Analysis Overview
SHA256
6153872c1610031f5242968a5b2818fb307f800886262a0e932e9bcaeb980859
Threat Level: Known bad
The file #PO 4500515595 ULTRA TEC_1.zip was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Blocklisted process makes network request
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-11 18:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-11 18:41
Reported
2023-10-12 11:03
Platform
win7-20230831-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2828 set thread context of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2528 set thread context of 1192 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 2820 set thread context of 1192 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe
"C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gtpTbwW.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gtpTbwW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF8D0.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.therealopulent.com | udp |
| CA | 23.227.38.74:80 | www.therealopulent.com | tcp |
| US | 8.8.8.8:53 | www.paover.com | udp |
| CA | 72.10.173.130:80 | www.paover.com | tcp |
| US | 8.8.8.8:53 | www.cirbs.com | udp |
| US | 44.230.85.241:80 | www.cirbs.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpF8D0.tmp
| MD5 | 24ea0f7ce8c7b0e4a50b1a106027abe4 |
| SHA1 | a8567838ecf7544ed3aa332668822ac3b2e553b8 |
| SHA256 | efe6d31564707d553a06158373e2e00d28b1aa881f2bee59d25d00191afed12f |
| SHA512 | 895519826b4ac0038b585e71433795c82ef445b5716b9bf45b51f2fd79d929f399cea2553ece4d1c76def02fa5b2186cc7d1f672a4de3cc1069bb84b069f1963 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-11 18:41
Reported
2023-10-12 11:03
Platform
win10v2004-20230915-en
Max time kernel
170s
Max time network
172s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3840 set thread context of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4992 set thread context of 776 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 4992 set thread context of 776 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 3368 set thread context of 776 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe
"C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gtpTbwW.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gtpTbwW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.22.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.yccop.cfd | udp |
| US | 8.8.8.8:53 | www.wellhousesctx.com | udp |
| US | 35.212.127.26:80 | www.wellhousesctx.com | tcp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.aunoption.com | udp |
| TH | 147.50.231.116:80 | www.aunoption.com | tcp |
| US | 8.8.8.8:53 | www.wellhousesctx.com | udp |
| US | 35.212.127.26:80 | www.wellhousesctx.com | tcp |
| US | 8.8.8.8:53 | 116.231.50.147.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp
| MD5 | 91a17735fc66345ccca918b9384e53ba |
| SHA1 | 56065f0ae5d7eafd937e2b0578e40a86eae1d65a |
| SHA256 | f3fa972ce39f8177f330c0f3d351fc86b53fc4bacaa0cd9eebd4ad60265678ce |
| SHA512 | 8ebe5d17c153fe05b76516867c890b80dc88ad407819c321543cdb95e98d74f4fae52afab1e43fd176e8f3ce1868bc7bb1f48ceec4753f03501ebc6d55c7a75a |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gxxrvrnz.xng.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |