Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
11/10/2023, 18:41
Static task
static1
Behavioral task
behavioral1
Sample
#PO 4500515595 ULTRA TEC.exe
Resource
win7-20230831-en
General
-
Target
#PO 4500515595 ULTRA TEC.exe
-
Size
550KB
-
MD5
5adbfe3a05eb61b2d2620b6538dc5772
-
SHA1
8bee7a099e2c1753a62be196915da3756758e75c
-
SHA256
d404e5865cddbf47f6a494f9120130035b3ac5761810dc75e20bc28873327547
-
SHA512
5d66a876e199a1733c9c445cdb5d2c4d4842373a710c6a93c088d1d5456ef7c6a3308a56b1b00c5852457ec8db8108b1fe278f45b0dcc7b7433ea20b9e4a465c
-
SSDEEP
12288:JZ725ZbHWLBajVyuexPgAHsP3o4roF6Btp3P:uCQSxPgAIogPBth
Malware Config
Extracted
formbook
4.1
ey16
slimshotonline.com
rifaboa.com
metallzauber.com
jabandfuel.com
reacthat.com
qcgaeu.top
ssongg446.cfd
29kuan7.cfd
101agh.com
reliablii.com
luginfinity.com
e513.cloud
k4lantar.sbs
etoempire.com
phons.info
vovacom.com
birbakalim.fun
wellhousesctx.com
flthg.link
strasburgangus.com
warehouse-jobs-19432.bond
tisduallywheels.com
gbcontabilidade.com
nsyoiq.top
erlacx.xyz
graphic-design-degrees-us.xyz
therealopulent.com
genw.support
fmfo.asia
rrbookreviews.com
cirbs.com
afu-bf.net
northwesttheatreballet.com
koru.clinic
railway-tandoori.com
dumpsterrentalreading.com
73a73.com
ysudveg.buzz
y0rvragmr5.com
dataroomfiscale.com
jbfinishing.com
dcm393.com
nebulousharmony.bet
solaldesign.com
ssongg4323.cfd
rentingstudio.com
affiliatemarketingjoy.com
cvilleflowerfarm.com
huhubet505.com
bigpeople.top
casaalmafurniture.com
yccop.cfd
moviescoutt.com
wholemind.store
hvvwff.net
xn--srsz50dqxa5xb3rn52a.com
aunoption.com
zgtiku.com
jnbks.link
alqalamacademy.net
fly-destiny.com
servprowestpalm.com
itdev.life
paover.com
trsmine.com
Signatures
-
Formbook payload 4 IoCs
resource yara_rule behavioral1/memory/2528-23-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2528-28-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2820-35-0x0000000000080000-0x00000000000AF000-memory.dmp formbook behavioral1/memory/2820-37-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2828 set thread context of 2528 2828 #PO 4500515595 ULTRA TEC.exe 36 PID 2528 set thread context of 1192 2528 RegSvcs.exe 11 PID 2820 set thread context of 1192 2820 help.exe 11 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2648 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 21 IoCs
pid Process 2828 #PO 4500515595 ULTRA TEC.exe 2828 #PO 4500515595 ULTRA TEC.exe 2828 #PO 4500515595 ULTRA TEC.exe 2828 #PO 4500515595 ULTRA TEC.exe 2528 RegSvcs.exe 2528 RegSvcs.exe 2720 powershell.exe 2820 help.exe 2820 help.exe 2820 help.exe 2820 help.exe 2820 help.exe 2820 help.exe 2820 help.exe 2820 help.exe 2820 help.exe 2820 help.exe 2820 help.exe 2820 help.exe 2820 help.exe 2820 help.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1192 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 2528 RegSvcs.exe 2528 RegSvcs.exe 2528 RegSvcs.exe 2820 help.exe 2820 help.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2828 #PO 4500515595 ULTRA TEC.exe Token: SeDebugPrivilege 2528 RegSvcs.exe Token: SeDebugPrivilege 2720 powershell.exe Token: SeDebugPrivilege 2820 help.