d8c56946b65ffcf4b6aa2bd510fefb626edcc2a135c07e2f0175686aa0e588e6

General

Target

02aa4aac6bc417b73d6ea452194252fe.exe
Size

786KB
MD5

02aa4aac6bc417b73d6ea452194252fe
SHA1

69d4e8942d6c3891a06b988ada2cb8a75fc738b5
SHA256

d8c56946b65ffcf4b6aa2bd510fefb626edcc2a135c07e2f0175686aa0e588e6
SHA512

c241466c03983fa0809836d61db44c640c2ae16d8349723327b6bf0cc5267c69ecf4c91c74ba7e948655ff3b4bf9dd72046e11d4d9a123f35f1dde40e63c4158
SSDEEP

12288:vyxPJa2s86jofrWEuxjcZxyPq8tf8sQ+PRtj3lDsmMHj3N6eiaFmhL+JigD:vyxPJ/s86szWEuKiflOmMDhPEhL+lD

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

02aa4aac6bc417b73d6ea452194252fe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ultrasearch.lnk	02aa4aac6bc417b73d6ea452194252fe.exe

Executes dropped EXE 1 IoCs

Processes:

GetX64BTIT.exe

pid process

4520 GetX64BTIT.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4520	GetX64BTIT.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

02aa4aac6bc417b73d6ea452194252fe.exe

pid	process
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe
2640	02aa4aac6bc417b73d6ea452194252fe.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

02aa4aac6bc417b73d6ea452194252fe.exe

pid process

2640 02aa4aac6bc417b73d6ea452194252fe.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

02aa4aac6bc417b73d6ea452194252fe.exe

description	pid	process	target process
PID 2640 wrote to memory of 4520	2640	02aa4aac6bc417b73d6ea452194252fe.exe	GetX64BTIT.exe
PID 2640 wrote to memory of 4520	2640	02aa4aac6bc417b73d6ea452194252fe.exe	GetX64BTIT.exe

C:\Users\Admin\AppData\Local\Temp\02aa4aac6bc417b73d6ea452194252fe.exe
"C:\Users\Admin\AppData\Local\Temp\02aa4aac6bc417b73d6ea452194252fe.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
2⤵
- Executes dropped EXE
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
Filesize
28B

MD5
989a17e9c6f2c6164dd19c18b90ad0d8

SHA1
dfc1f826f6a10f55acfe4965bc8c36abd7b77bbb

SHA256
da201b2b1ba4569b09202ce772c039dd483fdfffd3b9bcda28bee6d05393405b

SHA512
41a8e3af213b3b06b26403e5c22155d965a379dd141bed0d396e7686f303e8314ce77140dd07163b02598cdf62a8a2369da1168357ff0593542aa2a5954a3d58

Download Submit
memory/2640-5-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2640-6-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2640-1-0x0000000003490000-0x00000000034D0000-memory.dmp

Filesize
256KB

Download
memory/2640-8-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2640-2-0x0000000000A60000-0x0000000000B2A000-memory.dmp

Filesize
808KB

Download
memory/2640-4-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2640-14-0x0000000000A60000-0x0000000000B2A000-memory.dmp

Filesize
808KB

Download
memory/2640-16-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2640-17-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2640-3-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2640-24-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2640-26-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2640-31-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads