bd266e45f2eaee374e5a66cde097bd8a273f2ee6f42cf08a1e65222293263f13

General

Target

UltraAdwareKiller.exe
Size

17.0MB
MD5

c2708a1c9d281c7c0c8b9fbe79bf0343
SHA1

f21a15f0e68ee0f162f3854afc7358f4a1ae5571
SHA256

bd266e45f2eaee374e5a66cde097bd8a273f2ee6f42cf08a1e65222293263f13
SHA512

5fde87111c80ae4d0a65ffec1a1d0b1388f9e7fe0c0d33045a3173a6eb68bac3d60485d5565a56685ca52736a75d94ab45d6c66a6fc4656e3a0c0d68a76699fb
SSDEEP

393216:HX3bbsi2rqriNvbj8lHk7H+tG0SRRv3fIKploxB1ji32Q7uQuQPPP:HPtGj8lHsHRBv3Zn01WWMPPP

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2884	UltraAdwareKiller64.exe
1264	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
2252	UltraAdwareKiller.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UltraAdwareKiller.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2884	UltraAdwareKiller64.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2252	UltraAdwareKiller.exe
Token: SeBackupPrivilege	2252	UltraAdwareKiller.exe
Token: SeDebugPrivilege	2252	UltraAdwareKiller.exe
Token: SeSecurityPrivilege	2252	UltraAdwareKiller.exe
Token: SeTakeOwnershipPrivilege	2252	UltraAdwareKiller.exe
Token: SeImpersonatePrivilege	2252	UltraAdwareKiller.exe
Token: SeSystemProfilePrivilege	2252	UltraAdwareKiller.exe
Token: SeShutdownPrivilege	2252	UltraAdwareKiller.exe
Token: SeIncreaseQuotaPrivilege	2252	UltraAdwareKiller.exe
Token: SeRestorePrivilege	2884	UltraAdwareKiller64.exe
Token: SeBackupPrivilege	2884	UltraAdwareKiller64.exe
Token: SeDebugPrivilege	2884	UltraAdwareKiller64.exe
Token: SeSecurityPrivilege	2884	UltraAdwareKiller64.exe
Token: SeTakeOwnershipPrivilege	2884	UltraAdwareKiller64.exe
Token: SeImpersonatePrivilege	2884	UltraAdwareKiller64.exe
Token: SeSystemProfilePrivilege	2884	UltraAdwareKiller64.exe
Token: SeShutdownPrivilege	2884	UltraAdwareKiller64.exe
Token: SeIncreaseQuotaPrivilege	2884	UltraAdwareKiller64.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2884	2252	UltraAdwareKiller.exe	31
PID 2252 wrote to memory of 2884	2252	UltraAdwareKiller.exe	31
PID 2252 wrote to memory of 2884	2252	UltraAdwareKiller.exe	31
PID 2252 wrote to memory of 2884	2252	UltraAdwareKiller.exe	31

C:\Users\Admin\AppData\Local\Temp\UltraAdwareKiller.exe
"C:\Users\Admin\AppData\Local\Temp\UltraAdwareKiller.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\UltraAdwareKiller64.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\UltraAdwareKiller64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Ultra Adware Killer\Settings\settings.ini

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\ProgramData\Ultra Adware Killer\UAKdb.txt

Filesize
9B

MD5
90118f9284f6c2e00aaa1bbda3eac67b

SHA1
9855d85e46f712e6eede62516bd16a9cb41a650c

SHA256
200340efe503523f3a958917f49aa22677ad47abc7c4bd49a660bf4df7d8c2b3

SHA512
43ca7f1f815cebb1dfcfba7e446f75a136d0e44fb580f02b1e9966c9d222e97eebb28ea14f68ffa99dea67f33de3aff434e4a3af7a0ddc443b0b37af17bee583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a22f04ef74c8ee04e215a96a04cc40a8

SHA1
2b450427a8b9fa406871e4c3ca53e4383ceea433

SHA256
50f418b24cfbd7228382b84a4b7394004114aa875b1214147f1a30d64d627f87

SHA512
84f4ce274c15de67e8ea38f5c73bddc498652747c33bfc39a2885d1c93c36d4e7ff5ebe3b929f2070ae09d8a575a57a684160dbc66626609df88d34ffe07936f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD9CD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD9F0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\UltraAdwareKiller64.exe

Filesize
1.4MB

MD5
be1337e46729ee8520cf4a83d085a716

SHA1
e657e14cb1fd93a2b0ada61ad7ae7aa43c0adef1

SHA256
51cc0727670f79e5cd450ebd1aa5b89f8b8d842c3868128fdc9c7a483967f231

SHA512
74fe6cd26288e00f9f756c6d0886f8be86414e08e6b44f86658329c8858109ea47e8f07585d8c5f5b58f214d13a7733eb09f3dbf88fdbdc279e43c8d7a474f5d

Download Submit

Analysis

Sharing