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 2828 wrote to memory of 2720 2828 #PO 4500515595 ULTRA TEC.exe 30 PID 2828 wrote to memory of 2720 2828 #PO 4500515595 ULTRA TEC.exe 30 PID 2828 wrote to memory of 2720 2828 #PO 4500515595 ULTRA TEC.exe 30 PID 2828 wrote to memory of 2720 2828 #PO 4500515595 ULTRA TEC.exe 30 PID 2828 wrote to memory of 2648 2828 #PO 4500515595 ULTRA TEC.exe 32 PID 2828 wrote to memory of 2648 2828 #PO 4500515595 ULTRA TEC.exe 32 PID 2828 wrote to memory of 2648 2828 #PO 4500515595 ULTRA TEC.exe 32 PID 2828 wrote to memory of 2648 2828 #PO 4500515595 ULTRA TEC.exe 32 PID 2828 wrote to memory of 2688 2828 #PO 4500515595 ULTRA TEC.exe 34 PID 2828 wrote to memory of 2688 2828 #PO 4500515595 ULTRA TEC.exe 34 PID 2828 wrote to memory of 2688 2828 #PO 4500515595 ULTRA TEC.exe 34 PID 2828 wrote to memory of 2688 2828 #PO 4500515595 ULTRA TEC.exe 34 PID 2828 wrote to memory of 2688 2828 #PO 4500515595 ULTRA TEC.exe 34 PID 2828 wrote to memory of 2688 2828 #PO 4500515595 ULTRA TEC.exe 34 PID 2828 wrote to memory of 2688 2828 #PO 4500515595 ULTRA TEC.exe 34 PID 2828 wrote to memory of 2040 2828 #PO 4500515595 ULTRA TEC.exe 35 PID 2828 wrote to memory of 2040 2828 #PO 4500515595 ULTRA TEC.exe 35 PID 2828 wrote to memory of 2040 2828 #PO 4500515595 ULTRA TEC.exe 35 PID 2828 wrote to memory of 2040 2828 #PO 4500515595 ULTRA TEC.exe 35 PID 2828 wrote to memory of 2040 2828 #PO 4500515595 ULTRA TEC.exe 35 PID 2828 wrote to memory of 2040 2828 #PO 4500515595 ULTRA TEC.exe 35 PID 2828 wrote to memory of 2040 2828 #PO 4500515595 ULTRA TEC.exe 35 PID 2828 wrote to memory of 2528 2828 #PO 4500515595 ULTRA TEC.exe 36 PID 2828 wrote to memory of 2528 2828 #PO 4500515595 ULTRA TEC.exe 36 PID 2828 wrote to memory of 2528 2828 #PO 4500515595 ULTRA TEC.exe 36 PID 2828 wrote to memory of 2528 2828 #PO 4500515595 ULTRA TEC.exe 36 PID 2828 wrote to memory of 2528 2828 #PO 4500515595 ULTRA TEC.exe 36 PID 2828 wrote to memory of 2528 2828 #PO 4500515595 ULTRA TEC.exe 36 PID 2828 wrote to memory of 2528 2828 #PO 4500515595 ULTRA TEC.exe 36 PID 2828 wrote to memory of 2528 2828 #PO 4500515595 ULTRA TEC.exe 36 PID 2828 wrote to memory of 2528 2828 #PO 4500515595 ULTRA TEC.exe 36 PID 2828 wrote to memory of 2528 2828 #PO 4500515595 ULTRA TEC.exe 36 PID 1192 wrote to memory of 2820 1192 Explorer.EXE 37 PID 1192 wrote to memory of 2820 1192 Explorer.EXE 37 PID 1192 wrote to memory of 2820 1192 Explorer.EXE 37 PID 1192 wrote to memory of 2820 1192 Explorer.EXE 37 PID 2820 wrote to memory of 1868 2820 help.exe 38 PID 2820 wrote to memory of 1868 2820 help.exe 38 PID 2820 wrote to memory of 1868 2820 help.exe 38 PID 2820 wrote to memory of 1868 2820 help.exe 38
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe"C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gtpTbwW.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gtpTbwW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF8D0.tmp"3⤵
- Creates scheduled task(s)
PID:2648
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵PID:2688
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵PID:2040
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
-
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵PID:1868
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD524ea0f7ce8c7b0e4a50b1a106027abe4
SHA1a8567838ecf7544ed3aa332668822ac3b2e553b8
SHA256efe6d31564707d553a06158373e2e00d28b1aa881f2bee59d25d00191afed12f
SHA512895519826b4ac0038b585e71433795c82ef445b5716b9bf45b51f2fd79d929f399cea2553ece4d1c76def02fa5b2186cc7d1f672a4de3cc1069bb84b069f1963