98fb90047b2f9b8efc6b83cc33189f2c57a2daeff509796334f42b6579877c4f

General

Target

ULMT Beta.exe
Size

163KB
MD5

86ee0143153b810ec3c831c82743c194
SHA1

934823e37048eba156f75e9ad19ec733e93c9edc
SHA256

98fb90047b2f9b8efc6b83cc33189f2c57a2daeff509796334f42b6579877c4f
SHA512

8746e51a2a67e22286b53e9d257eea2acf8a04cc810b6b8a4c089b12f3bb3834679bdb211b80d54790d1c7033b57770ace924369e355f307ac06cd2a1279526f
SSDEEP

3072:LahKyd2n31n5GWp1icKAArDZz4N9GhbkrNEk1crrgT:LahO/p0yN90QEk

Score

6^/10

execution persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ULMT Beta.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4220	powershell.exe
1124	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4220	powershell.exe
4220	powershell.exe
1124	powershell.exe
1124	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4220	powershell.exe
4220	powershell.exe
4220	powershell.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4220	powershell.exe
4220	powershell.exe
4220	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 1716	4820	ULMT Beta.exe	81
PID 4820 wrote to memory of 1716	4820	ULMT Beta.exe	81
PID 1716 wrote to memory of 4220	1716	cmd.exe	83
PID 1716 wrote to memory of 4220	1716	cmd.exe	83
PID 1716 wrote to memory of 1124	1716	cmd.exe	90
PID 1716 wrote to memory of 1124	1716	cmd.exe	90
PID 1716 wrote to memory of 4452	1716	cmd.exe	93
PID 1716 wrote to memory of 4452	1716	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\ULMT Beta.exe
"C:\Users\Admin\AppData\Local\Temp\ULMT Beta.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "ULMT Beta.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "[reflection.assembly]::loadwithpartialname('System.Windows.Forms');[System.Windows.Forms.NotifyIcon]$n=New-Object System.Windows.Forms.NotifyIcon;$n.Icon=[System.Drawing.SystemIcons]::Information;$n.BalloonTipTitle='ULMT Beta v1.0.5';$n.BalloonTipText='Successfully Injected!';$n.Visible=$true;$n.ShowBalloonTip(5000);Start-Sleep -Seconds 6;$n.Dispose()"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL.EXE -Command "Add-Type -AssemblyName System.Windows.Forms; [void] [System.Windows.Forms.Messagebox]::Show( 'Welcome User Enjoy Destructiom!', 'ULMT Beta V1.0.5', 'OK', 'Warning' )"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
39c16280020c86e0f9ee61f7f8e42180

SHA1
d94ce357ad7a0da168fefb168308d4aa81891da9

SHA256
be6bc99bf009d09fb46198ddf42668f4ee8aefdded68dc436374b2bc90de422e

SHA512
6ceaa51e1b0740ba7e7ff3886e8351ab0be1d37b4f266eb46571b19d658b8c63cac928130e89c11cafd7781b4c94989870abb62f48382f0f7ff9c5db2f545c8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4908ee5d334313c85d69b143b8b1dcc

SHA1
1aa86e351a8484b65685fba1de7adddbdb5b8791

SHA256
7dbf49ec6d0886da9499fc82fbeb8a62262835bff0611f54e3e782386e77942c

SHA512
3485fea625d3961b4bbe54e05b1d5ee414575f1c0b18606426ac5fcf7977b3113a38ea0eccc298728f9a9e656238ae5bbf2468a267b68356a7d131a58eb351dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ULMT Beta.bat

Filesize
53KB

MD5
87212417b30d2f4b3d30216dce9504b1

SHA1
fbd209ba1a0f2a71e052461a0cae20089e3aac0f

SHA256
0b76266a94ee008295db0c5388bdb4de51e150bce6f6d7e3e686959e5eb157cf

SHA512
1d914b6b8b226d4ad086ec4185c739c3cddff3027d33fb66f2eadd207c005d8cf0837c8fc6e397cc9d54aee85c0a8fc99d9108b6f1c4a1d7edb4adc663e12ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0apwmyzl.wbj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1124-35-0x00007FFFE62D0000-0x00007FFFE6D92000-memory.dmp

Filesize
10.8MB

Download
memory/1124-33-0x00007FFFE62D0000-0x00007FFFE6D92000-memory.dmp

Filesize
10.8MB

Download
memory/1124-31-0x00007FFFE62D0000-0x00007FFFE6D92000-memory.dmp

Filesize
10.8MB

Download
memory/1124-21-0x00007FFFE62D0000-0x00007FFFE6D92000-memory.dmp

Filesize
10.8MB

Download
memory/4220-13-0x000001F01E7C0000-0x000001F01E7E2000-memory.dmp

Filesize
136KB

Download
memory/4220-19-0x00007FFFE62D0000-0x00007FFFE6D92000-memory.dmp

Filesize
10.8MB

Download
memory/4220-16-0x00007FFFE62D0000-0x00007FFFE6D92000-memory.dmp

Filesize
10.8MB

Download
memory/4220-15-0x00007FFFE62D0000-0x00007FFFE6D92000-memory.dmp

Filesize
10.8MB

Download
memory/4220-14-0x00007FFFE62D0000-0x00007FFFE6D92000-memory.dmp

Filesize
10.8MB

Download
memory/4220-3-0x00007FFFE62D3000-0x00007FFFE62D5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads