Overview

overview

3

Static

static

1

UltraFuck.zip

windows10-1703-x64

1

UltraFuck.luac

windows10-1703-x64

3

resource/f...00.ttf

windows10-1703-x64

3

resource/f...nt.ttf

windows10-1703-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01-02-2024 20:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    UltraFuck.luac

  • Size

    148KB

  • MD5

    f68f911a22031fd61e52ff06245b30b9

  • SHA1

    017cd406a22f94e438799fce998f0de82d2008ad

  • SHA256

    8add7b0b389fa5cfb0ebc9fc5da10c8b9c29c1068748708440f9d9e72958d4bc

  • SHA512

    177a4f53feb5c0561608bd19d7ca14735be34577d4b5d89bb9e47d219c797bec1a5dc4324e5ff3e98af294030736e0b5acb64ce56d154aa4d8a008e85e9e92c7

  • SSDEEP

    3072:kISUKOHpGU7jbzFkaQ5Bjf3e6bP1b66rOcvyLaLorNkVc:ZLfpVnaaQDrPR661qmaNkVc

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 35 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\UltraFuck.luac
    1⤵
    • Modifies registry class
    PID:4692
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4332
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\UltraFuck.luac"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\UltraFuck.luac
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4664
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4664.0.751640771\1989664278" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cca0fe3-798b-4df2-a49e-fa703cf3b535} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" 1796 1bf53ec5d58 gpu
          4⤵
            PID:4172
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4664.1.1551981797\835414216" -parentBuildID 20221007134813 -prefsHandle 2160 -prefMapHandle 2156 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52cfde43-785a-48af-b5da-97d46309f8f1} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" 2172 1bf53e03258 socket
            4⤵
            • Checks processor information in registry
            PID:3700
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4664.2.1283022438\741699994" -childID 1 -isForBrowser -prefsHandle 2764 -prefMapHandle 2744 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ba3d4b3-820a-481e-95f3-02488d374c59} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" 2800 1bf580d6958 tab
            4⤵
              PID:4636
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4664.3.22797105\1988273141" -childID 2 -isForBrowser -prefsHandle 3368 -prefMapHandle 3364 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26efa2e7-e683-4937-b843-c8a2514bb063} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" 3412 1bf41b63e58 tab
              4⤵
                PID:1700
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4664.5.956512082\1539260109" -childID 4 -isForBrowser -prefsHandle 5000 -prefMapHandle 5004 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b810f5a6-23d1-4308-b706-dba2ea5ad5fc} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" 4992 1bf5a8bd258 tab
                4⤵
                  PID:3628
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4664.4.957173066\788673070" -childID 3 -isForBrowser -prefsHandle 4808 -prefMapHandle 4840 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c54bafd3-0b31-4f89-9514-28aa780f4642} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" 4852 1bf5a8bc358 tab
                  4⤵
                    PID:2264
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4664.6.1648709649\1455302757" -childID 5 -isForBrowser -prefsHandle 5276 -prefMapHandle 5272 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f832e41f-2cf2-45a0-ac15-4c188f2234c9} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" 5292 1bf566e2258 tab
                    4⤵
                      PID:1492

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Discovery

              System Information Discovery

              2
              T1082

              Query Registry

              2
              T1012

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n69gspjk.default-release\datareporting\glean\db\data.safe.bin
                Filesize

                2KB

                MD5

                1920e8dda160be4f83880b3f71a1de17

                SHA1

                4aca4a2572ff3cff4058d709472c405b5e960297

                SHA256

                c5e8e62067b8261c4fe1605a9ffc9bbf873602d0fbf6e892b59cf605a22b3d9d

                SHA512

                b5ab57fa8f7ea65e12852a250fd2c18864f267f6c4d42028a23f931b97d646db541a878e8ef60d14a765c10187ae384903b5c70db33c0edc3a2d06d4012fc35f

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n69gspjk.default-release\datareporting\glean\pending_pings\78beda1b-e04a-4a50-99e2-72149abe53e1
                Filesize

                11KB

                MD5

                18a70f4fac64ec4d10ba9f519f34c87b

                SHA1

                e67b221dfde3d36d8c69b8f7863f3691c180ed5c

                SHA256

                015ae4f81dc26d29ca4903216f1ab7449a0069b853ec4122b248b77e5b0f36fb

                SHA512

                80c39586c61cff85a68c5a5a5e93276414b040f92b174fb7a94b77dfef1966693ca0346ec20bd46df17181fddc674004384151617bb08793f61a02a07a724906

