA0 5_2_00406CA0
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_004028B0 5_2_004028B0
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_0041A4BE 5_2_0041A4BE
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_00418244 5_2_00418244
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_00401650 5_2_00401650
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_00402F20 5_2_00402F20
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_004193C4 5_2_004193C4
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_00418788 5_2_00418788
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_00402F89 5_2_00402F89
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_00402B90 5_2_00402B90
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_004073A0 5_2_004073A0
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_022A0C60 5_2_022A0C60
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_022A0C50 5_2_022A0C50
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_04A80006 5_2_04A80006
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_04A80040 5_2_04A80040
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_05A82D58 5_2_05A82D58
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_05A84C70 5_2_05A84C70
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_05A82140 5_2_05A82140
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_05A82488 5_2_05A82488
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 13_3_03F1BAC4 13_3_03F1BAC4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 13_3_03F1BA42 13_3_03F1BA42
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 13_3_03F1BA44 13_3_03F1BA44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 13_3_03F19170 13_3_03F19170
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 13_3_03F19931 13_3_03F19931
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 13_3_03F26E58 13_3_03F26E58
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 13_3_03F26E58 13_3_03F26E58
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 13_3_03F0FEC0 13_3_03F0FEC0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 13_3_03F0FEC0 13_3_03F0FEC0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 16_3_03F4BAC4 16_3_03F4BAC4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 16_3_03F4BA44 16_3_03F4BA44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 16_3_03F4BA42 16_3_03F4BA42
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 16_3_03F49931 16_3_03F49931
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_00408C60 18_2_00408C60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_0040DC11 18_2_0040DC11
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_00407C3F 18_2_00407C3F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_00418CCC 18_2_00418CCC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_00406CA0 18_2_00406CA0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_004028B0 18_2_004028B0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_0041A4BE 18_2_0041A4BE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_00418244 18_2_00418244
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_00401650 18_2_00401650
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_00402F20 18_2_00402F20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_004193C4 18_2_004193C4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_00418788 18_2_00418788
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_00402F89 18_2_00402F89
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_00402B90 18_2_00402B90
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_004073A0 18_2_004073A0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_02340C60 18_2_02340C60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_02340C50 18_2_02340C50
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_04F90040 18_2_04F90040
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_04F9003A 18_2_04F9003A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_04F99283 18_2_04F99283
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_05A82FA0 18_2_05A82FA0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_05A82388 18_2_05A82388
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_05A84EB0 18_2_05A84EB0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_05A826D0 18_2_05A826D0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_1_00408C60 18_1_00408C60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_1_0040DC11 18_1_0040DC11
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_1_00407C3F 18_1_00407C3F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_1_00418CCC 18_1_00418CCC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_1_00406CA0 18_1_00406CA0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_1_004028B0 18_1_004028B0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_1_0041A4BE 18_1_0041A4BE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_1_00418244 18_1_00418244
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_1_00401650 18_1_00401650
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_1_00402F20 18_1_00402F20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_1_004193C4 18_1_004193C4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_1_00418788 18_1_00418788
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_1_00402F89 18_1_00402F89
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_1_00402B90 18_1_00402B90
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_1_004073A0 18_1_004073A0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: String function: 0040D606 appears 48 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: String function: 0040E1D8 appears 88 times
PE / OLE file has an invalid certificate
Source: USD67,884.08_Payment_Advise_9083008849.exe Static PE information: invalid certificate
PE file contains strange resources
Source: USD67,884.08_Payment_Advise_9083008849.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Uclldrv.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477801759.0000000005630000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.468175139.00000000023E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameygwxuBNDsCnleMFrPILFrkECdmuYRRQwMZPAraQ.exe4 vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.468175139.00000000023E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilename_.dll4 vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.468624139.0000000002490000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477770135.0000000005620000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.468661954.00000000024A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.469808808.000000000262A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameclrjit.dllT vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.469808808.000000000262A000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.469808808.000000000262A000.00000004.00000001.sdmp Binary or memory string: m,\\StringFileInfo\\040904B0\\OriginalFilename vs USD67,884.08_Payment_Advise_9083008849.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Section loaded: mscorjit.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Section loaded: mscorjit.dll
Yara signature match
Source: 0000000D.00000002.362836092.0000000002AC7000.00000020.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000D.00000002.362836092.0000000002AC7000.00000020.00000001.sdmp, type: MEMORY Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: C:\Users\user\AppData\Local\llcU.url, type: DROPPED Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\llcU.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\llcU.url, type: DROPPED Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/5@6/4
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 5_2_004019F0
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 5_2_004019F0
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Command line argument: 08A 18_2_00413780
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Command line argument: 08A 18_2_00413780
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Command line argument: 08A 18_1_00413780
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: USD67,884.08_Payment_Advise_9083008849.exe Virustotal: Detection: 40%
Source: USD67,884.08_Payment_Advise_9083008849.exe ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe File read: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
Source: unknown Process created: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe 'C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe'
Source: unknown Process created: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Process created: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: _.pdb source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.468175139.00000000023E0000.00000004.00000001.sdmp, Uclldrv.exe, 00000012.00000002.469055192.00000000025F0000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Unpacked PE file: 18.2.Uclldrv.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Unpacked PE file: 18.2.Uclldrv.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 5_2_004019F0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED2BC8 push 0040547Ch; ret 0_3_03ED2BEC
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED63C4 push 00408CBBh; ret 0_3_03ED642B
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED2BC6 push 0040547Ch; ret 0_3_03ED2BEC
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED63C2 push 00408CBBh; ret 0_3_03ED642B
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED6B9C push ecx; mov dword ptr [esp], eax 0_3_03ED6B9F
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED6244 push 00408C48h; ret 0_3_03ED63B8
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC4A28 push 00404FE9h; ret 0_3_03EC4A71
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED2A28 push 004052DCh; ret 0_3_03ED2A4C
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED29EE push 004052A4h; ret 0_3_03ED2A14
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED29F0 push 004052A4h; ret 0_3_03ED2A14
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECA1D8 push 14004056h; retn 0040h 0_3_03ECA1DD
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECC1AC push 0040A2B5h; ret 0_3_03ECC215
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC5198 push 00405734h; ret 0_3_03EC51BC
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECC124 push 0040A1F2h; ret 0_3_03ECC152
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECC122 push 0040A1F2h; ret 0_3_03ECC152
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC87CC push 00408D60h; ret 0_3_03EC87E8
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC87C4 push 00408D60h; ret 0_3_03EC87E8
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC87C2 push 00408D60h; ret 0_3_03EC87E8
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC878C push 00408D20h; ret 0_3_03EC87A8
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC8784 push 00408D20h; ret 0_3_03EC87A8
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC8782 push 00408D20h; ret 0_3_03EC87A8
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC5F60 push ecx; mov dword ptr [esp], eax 0_3_03EC5F61
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC4F18 push 00405734h; ret 0_3_03EC51BC
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED2710 push 00404FE9h; ret 0_3_03ED2759
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC4EE8 push 0040547Ch; ret 0_3_03EC4F04
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC4EE0 push 0040547Ch; ret 0_3_03EC4F04
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC86DC push 00408CBBh; ret 0_3_03EC8743
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC4EDE push 0040547Ch; ret 0_3_03EC4F04
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC86DA push 00408CBBh; ret 0_3_03EC8743
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECC6A0 push 14004056h; retn 0040h 0_3_03ECC6A5
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC8EB4 push ecx; mov dword ptr [esp], eax 0_3_03EC8EB7

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Ucll
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 5_2_004019F0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Window / User API: threadDelayed 661
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Window / User API: threadDelayed 471
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 6140 Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 6140 Thread sleep count: 661 > 30
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -59500s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -59312s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -58906s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -58406s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -58218s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -57812s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -57312s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -56906s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -56718s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -56218s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -55812s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -55594s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -54906s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -54718s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -53812s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -53594s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -53406s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -53218s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -52718s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -52312s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -51406s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -51218s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -51000s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -50094s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -49718s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -49218s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -49000s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -48812s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -48594s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -47500s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -46812s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -46594s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -46218s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe TID: 2408 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe TID: 2416 Thread sleep count: 471 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe TID: 2408 Thread sleep time: -30000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Last function: Thread delayed
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477801759.0000000005630000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.477856684.0000000005230000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477801759.0000000005630000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.477856684.0000000005230000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477801759.0000000005630000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.477856684.0000000005230000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477801759.0000000005630000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.477856684.0000000005230000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0040CE09
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 5_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 5_2_004019F0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_0040ADB0 GetProcessHeap,HeapFree, 5_2_0040ADB0
Enables debug privileges
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0040CE09
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0040E61C
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00416F6A
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_004123F1 SetUnhandledExceptionFilter, 5_2_004123F1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_0040CE09
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_0040E61C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00416F6A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: 18_2_004123F1 SetUnhandledExceptionFilter, 18_2_004123F1
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Memory written: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Memory written: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Process created: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.467234236.0000000000D10000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.467936207.0000000000D90000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.467234236.0000000000D10000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.467936207.0000000000D90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.467234236.0000000000D10000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.467936207.0000000000D90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.467234236.0000000000D10000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.467936207.0000000000D90000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: GetLocaleInfoA, 5_2_00417A20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: GetLocaleInfoA, 18_2_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 5_2_00412A15
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_05A849A4 GetUserNameW, 5_2_05A849A4
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.468175139.00000000023E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.469055192.00000000025F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.358872577.0000000000852000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.281256788.00000000006D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.477031647.0000000004A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.474318013.00000000036C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.468146329.00000000021D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.467456643.0000000002154000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.473405683.00000000035D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.477297812.0000000004F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Uclldrv.exe PID: 6868, type: MEMORY
Source: Yara match File source: Process Memory Space: USD67,884.08_Payment_Advise_9083008849.exe PID: 6248, type: MEMORY
Source: Yara match File source: 18.2.Uclldrv.exe.25f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Uclldrv.exe.25f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.USD67,884.08_Payment_Advise_9083008849.exe.4a10000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Uclldrv.exe.4f00000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.USD67,884.08_Payment_Advise_9083008849.exe.23e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Uclldrv.exe.4f00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.USD67,884.08_Payment_Advise_9083008849.exe.4a10000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.USD67,884.08_Payment_Advise_9083008849.exe.23e0000.1.raw.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Uclldrv.exe PID: 6868, type: MEMORY
Source: Yara match File source: Process Memory Space: USD67,884.08_Payment_Advise_9083008849.exe PID: 6248, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Behavior Graph (ID: 321416; Sample: USD67,884.08_Payment_Advise_9083008849.exe; Startdate: 21/11/2020; Architecture: WINDOWS; Score: 100). Content recoverable from the graph:

  • Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected AgentTesla; Machine Learning detection for sample; Initial sample is a PE file and has a suspicious name.
  • USD67,884.08_Payment_Advise_9083008849.exe: contacts airseaalliance.com (198.136.51.123, ports 49708, 49734, 49739) and discord.com (162.159.136.232, port 443); drops C:\Users\user\AppData\Local\...\Uclldrv.exe (PE32); starts a child copy of itself. Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes.
  • Uclldrv.exe (started twice from the dropped file): contacts 162.159.138.232 (port 443) and 192.168.2.1; starts a child copy of itself. Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file.

Contacted Public IPs

IP               Domain    Country         ASN    ASN Name         Malicious
162.159.136.232  unknown   United States   13335  CLOUDFLARENETUS  false
198.136.51.123   unknown   United States   33182  DIMENOCUS        false
162.159.138.232  unknown   United States   13335  CLOUDFLARENETUS  false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
discord.com 162.159.136.232 true
airseaalliance.com 198.136.51.123 true

Contacted URLs

Name: http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown