bd266e45f2eaee374e5a66cde097bd8a273f2ee6f42cf08a1e65222293263f13

General

Target

UltraAdwareKiller.exe
Size

17.0MB
MD5

c2708a1c9d281c7c0c8b9fbe79bf0343
SHA1

f21a15f0e68ee0f162f3854afc7358f4a1ae5571
SHA256

bd266e45f2eaee374e5a66cde097bd8a273f2ee6f42cf08a1e65222293263f13
SHA512

5fde87111c80ae4d0a65ffec1a1d0b1388f9e7fe0c0d33045a3173a6eb68bac3d60485d5565a56685ca52736a75d94ab45d6c66a6fc4656e3a0c0d68a76699fb
SSDEEP

393216:HX3bbsi2rqriNvbj8lHk7H+tG0SRRv3fIKploxB1ji32Q7uQuQPPP:HPtGj8lHsHRBv3Zn01WWMPPP

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3880	UltraAdwareKiller64.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UltraAdwareKiller.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2228	UltraAdwareKiller.exe
Token: SeBackupPrivilege	2228	UltraAdwareKiller.exe
Token: SeDebugPrivilege	2228	UltraAdwareKiller.exe
Token: SeSecurityPrivilege	2228	UltraAdwareKiller.exe
Token: SeTakeOwnershipPrivilege	2228	UltraAdwareKiller.exe
Token: SeImpersonatePrivilege	2228	UltraAdwareKiller.exe
Token: SeSystemProfilePrivilege	2228	UltraAdwareKiller.exe
Token: SeShutdownPrivilege	2228	UltraAdwareKiller.exe
Token: SeIncreaseQuotaPrivilege	2228	UltraAdwareKiller.exe
Token: SeRestorePrivilege	3880	UltraAdwareKiller64.exe
Token: SeBackupPrivilege	3880	UltraAdwareKiller64.exe
Token: SeDebugPrivilege	3880	UltraAdwareKiller64.exe
Token: SeSecurityPrivilege	3880	UltraAdwareKiller64.exe
Token: SeTakeOwnershipPrivilege	3880	UltraAdwareKiller64.exe
Token: SeImpersonatePrivilege	3880	UltraAdwareKiller64.exe
Token: SeSystemProfilePrivilege	3880	UltraAdwareKiller64.exe
Token: SeShutdownPrivilege	3880	UltraAdwareKiller64.exe
Token: SeIncreaseQuotaPrivilege	3880	UltraAdwareKiller64.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 3880	2228	UltraAdwareKiller.exe	89
PID 2228 wrote to memory of 3880	2228	UltraAdwareKiller.exe	89

C:\Users\Admin\AppData\Local\Temp\UltraAdwareKiller.exe
"C:\Users\Admin\AppData\Local\Temp\UltraAdwareKiller.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\UltraAdwareKiller64.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\UltraAdwareKiller64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Ultra Adware Killer\Settings\settings.ini

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\ProgramData\Ultra Adware Killer\UAKdb.txt

Filesize
9B

MD5
90118f9284f6c2e00aaa1bbda3eac67b

SHA1
9855d85e46f712e6eede62516bd16a9cb41a650c

SHA256
200340efe503523f3a958917f49aa22677ad47abc7c4bd49a660bf4df7d8c2b3

SHA512
43ca7f1f815cebb1dfcfba7e446f75a136d0e44fb580f02b1e9966c9d222e97eebb28ea14f68ffa99dea67f33de3aff434e4a3af7a0ddc443b0b37af17bee583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D6E2330B1723FACB0955B460D99C4EBD

Filesize
471B

MD5
8db0330aa761b10b114378c0c42c37c8

SHA1
c8c8e1284e69b50313b2bde6a3adebfb40270c08

SHA256
6e1f8bbbedc899f2ff2cfee9dfde23e48a9a71c578b54024382158816a813e1c

SHA512
1716add674703e29dc506a3f0784e9abf93236b5354a9c2f01d1de946f844df23add39ecc0d5a736c683b0f3713e9608f2dd194e561fa0a0b2ba9057e590f1cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_F24AE254AC712022CD7275ECC89876F9

Filesize
471B

MD5
6b3e71d39311ca29fb76d2dfdaa84774

SHA1
8a2e5c86eea058587951818db14312e94e89004e

SHA256
dd4402ea2cdfe9262ef2427bdb67c32eb7a4705ed830c5e0d819500bf01e9eef

SHA512
250f895472ee42b7e17dc42b2aef46fc1aa814788fcdbee4d3df26700b17b92243f63b0f44ff51ec06bda71eecc8a0c10c0cdea8d062a395e7fd381f2fe6269e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D6E2330B1723FACB0955B460D99C4EBD

Filesize
420B

MD5
974d63c171a40309f1defcc2e6bb4437

SHA1
d58d18235b19a12726cf7643559e8016d7771525

SHA256
69ff49d65830ff5b038f7f95b3e029f44d0efde643d74dc4c9dc26b12065d873

SHA512
1437950429692943f9ab7c0629a3e2d868809a46e8e1ed8041b467c633ef8931c64c3290dad24606529c571a68581d8b1a542b8c9e76508912af464693df5b22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_F24AE254AC712022CD7275ECC89876F9

Filesize
416B

MD5
ada65fb857f7fc25bc6e1273cc4570e1

SHA1
07877ba6b2b11405d487eaa4d74cdc50a1e07ac1

SHA256
0a196895d9d947186b4daa1d816bfeac3f33da58afc8ee76e8b8ee245bdb8df2

SHA512
8ff8b8acf433de115dfdcb807483e45c2c7a9aa4905ba8bbae64da562ee2d7c18bafeef62e103b65b02da94203cc4b3a32aaa55d4e62f734701f1dce3b1f874e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltraAdwareKiller64.exe

Filesize
1.4MB

MD5
be1337e46729ee8520cf4a83d085a716

SHA1
e657e14cb1fd93a2b0ada61ad7ae7aa43c0adef1

SHA256
51cc0727670f79e5cd450ebd1aa5b89f8b8d842c3868128fdc9c7a483967f231

SHA512
74fe6cd26288e00f9f756c6d0886f8be86414e08e6b44f86658329c8858109ea47e8f07585d8c5f5b58f214d13a7733eb09f3dbf88fdbdc279e43c8d7a474f5d

Download Submit

Analysis

Sharing