4558e5347818874f767466464daa78d5fcbf4180e2e4214e8bcd241cf8cf4288

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Furk-Ultra-main/Bypass.bat
Size

61B
MD5

ed9b8d9a7a6855bd7542906c89df7d59
SHA1

2fb50de53bb455b43cfe3f52032b245c2c50a3fc
SHA256

c29fe90eeae955d900405ff44043bdba6d2b76504a1f606dd87f97bcfd61ffa6
SHA512

bf2f3138353973f64ac93971fbf50e8ed8f6fb21d38f4c5a7940fb7077323df424da54c9ddcf172280dee97b0caa052eda09466dfc3e3bcc318235d97ff15219

Score

7^/10

discovery upx

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2660	Bypass.exe
680	Bypass1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019387-23.dat	upx
behavioral1/files/0x000500000001c85e-138.dat	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1060	2236	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FurkUltra.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2236	FurkUltra.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe
2236	FurkUltra.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	FurkUltra.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2236	3004	cmd.exe	31
PID 3004 wrote to memory of 2236	3004	cmd.exe	31
PID 3004 wrote to memory of 2236	3004	cmd.exe	31
PID 3004 wrote to memory of 2236	3004	cmd.exe	31
PID 3004 wrote to memory of 2684	3004	cmd.exe	32
PID 3004 wrote to memory of 2684	3004	cmd.exe	32
PID 3004 wrote to memory of 2684	3004	cmd.exe	32
PID 2684 wrote to memory of 2660	2684	Bypass.exe	33
PID 2684 wrote to memory of 2660	2684	Bypass.exe	33
PID 2684 wrote to memory of 2660	2684	Bypass.exe	33
PID 3004 wrote to memory of 2568	3004	cmd.exe	34
PID 3004 wrote to memory of 2568	3004	cmd.exe	34
PID 3004 wrote to memory of 2568	3004	cmd.exe	34
PID 2568 wrote to memory of 680	2568	Bypass1.exe	35
PID 2568 wrote to memory of 680	2568	Bypass1.exe	35
PID 2568 wrote to memory of 680	2568	Bypass1.exe	35
PID 2236 wrote to memory of 1060	2236	FurkUltra.exe	36
PID 2236 wrote to memory of 1060	2236	FurkUltra.exe	36
PID 2236 wrote to memory of 1060	2236	FurkUltra.exe	36
PID 2236 wrote to memory of 1060	2236	FurkUltra.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\Bypass.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\FurkUltra.exe
  FurkUltra.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1288
    3⤵
    - Program crash
    PID:1060
- C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\bin\Bypass.exe
  Bypass.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\bin\Bypass.exe
    Bypass.exe
    3⤵
    - Loads dropped DLL
    PID:2660
- C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\bin\Bypass1.exe
  Bypass1.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\bin\Bypass1.exe
    Bypass1.exe
    3⤵
    - Loads dropped DLL
    PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI25682\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
memory/680-148-0x000007FEF5D80000-0x000007FEF61EE000-memory.dmp

Filesize
4.4MB

Download
memory/680-141-0x000007FEF5D80000-0x000007FEF61EE000-memory.dmp

Filesize
4.4MB

Download
memory/2236-144-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2236-140-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2236-142-0x0000000004860000-0x0000000004910000-memory.dmp

Filesize
704KB

Download
memory/2236-143-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2236-0-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/2236-145-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/2236-146-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2236-11-0x0000000000FC0000-0x00000000010B0000-memory.dmp

Filesize
960KB

Download
memory/2660-25-0x000007FEF5C00000-0x000007FEF61E9000-memory.dmp

Filesize
5.9MB

Download
memory/2660-147-0x000007FEF5C00000-0x000007FEF61E9000-memory.dmp

Filesize
5.9MB

Download