Analysis Overview
SHA256
cf21cb5e211d67c2fd4f9da05036d6654f412756dbce68c171932eba347e6a14
Threat Level: Known bad
The file UltraHook.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Drops startup file
Loads dropped DLL
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:21
Reported
2024-06-01 07:24
Platform
win10-20240404-en
Max time kernel
149s
Max time network
147s
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\UltraHook\hl2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\UltraHook\uh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\UltraHook\hl2.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | C:\Windows\System32\bcastdvr.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 5.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 5.tcp.eu.ngrok.io | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| 11 identical hits recorded | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\UltraHook\hl2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\GamePanel.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\System32\GamePanel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\GamePanel.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\System32\GamePanel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Users\Admin\AppData\Local\Temp\UltraHook.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Users\Admin\AppData\Local\Temp\UltraHook.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UltraHook.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\UltraHook.exe
"C:\Users\Admin\AppData\Local\Temp\UltraHook.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\UltraHook\hl2.exe
"C:\Users\Admin\Desktop\UltraHook\hl2.exe"
C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 000000000005022C /startuptips
C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
C:\Users\Admin\Desktop\UltraHook\uh.exe
"C:\Users\Admin\Desktop\UltraHook\uh.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f8
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 636
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
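The four powershell.exe entries above carve the dropped svchost.exe out of Microsoft Defender with Add-MpPreference, and their recorded image path (SysWOW64) differs from the path on the command line (System32) because a 32-bit parent launched them under WoW64 file-system redirection. The script below is an added example, not part of this report or of the sandbox's own detection logic. It transcribes a subset of the process records into a constructed list and flags three patterns: a core Windows binary name (svchost.exe) running outside the system directories, Defender exclusions added from a command line, and the WoW64 redirect. The SYSTEM_NAMES set, the regex and the finding format are assumptions of the example.

```python
"""Added example: flag Defender-exclusion tampering, masquerading and WoW64
redirection in a list of process records. Not the sandbox's own logic; the
records below are transcribed from the Processes section of the report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    image: str    # image path as the sandbox recorded it
    cmdline: str  # command line as launched


# Constructed sample: a subset of the report's Processes section.
SAMPLE_PROCS = [
    Proc(r"C:\Users\Admin\AppData\Local\Temp\UltraHook.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\UltraHook.exe"'),
    Proc(r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'),
    Proc(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
         r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'"),
    Proc(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
         r"Add-MpPreference -ExclusionProcess 'svchost.exe'"),
    Proc(r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /4'),
]

# Assumed list of binary names that only ever run from the system directories.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Add-MpPreference exclusion switches and the quoted or bare value that follows.
MP_EXCLUSION = re.compile(
    r"add-mppreference\s+-(exclusionpath|exclusionprocess|exclusionextension|exclusionipaddress)"
    r"\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)


def _image_name(path):
    return path.lower().rsplit("\\", 1)[-1]


def find_masquerading(procs):
    """Images carrying a core Windows name but living outside System32/SysWOW64."""
    return [p.image for p in procs
            if _image_name(p.image) in SYSTEM_NAMES
            and not p.image.lower().startswith(SYSTEM_DIRS)]


def find_defender_exclusions(procs):
    """(kind, value) for every Add-MpPreference exclusion seen on a command line."""
    found = []
    for p in procs:
        m = MP_EXCLUSION.search(p.cmdline)
        if m:
            found.append((m.group(1).lower(), m.group(2) or m.group(3) or m.group(4)))
    return found


def _first_token(cmdline):
    """The executable named on the command line, quoted or bare."""
    if cmdline.startswith('"'):
        return cmdline.split('"', 2)[1]
    return cmdline.split(None, 1)[0]


def find_wow64_redirects(procs):
    """Command line names System32 but the recorded image is under SysWOW64:
    the parent was a 32-bit process and WoW64 redirected the path."""
    return [p.image for p in procs
            if _first_token(p.cmdline).lower().startswith("c:\\windows\\system32\\")
            and p.image.lower().startswith("c:\\windows\\syswow64\\")]


def triage(procs):
    """Ordered findings. An exclusion that covers a masquerading binary is the
    strongest signal: the malware excludes itself from Defender before running."""
    masq = find_masquerading(procs)
    findings = [f"masquerade: {img}" for img in masq]
    covered = {m.lower() for m in masq} | {_image_name(m) for m in masq}
    for kind, value in find_defender_exclusions(procs):
        tag = " [covers masquerading binary]" if value.lower() in covered else ""
        findings.append(f"defender-exclusion({kind}): {value}{tag}")
    findings.extend(f"wow64-redirect: {img}" for img in find_wow64_redirects(procs))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_PROCS):
        print(line)
```

On a live host the same checks map onto Get-MpPreference (ExclusionPath, ExclusionProcess) and the process creation log; the WoW64 mismatch is a useful secondary signal because a 64-bit administrator's script would not normally land in SysWOW64.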
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 18.158.58.205:10369 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 205.58.158.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.251.17.2.in-addr.arpa | udp |
| DE | 18.158.58.205:10369 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| DE | 18.158.58.205:10369 | 5.tcp.eu.ngrok.io | tcp |
| DE | 18.158.58.205:10369 | 5.tcp.eu.ngrok.io | tcp |
| DE | 18.158.58.205:10369 | 5.tcp.eu.ngrok.io | tcp |
| DE | 18.158.58.205:10369 | 5.tcp.eu.ngrok.io | tcp |
| DE | 18.158.58.205:10369 | 5.tcp.eu.ngrok.io | tcp |
| DE | 18.158.58.205:10369 | 5.tcp.eu.ngrok.io | tcp |
| DE | 18.158.58.205:10369 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.127.181.115:10369 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 115.181.127.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| DE | 3.127.181.115:10369 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.127.181.115:10369 | 5.tcp.eu.ngrok.io | tcp |
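The table above shows the order a practitioner looks for: a paste fetched over TLS from pastebin.com, then repeated TCP connections to an ngrok TCP tunnel endpoint (5.tcp.eu.ngrok.io:10369, resolving to two different AWS addresses), with an ip-api.com lookup alongside. The report does not show the paste contents, so the role labels in the script below are assumptions about how these services are typically abused, not facts established by the sandbox. The script is an added example, not part of the report: it parses a constructed subset of the network table in the same column layout, ignores the sandbox's own reverse (in-addr.arpa) lookups, labels the abused public services, and ranks C2 candidates by connection count so that beaconing to a tunnel on a non-standard port stands out.

```python
"""Added example: triage the sandbox's network table for abused public
services and C2 candidates. Not the sandbox's own logic; the rows below are
a constructed subset of the Network section of the report."""
from collections import Counter

# Constructed subset of the report's Network table (same column layout).
SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 18.158.58.205:10369 | 5.tcp.eu.ngrok.io | tcp |
| DE | 18.158.58.205:10369 | 5.tcp.eu.ngrok.io | tcp |
| DE | 18.158.58.205:10369 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 205.58.158.18.in-addr.arpa | udp |
| DE | 3.127.181.115:10369 | 5.tcp.eu.ngrok.io | tcp |
"""

# Assumed role table: how each public service is typically abused by commodity
# RATs. Suffix match, so subdomains such as 5.tcp.eu.ngrok.io count.
SERVICE_ROLES = {
    "pastebin.com": "dead-drop resolver (C2 address typically fetched from a paste)",
    "ngrok.io": "tunnel service (operator host exposed through an ngrok TCP tunnel)",
    "ip-api.com": "external IP lookup (victim geolocation)",
    "discordapp.com": "CDN abused for payload hosting",
}
TUNNEL_SUFFIXES = ("ngrok.io",)
COMMON_PORTS = {80, 443}


def parse_rows(table):
    """Markdown table rows -> dicts; the header row and blank lines are skipped."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify_domain(domain):
    """Role string for a known-abused service, else None."""
    for suffix, role in SERVICE_ROLES.items():
        if domain == suffix or domain.endswith("." + suffix):
            return role
    return None


def summarize(rows):
    """Roles of abused services, ranked C2 candidates, and reverse-lookup noise."""
    roles, endpoints, reverse = {}, Counter(), 0
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            reverse += 1          # sandbox PTR lookups, not malware behaviour
            continue
        role = classify_domain(r["domain"])
        if role:
            roles[r["domain"]] = role
        if r["proto"] != "tcp":
            continue              # DNS rows give the name, not the channel
        tunnel = r["domain"].endswith(TUNNEL_SUFFIXES)
        if tunnel or r["port"] not in COMMON_PORTS:
            endpoints[(f'{r["host"]}:{r["port"]}', r["domain"])] += 1
    ranked = sorted(endpoints.items(), key=lambda kv: (-kv[1], kv[0]))
    return {
        "roles": roles,
        "c2_candidates": [(dest, dom, n) for (dest, dom), n in ranked],
        "reverse_lookups_ignored": reverse,
    }


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_TABLE))
    for dom, role in summary["roles"].items():
        print(f"{dom}: {role}")
    for dest, dom, n in summary["c2_candidates"]:
        print(f"C2 candidate {dest} ({dom}) seen {n} times")
```

Blocking the ngrok endpoint IP alone is weak, since the tunnel hostname resolved to two addresses within one run; the durable indicators are the tunnel hostname and port together with the pastebin fetch that precedes it.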
Files
C:\Users\Admin\Desktop\UltraHook\hl2.exe
| MD5 | 7c271bbd974c760f516f1c9f9b61e0f2 |
| SHA1 | a1c9b9f1a9cc568ed707d880f78d16ce6d60ab4f |
| SHA256 | 4a06de84351ffbccc9bb1575c21142074c240f54902557e13e40ba037976d25f |
| SHA512 | f640b9f1eea0e5374522da490bd318bd17528f12d85ef1bd1566594c0d645de11cd1449fceadaa6751540dc95b2b3599b38a32f9bfa5700d75d81989095935e8 |
C:\Users\Admin\Videos\Captures\desktop.ini
| MD5 | b0d27eaec71f1cd73b015f5ceeb15f9d |
| SHA1 | 62264f8b5c2f5034a1e4143df6e8c787165fbc2f |
| SHA256 | 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2 |
| SHA512 | 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c |
C:\Users\Admin\Desktop\UltraHook\uh.exe
| MD5 | 25f2b0f9bf0237cb70c612a00509badc |
| SHA1 | 9f70d93c311314a506f4e102087c9c4213234390 |
| SHA256 | db1617ad28eae2935ea86e47a357ea8c0c460b228f3677901dc61af19a160684 |
| SHA512 | dfc82b0fc9eea24ec5d11f9e2497174116cae18b201292b4dc96b5ecce2fcfe00dd3f538dec2b0086cb4bece1d210d7a806d0d6a4384a7273943b15453d170a3 |
memory/4632-31-0x0000000000EF0000-0x0000000000F10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | 09633ffe1d3b4c7a747e4408f8efbce5 |
| SHA1 | 1204d7963755d1d126b4b37110b3ce9aa363be26 |
| SHA256 | a05bf5a2ce5ede067135335270d9baf3d01b11589262d484b549ecfc6ed18afb |
| SHA512 | 63bfca8dca0e438b8eef2ba4ad5aafcb2369793cb5c1c979b2b4090ad1153c540372ec274cc1a9fd4f4fc85e142e2e6eb7a7b4780106c9d7189a9ece89a6bb60 |
memory/2384-40-0x0000000000970000-0x0000000000CE8000-memory.dmp
\Users\Admin\Desktop\UltraHook\uh.dll
| MD5 | dee522e807bdfd9b79db03ff6e90116a |
| SHA1 | 249685a1c7aa3b0fb526a3d21d163f41f1881217 |
| SHA256 | 7461010af30c604682fdda59b421291a4bd13820b9511734b9f850ed286adaf4 |
| SHA512 | 04fabe0e63dd56a7036e43dea4e19428199e67b5276596f2e28e91a35da3567424c011ffb83d3c76b8958999218321d2a635c50c1b89b6e9035e312775db07c2 |
memory/2384-45-0x0000000000970000-0x0000000000CE8000-memory.dmp
memory/2384-44-0x0000000000970000-0x0000000000CE8000-memory.dmp
memory/2384-48-0x0000000006200000-0x000000000629C000-memory.dmp
memory/2384-49-0x00000000062A0000-0x0000000006306000-memory.dmp
memory/2768-52-0x0000000004800000-0x0000000004836000-memory.dmp
memory/2768-53-0x0000000007450000-0x0000000007A78000-memory.dmp
memory/2768-54-0x0000000007250000-0x0000000007272000-memory.dmp
memory/2768-55-0x00000000072F0000-0x0000000007356000-memory.dmp
memory/2768-56-0x0000000007CE0000-0x0000000008030000-memory.dmp
memory/2768-57-0x0000000007C80000-0x0000000007C9C000-memory.dmp
memory/2768-58-0x0000000008040000-0x000000000808B000-memory.dmp
memory/2768-59-0x0000000008350000-0x00000000083C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tthg411a.k1u.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2768-76-0x00000000093C0000-0x00000000093F3000-memory.dmp
memory/2768-77-0x000000006E240000-0x000000006E28B000-memory.dmp
memory/2768-78-0x00000000093A0000-0x00000000093BE000-memory.dmp
memory/2768-83-0x0000000009500000-0x00000000095A5000-memory.dmp
memory/2768-84-0x0000000009730000-0x00000000097C4000-memory.dmp
memory/2768-277-0x0000000009690000-0x00000000096AA000-memory.dmp
memory/2768-282-0x0000000009670000-0x0000000009678000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 974ad918567d85b0b05f625c163f6179 |
| SHA1 | 6a6518481192c1d131d3bcae7cb5703203105c34 |
| SHA256 | 45d525ec9dbc9579eeb8bfe2b7e33a8a6554bcf13fe7089c3a8ab07d297063f5 |
| SHA512 | 685014d63a71e40dabbe00cd169c1110425f357c4aa0be6f38f59407d9b31f021eb1329452907405e8eab063cca1ff0e2d7f024bf6f692130cf67a4214420724 |
memory/4960-318-0x000000006E240000-0x000000006E28B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 108fd55c5964b6ddb685e736b1a0a526 |
| SHA1 | ee7227f5cfc7817ceb1cc92ea0209f83fc22853b |
| SHA256 | ece2baf832bcb7231c634ad8f180c65c50bc77f1df5f60ba4ab507351ec39e75 |
| SHA512 | 5f3abfb0570292a62729f7f924ec2c80b1ccad46fc7dfc91df9b9d648383e3447a2d3bd693b82195cd8517a50608ef5c2f7ec61a0bc808fecc67f5d2efb22488 |
memory/4920-552-0x000000006E240000-0x000000006E28B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 48c51c38e52b8dd821307498a6a87a36 |
| SHA1 | 2a0177d0b03f9393ffbb7e031aab7036f432b987 |
| SHA256 | f1881bef8d770cec5089449168708c78498447a42499b276b68446c1ea32dbfc |
| SHA512 | 8ba275fbf51593e502cab67449414e3d5a01b1ca57e8e0735bc10c8cf11aa379048ec4999c7b7b0781942247df99ee12c0c12a3cf867e1f3b0ed2b4dea788c9e |
memory/3160-787-0x000000006E240000-0x000000006E28B000-memory.dmp
memory/2384-1007-0x0000000000970000-0x0000000000CE8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
| MD5 | 4434bce1cc04fec99fc83160c0630311 |
| SHA1 | d7db2b7a9f7cf331dd5a7e65bc752da11490b3d6 |
| SHA256 | f87e288c5e76832f4fc845568645f0812766b196db7f43a08f94f6a9df820cc6 |
| SHA512 | b88b8e36093ed0ca4fb62fd38ecb59b304ade6d0036d029b0b0de52c19a72c0c55fead3dac3da62f315377a7dfc204653635a11a412e26117d880f439fd1c5c1 |