Analysis
-
max time kernel
170s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
11/10/2023, 18:41
Static task
static1
Behavioral task
behavioral1
Sample
#PO 4500515595 ULTRA TEC.exe
Resource
win7-20230831-en
General
-
Target
#PO 4500515595 ULTRA TEC.exe
-
Size
550KB
-
MD5
5adbfe3a05eb61b2d2620b6538dc5772
-
SHA1
8bee7a099e2c1753a62be196915da3756758e75c
-
SHA256
d404e5865cddbf47f6a494f9120130035b3ac5761810dc75e20bc28873327547
-
SHA512
5d66a876e199a1733c9c445cdb5d2c4d4842373a710c6a93c088d1d5456ef7c6a3308a56b1b00c5852457ec8db8108b1fe278f45b0dcc7b7433ea20b9e4a465c
-
SSDEEP
12288:JZ725ZbHWLBajVyuexPgAHsP3o4roF6Btp3P:uCQSxPgAIogPBth
Malware Config
Extracted
formbook
4.1
ey16
slimshotonline.com
rifaboa.com
metallzauber.com
jabandfuel.com
reacthat.com
qcgaeu.top
ssongg446.cfd
29kuan7.cfd
101agh.com
reliablii.com
luginfinity.com
e513.cloud
k4lantar.sbs
etoempire.com
phons.info
vovacom.com
birbakalim.fun
wellhousesctx.com
flthg.link
strasburgangus.com
warehouse-jobs-19432.bond
tisduallywheels.com
gbcontabilidade.com
nsyoiq.top
erlacx.xyz
graphic-design-degrees-us.xyz
therealopulent.com
genw.support
fmfo.asia
rrbookreviews.com
cirbs.com
afu-bf.net
northwesttheatreballet.com
koru.clinic
railway-tandoori.com
dumpsterrentalreading.com
73a73.com
ysudveg.buzz
y0rvragmr5.com
dataroomfiscale.com
jbfinishing.com
dcm393.com
nebulousharmony.bet
solaldesign.com
ssongg4323.cfd
rentingstudio.com
affiliatemarketingjoy.com
cvilleflowerfarm.com
huhubet505.com
bigpeople.top
casaalmafurniture.com
yccop.cfd
moviescoutt.com
wholemind.store
hvvwff.net
xn--srsz50dqxa5xb3rn52a.com
aunoption.com
zgtiku.com
jnbks.link
alqalamacademy.net
fly-destiny.com
servprowestpalm.com
itdev.life
paover.com
trsmine.com
Signatures
-
Formbook payload 5 IoCs
resource yara_rule behavioral2/memory/4992-22-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/4992-41-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/4992-69-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/3368-81-0x0000000000550000-0x000000000057F000-memory.dmp formbook behavioral2/memory/3368-84-0x0000000000550000-0x000000000057F000-memory.dmp formbook -
Blocklisted process makes network request 1 IoCs
flow pid Process 71 3368 wscript.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation #PO 4500515595 ULTRA TEC.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 3840 set thread context of 4992 3840 #PO 4500515595 ULTRA TEC.exe 102 PID 4992 set thread context of 776 4992 RegSvcs.exe 54 PID 4992 set thread context of 776 4992 RegSvcs.exe 54 PID 3368 set thread context of 776 3368 wscript.exe 54 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2164 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 3540 powershell.exe 4992 RegSvcs.exe 4992 RegSvcs.exe 3540 powershell.exe 4992 RegSvcs.exe 4992 RegSvcs.exe 4992 RegSvcs.exe 4992 RegSvcs.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe 3368 wscript.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 776 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 4992 RegSvcs.exe 4992 RegSvcs.exe 4992 RegSvcs.exe 4992 RegSvcs.exe 3368 wscript.exe 3368 wscript.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3540 powershell.exe Token: SeDebugPrivilege 4992 RegSvcs.exe Token: SeShutdownPrivilege 776 Explorer.EXE Token: SeCreatePagefilePrivilege 776 Explorer.EXE Token: SeDebugPrivilege 3368 wscript.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3840 wrote to memory of 3540 3840 #PO 4500515595 ULTRA TEC.exe 98 PID 3840 wrote to memory of 3540 3840 #PO 4500515595 ULTRA TEC.exe 98 PID 3840 wrote to memory of 3540 3840 #PO 4500515595 ULTRA TEC.exe 98 PID 3840 wrote to memory of 2164 3840 #PO 4500515595 ULTRA TEC.exe 100 PID 3840 wrote to memory of 2164 3840 #PO 4500515595 ULTRA TEC.exe 100 PID 3840 wrote to memory of 2164 3840 #PO 4500515595 ULTRA TEC.exe 100 PID 3840 wrote to memory of 4992 3840 #PO 4500515595 ULTRA TEC.exe 102 PID 3840 wrote to memory of 4992 3840 #PO 4500515595 ULTRA TEC.exe 102 PID 3840 wrote to memory of 4992 3840 #PO 4500515595 ULTRA TEC.exe 102 PID 3840 wrote to memory of 4992 3840 #PO 4500515595 ULTRA TEC.exe 102 PID 3840 wrote to memory of 4992 3840 #PO 4500515595 ULTRA TEC.exe 102 PID 3840 wrote to memory of 4992 3840 #PO 4500515595 ULTRA TEC.exe 102 PID 776 wrote to memory of 3368 776 Explorer.EXE 106 PID 776 wrote to memory of 3368 776 Explorer.EXE 106 PID 776 wrote to memory of 3368 776 Explorer.EXE 106 PID 3368 wrote to memory of 3804 3368 wscript.exe 107 PID 3368 wrote to memory of 3804 3368 wscript.exe 107 PID 3368 wrote to memory of 3804 3368 wscript.exe 107
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe"C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe"2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gtpTbwW.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3540
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gtpTbwW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp"3⤵
- Creates scheduled task(s)
PID:2164
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4992
-
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵PID:400
-
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:2692
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵PID:5044
-
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵PID:3804
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD591a17735fc66345ccca918b9384e53ba
SHA156065f0ae5d7eafd937e2b0578e40a86eae1d65a
SHA256f3fa972ce39f8177f330c0f3d351fc86b53fc4bacaa0cd9eebd4ad60265678ce
SHA5128ebe5d17c153fe05b76516867c890b80dc88ad407819c321543cdb95e98d74f4fae52afab1e43fd176e8f3ce1868bc7bb1f48ceec4753f03501ebc6d55c7a75a