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n69gspjk.default-release\datareporting\glean\pending_pings\ef8130cb-fb67-44bc-8f50-740d9301ac43
                Filesize

                746B

                MD5

                b7972ba32ee67fd1626237b156e50b2c

                SHA1

                bf03f875101438e6030a22ba63fdf3a6a2fb58a6

                SHA256

                06060ebbe2212b048ba2940285cfad9265304e30f5803ee472173def5fe44ccc

                SHA512

                6d2cce755472e1c8cad9fbc0d8da6212929ee413f4930393333e1c3d30560519b375d9033949783b81ee413c6dac8f29a61b77a91e5299eadbc19c848485a3c4

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n69gspjk.default-release\prefs-1.js
                Filesize

                6KB

                MD5

                54abacee7963c6c445c6ccb32e918e2d

                SHA1

                4a39ffa5bb11cfcd0a4b461bb26d533b7263c23b

                SHA256

                4a4f92c20774fdcc217ed2509c5d5b036731263f10ccb31ce9e7424ba0b217bc

                SHA512

                528b9555c06e4d010ae1bd151369f0f7114fe774071b2488acb90c9bf4175e0f7b2f15e72535e60d55a692f0187413ca4ebf8228449dbaaea1abb01c7e0e9202

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n69gspjk.default-release\prefs.js
                Filesize

                6KB

                MD5

                6f218c403213de272c86e4f91988c060

                SHA1

                916621371f521e90678ff81fc4201efff7168f4b

                SHA256

                94af489bc5c706caffe7ed468ff30d083a76fb43df2ade150231865814e7d67a

                SHA512

                2067fa14f6a8932be6f16ff4516b5a13f9aa350d01994b1ffeae4b65f6569985a31082f9d198af698eaeda4ca84ec89f8e00ff1e609ca72885e4ecc8488f512b

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n69gspjk.default-release\prefs.js
                Filesize

                6KB

                MD5

                9316cc97a3ea115c33eb6042fff6aed0

                SHA1

                0d8debcdfd9ce7829794b433a06a97022e016c63

                SHA256

                eea45ed0072700bc31af879b3e2b83b7a5501cbf6128dd0334e1327da49dac3c

                SHA512

                6a3265e82c6dc2deef25326b6f822d0a64b5ae4fbcdadd74da743a79985642acbb585605e2a1a9191b4f18d667602df88c139c45cc3acad2c00cac9a634efc38

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n69gspjk.default-release\sessionstore.jsonlz4
                Filesize

                651B

                MD5

                e1f3438305900c7aea68668abcb549b9

                SHA1

                17517004323c3f7362511bf8185fb713284820a0

                SHA256

                aea7c90bf73e4329d3f0e3da7aa68d6690aada582bb20040eb5d41cf726d7203

                SHA512

                a6e7cb20aaf3fc871517ecdd36b5a086da129d50e3ab198c64a7180e8974ecdffae2600bdf73c9f12b26798705f64432b474d5f0adda8aab5401f8408251b4cb

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n69gspjk.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                Filesize

                184KB

                MD5

                9eb79b3d53e352ef92c5c86a1b24ff21

                SHA1

                5932783b9840865da29a071ba4811377f5bd7579

                SHA256

                06969407bf1c51fb2bbba374b6b6c721223ab54503f2abccb5978e5154d57df5

                SHA512

                05fd360b46862dd9817e87b966bcc91858ebb7773a5695b1bbf4647d3d8d72b8c75e20bdc97b8e82bb63cda1abf4c4d25422d72847f16e28630ba723dda46335

                Download Submit
              • C:\Users\Admin\Downloads\0FN5hry4.luac.part
                Filesize

                148KB

                MD5

                f68f911a22031fd61e52ff06245b30b9

                SHA1

                017cd406a22f94e438799fce998f0de82d2008ad

                SHA256

                8add7b0b389fa5cfb0ebc9fc5da10c8b9c29c1068748708440f9d9e72958d4bc

                SHA512

                177a4f53feb5c0561608bd19d7ca14735be34577d4b5d89bb9e47d219c797bec1a5dc4324e5ff3e98af294030736e0b5acb64ce56d154aa4d8a008e85e9e92c7

                Download Submit