File name:	Ulta_x64.exe
Full analysis:	https://app.any.run/tasks/c17161fa-9cc9-42d4-a32b-2c043d153b98
Verdict:	Malicious activity
Analysis date:	October 18, 2024, 04:20:21
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (console) x86-64, for MS Windows
MD5:	314A0458915B37640D34EA6F71A34152
SHA1:	DFF5781A41409D8940CC51A20659B144F0E79401
SHA256:	EC525C38A11C01D15B197E4BB60BBFCEA463AE47E60B6DCC912457CFAD98E830
SSDEEP:	786432:nD2UCIYKDAEfTrAMC0zyNxjxx3BjRAFpoH2BeNByDj:nD8IYOAEfTrpzyNxjxdBNAFpoWQNA

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2024:02:15 06:09:55+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.29
CodeSize:	23275008
InitializedDataSize:	9988608
UninitializedDataSize:	-
EntryPoint:	0x15c3968
OSVersion:	6
ImageVersion:	4.7
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	4.7.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileVersion:


(PID) Process:	(6112) Ulta_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation:	write	Name:	DisplayName
Value: Ulta
(PID) Process:	(6112) Ulta_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation:	write	Name:	DisplayVersion
Value: 1.0.0.0
(PID) Process:	(6112) Ulta_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation:	write	Name:	DisplayIcon
Value: C:\\Program Files\Ulta\maintenancetool.exe
(PID) Process:	(6112) Ulta_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation:	write	Name:	Publisher
Value: Ulta
(PID) Process:	(6112) Ulta_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation:	write	Name:	UrlInfoAbout
Value:
(PID) Process:	(6112) Ulta_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation:	write	Name:	Comments
Value: Ulta
(PID) Process:	(6112) Ulta_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation:	write	Name:	InstallDate
Value: Fri Oct 18 04:21:42 2024
(PID) Process:	(6112) Ulta_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation:	write	Name:	InstallLocation
Value: C:\\Program Files\Ulta
(PID) Process:	(6112) Ulta_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation:	write	Name:	UninstallString
Value: "C:\\Program Files\Ulta\maintenancetool.exe"
(PID) Process:	(6112) Ulta_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation:	write	Name:	ModifyPath
Value: "C:\\Program Files\Ulta\maintenancetool.exe" --manage-packages

PID	Process	Filename		Type
6132	Ulta_x64.exe	C:\Users\admin\AppData\Local\cache\qt-installer-framework\5422bdec-aa15-3725-8d91-73ece6220ecb\cache.lock		text
		MD5:36D5EF2A011F0B3E0E0FA139228BBE18	SHA256:BF174755D0DB444C42AA5C1250B0C22558AFB1D380C2FF570A28E63E5094620C
6112	Ulta_x64.exe	C:\Program Files\Ulta\mullvad-split-tunnel.cat		binary
		MD5:4B36725F5A00E040084F246094035EDE	SHA256:385C90BE86B6C934344C6D2647887182B41D7E37803DC5EABE7E0805F6210317
6112	Ulta_x64.exe	C:\Program Files\Ulta\d3dcompiler_47.dll		executable
		MD5:A7349236212B0E5CEC2978F2CFA49A1A	SHA256:A05D04A270F68C8C6D6EA2D23BEBF8CD1D5453B26B5442FA54965F90F1C62082
6132	Ulta_x64.exe	C:\Users\admin\AppData\Local\Temp\Ulta_x641234865.lock		text
		MD5:36D5EF2A011F0B3E0E0FA139228BBE18	SHA256:BF174755D0DB444C42AA5C1250B0C22558AFB1D380C2FF570A28E63E5094620C
6112	Ulta_x64.exe	C:\Program Files\Ulta\Qt6Qml.dll		executable
		MD5:53C51CA65DAB8D78427FE8525B1E5CCA	SHA256:6A4B3C4C4ECF610431622BBEFE94FA4129271C8787AEC1D55E63C72FEFEB2B62
6112	Ulta_x64.exe	C:\Program Files\Ulta\Qt6Core.dll		executable
		MD5:4B109B08AB6AE8B532BA254722B83A67	SHA256:B3FE8C06F5FF686EAB4A5784A9C36213D341809D982BF81570909FEC262907CD
6112	Ulta_x64.exe	C:\Program Files\Ulta\Qt6Network.dll		executable
		MD5:4812B1BA9956B935D541628FF79C83B9	SHA256:F2400FF51C603D8F518F069D90D9B88823192E6CAD1695D64083FE26377682ED
6112	Ulta_x64.exe	C:\Program Files\Ulta\Qt6Core5Compat.dll		executable
		MD5:B3FE7FDE16DEA4E4A4B2F5B9D9D04490	SHA256:91C5D1788A31E2AE195754B76B00E05BC1ED28042570F78F4DE2C34DE3D1F9A7
6112	Ulta_x64.exe	C:\Program Files\Ulta\Qt6Gui.dll		executable
		MD5:4D427578CE80D21926239BDE77859CBC	SHA256:1158536C723CFBCBF24F6F3443B16E42FC5473D8B1309040AA300A03408B5979
6112	Ulta_x64.exe	C:\Program Files\Ulta\Qt6LabsFolderListModel.dll		executable
		MD5:F5502B2EE28932EA994A0E325A018D07	SHA256:49B8387E01970444D4DB637F7870031762868A266A3BB8EB1F8AFF601C3AFECE

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	204	92.123.104.38:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted
—	—	POST	204	92.123.104.32:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	2.23.209.182:443	www.bing.com	Akamai International B.V.	GB	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5488	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
6944	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
www.bing.com	2.23.209.182 2.23.209.133 2.23.209.130 2.23.209.187 2.23.209.140 2.23.209.149 92.123.104.32 92.123.104.38 92.123.104.34	whitelisted
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59 51.124.78.146	whitelisted
google.com	142.250.181.238	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.49	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
self.events.data.microsoft.com	51.132.193.105	whitelisted

Process	Message
Ulta-service.exe	Amnezia "Daemon" "Daemon created"
Ulta-service.exe	Started as system service
Ulta-service.exe	Amnezia "WindowsSplitTunnel" "No Split-Tunnel Conflict detected, continue."
Ulta-service.exe	Amnezia "WindowsSplitTunnel" "Driver is not Installed, doing so"
Ulta-service.exe	Amnezia "WindowsSplitTunnel" "Driver installed"
Ulta-service.exe	Amnezia "WindowsSplitTunnel" "No Split-Tunnel Conflict detected, continue."
Ulta-service.exe	Amnezia "WindowsSplitTunnel" "Try to open Split Tunnel Driver"
Ulta-service.exe	Amnezia "WindowsUtils" "Failed to open Driver: - The system cannot find the file specified."
Ulta-service.exe	Amnezia "WindowsFirewall" "Opening the filter engine"
Ulta-service.exe	Amnezia "WindowsFirewall" "Initialised Sublayer"

General Info

Ulta_x64.exe

314A0458915B37640D34EA6F71A34152

DFF5781A41409D8940CC51A20659B144F0E79401

EC525C38A11C01D15B197E4BB60BBFCEA463AE47E60B6DCC912457CFAD98E830

786432:nD2UCIYKDAEfTrAMC0zyNxjxx3BjRAFpoH2BeNByDj:nD8IYOAEfTrpzyNxjxdBNAFpoWQNA

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Detects Cygwin installation

Starts NET.EXE for service management

SUSPICIOUS

Get information on the list of running processes

Reads security settings of Internet Explorer

Reads the date of Windows installation

Application launched itself

Process drops legitimate windows executable

Executable content was dropped or overwritten

Drops a system driver (possible attempt to evade defenses)

Starts SC.EXE for service management

Starts CMD.EXE for commands execution

Uses TASKKILL.EXE to kill process

Executes as Windows Service

Executing commands from ".cmd" file

INFO

Reads the computer name

Checks supported languages

Creates files or folders in the user directory

Reads the machine GUID from the registry

Process checks whether UAC notifications are on

Create files in a temporary directory

The process uses the downloaded file

Process checks computer location settings

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings