b3847c94d840dd53c3ba7248734424f06715deacf6dd6ebb727c2f1a7de4c945

Resubmissions

14-01-2025 06:18

250114-g2qvnsyrdy 7

14-01-2025 06:15

14-01-2025 06:10

14-01-2025 06:09

03-07-2022 12:33

Analysis

max time kernel
423s
max time network
424s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ultima_Multihack.exe
Size

6.4MB
MD5

a2f01be6e514a6cd3424f9762f2c5b02
SHA1

1553dd3e3556f2c82ab312659d5184952d0b9a4e
SHA256

b3847c94d840dd53c3ba7248734424f06715deacf6dd6ebb727c2f1a7de4c945
SHA512

fa9dd15980bd80bcd250a1ac990281824f822635b8d3bb7d1d1a78958c8ec084e775735c3c14c09337076c3f4fe1185cd06cfb4cd989fcc0be78bd99c577e616
SSDEEP

196608:j6bFse+vAqC6Fe656nqpB9zDXq9frWSCuHynw:ebFsXIqje656qpB9zDa9DWSCwynw

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Ultima_Multihack.exe

Executes dropped EXE 1 IoCs

pid	Process
408	ultima.exe

Loads dropped DLL 2 IoCs

pid	Process
408	ultima.exe
408	ultima.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultima_Multihack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ultima.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 916	2656	Ultima_Multihack.exe	83
PID 2656 wrote to memory of 916	2656	Ultima_Multihack.exe	83
PID 916 wrote to memory of 408	916	cmd.exe	86
PID 916 wrote to memory of 408	916	cmd.exe	86
PID 916 wrote to memory of 408	916	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\Ultima_Multihack.exe
C:\Users\Admin\AppData\Local\Temp\Ultima_Multihack.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B239.tmp\B23A.tmp\B23B.bat C:\Users\Admin\AppData\Local\Temp\Ultima_Multihack.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\B239.tmp\ultima.exe
    ultima.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B239.tmp\B23A.tmp\B23B.bat

Filesize
48B

MD5
a703e72757cc5721f6604f29501d1fcb

SHA1
f296318971c483966d39548c7b26072c58b1cb63

SHA256
b7a7e70f4a51a62b70a08919924409d102b3d797189cca93295a24caa7fa4508

SHA512
f6c68271b63dedda9d7269d5a055b61ef68c5d9f6022e99cb1f08c1737085276c8ad63a7f79041b0076b960144cded460175b9ba09465e6641f00fff455b7764

Download Submit
C:\Users\Admin\AppData\Local\Temp\B239.tmp\Bunifu_UI_v1.5.3.dll

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B239.tmp\ultima.exe

Filesize
5.8MB

MD5
c67ec628289d5c29f6d3b925a8c0f4f9

SHA1
cf7710c70bdf807130f86241e1e6829594345fb7

SHA256
291c70fb8033924f6767371e3d5a53c896c57abc914b5729ef0a082cb63903fb

SHA512
c6ef4e80f7a84f8c675576c18e753273eb5b345843c1c6d571137adbcd66214e2284e7e3d730fa8a5c0314edbac9ab70ab9b7c0eaa1668fe22e36fde9121a97f

Download Submit
memory/408-17-0x0000000005A70000-0x0000000005B02000-memory.dmp

Filesize
584KB

Download
memory/408-15-0x00000000058C0000-0x000000000595C000-memory.dmp

Filesize
624KB

Download
memory/408-16-0x0000000005F80000-0x0000000006524000-memory.dmp

Filesize
5.6MB

Download
memory/408-14-0x0000000000950000-0x0000000000F24000-memory.dmp

Filesize
5.8MB

Download
memory/408-18-0x00000000059B0000-0x00000000059BA000-memory.dmp

Filesize
40KB

Download
memory/408-19-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/408-20-0x0000000005C00000-0x0000000005C56000-memory.dmp

Filesize
344KB

Download
memory/408-13-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/408-24-0x0000000005C60000-0x0000000005CA2000-memory.dmp

Filesize
264KB

Download
memory/408-25-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/408-26-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download