File name:

Ulta_x64.exe

Full analysis: https://app.any.run/tasks/c17161fa-9cc9-42d4-a32b-2c043d153b98
Verdict: Malicious activity
Analysis date: October 18, 2024, 04:20:21
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5:

314A0458915B37640D34EA6F71A34152

SHA1:

DFF5781A41409D8940CC51A20659B144F0E79401

SHA256:

EC525C38A11C01D15B197E4BB60BBFCEA463AE47E60B6DCC912457CFAD98E830

SSDEEP:

786432:nD2UCIYKDAEfTrAMC0zyNxjxx3BjRAFpoH2BeNByDj:nD8IYOAEfTrpzyNxjxdBNAFpoWQNA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Detects Cygwin installation

      • Ulta_x64.exe (PID: 6112)
    • Starts NET.EXE for service management

      • Ulta_x64.exe (PID: 6112)
      • net.exe (PID: 4208)
  • SUSPICIOUS

    • Get information on the list of running processes

      • Ulta_x64.exe (PID: 6132)
    • Reads security settings of Internet Explorer

      • Ulta_x64.exe (PID: 6132)
    • Reads the date of Windows installation

      • Ulta_x64.exe (PID: 6132)
    • Application launched itself

      • Ulta_x64.exe (PID: 6132)
    • Process drops legitimate windows executable

      • Ulta_x64.exe (PID: 6112)
    • Executable content was dropped or overwritten

      • Ulta_x64.exe (PID: 6112)
    • Drops a system driver (possible attempt to evade defenses)

      • Ulta_x64.exe (PID: 6112)
    • Starts SC.EXE for service management

      • Ulta_x64.exe (PID: 6112)
      • cmd.exe (PID: 2724)
    • Starts CMD.EXE for commands execution

      • Ulta_x64.exe (PID: 6112)
    • Executes as Windows Service

      • Ulta-service.exe (PID: 1452)
    • Executing commands from ".cmd" file

      • Ulta_x64.exe (PID: 6112)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2724)
  • INFO

    • Reads the computer name

      • Ulta_x64.exe (PID: 6132)
      • Ulta_x64.exe (PID: 6112)
    • Checks supported languages

      • Ulta_x64.exe (PID: 6132)
      • Ulta_x64.exe (PID: 6112)
    • Creates files or folders in the user directory

      • Ulta_x64.exe (PID: 6132)
    • Create files in a temporary directory

      • Ulta_x64.exe (PID: 6132)
      • Ulta_x64.exe (PID: 6112)
    • Reads the machine GUID from the registry

      • Ulta_x64.exe (PID: 6132)
      • Ulta_x64.exe (PID: 6112)
    • Process checks whether UAC notifications are on

      • Ulta_x64.exe (PID: 6132)
    • The process uses the downloaded file

      • Ulta_x64.exe (PID: 6132)
    • Process checks computer location settings

      • Ulta_x64.exe (PID: 6132)
    • Creates files in the program directory

      • Ulta_x64.exe (PID: 6112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:02:15 06:09:55+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 23275008
InitializedDataSize: 9988608
UninitializedDataSize: -
EntryPoint: 0x15c3968
OSVersion: 6
ImageVersion: 4.7
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 4.7.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 17
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in graph order (root node "start"): ulta_x64.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), conhost.exe (no specs), ulta_x64.exe, conhost.exe (no specs), sc.exe (no specs), cmd.exe (no specs), sc.exe (no specs), sc.exe (no specs), taskkill.exe (no specs), taskkill.exe (no specs), net.exe (no specs), net1.exe (no specs), ulta-service.exe, sc.exe (no specs), ulta.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1452
CMD: "C:\\Program Files\Ulta\Ulta-service.exe"
Path: C:\Program Files\Ulta\Ulta-service.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Modules
Images
c:\program files\ulta\ulta-service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\msvcrt.dll
PID: 2724
CMD: cmd /c "C:\\Program Files\Ulta\post_install.cmd"
Path: C:\Windows\System32\cmd.exe
Parent process: Ulta_x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 3276
CMD: C:\WINDOWS\system32\net1 start Ulta-service
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\netutils.dll
c:\windows\system32\samcli.dll
PID: 3396
CMD: sc failure Ulta-service reset= 100 actions= restart/2000/restart/2000/restart/2000
Path: C:\Windows\System32\sc.exe
Parent process: Ulta_x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 3844
CMD: sc create Ulta-service binpath= "C:\\Program Files\Ulta\Ulta-service.exe" start= auto depend= BFE/nsi
Path: C:\Windows\System32\sc.exe
Parent process: Ulta_x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 4208
CMD: net start Ulta-service
Path: C:\Windows\System32\net.exe
Parent process: Ulta_x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5892
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Ulta_x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6112
CMD: "C:\Users\admin\Desktop\Ulta_x64.exe" --start-server PRODUCTION,{57503137-f879-41b1-9635-5cc56e8074b5},{69eb1365-1c70-4075-b1ee-d1bd82b0532b}
Path: C:\Users\admin\Desktop\Ulta_x64.exe
Parent process: Ulta_x64.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\desktop\ulta_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 6132
CMD: "C:\Users\admin\Desktop\Ulta_x64.exe"
Path: C:\Users\admin\Desktop\Ulta_x64.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\ulta_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 6164
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: tasklist.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 2 237
Read events: 2 221
Write events: 16
Delete events: 0

Modification events

(PID) Process: (6112) Ulta_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation: write
Name: DisplayName
Value: Ulta

(PID) Process: (6112) Ulta_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation: write
Name: DisplayVersion
Value: 1.0.0.0

(PID) Process: (6112) Ulta_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation: write
Name: DisplayIcon
Value: C:\\Program Files\Ulta\maintenancetool.exe

(PID) Process: (6112) Ulta_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation: write
Name: Publisher
Value: Ulta

(PID) Process: (6112) Ulta_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation: write
Name: UrlInfoAbout
Value:

(PID) Process: (6112) Ulta_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation: write
Name: Comments
Value: Ulta

(PID) Process: (6112) Ulta_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation: write
Name: InstallDate
Value: Fri Oct 18 04:21:42 2024

(PID) Process: (6112) Ulta_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation: write
Name: InstallLocation
Value: C:\\Program Files\Ulta

(PID) Process: (6112) Ulta_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation: write
Name: UninstallString
Value: "C:\\Program Files\Ulta\maintenancetool.exe"

(PID) Process: (6112) Ulta_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{de0761d2-486c-4b5d-a36c-16c1974611f1}
Operation: write
Name: ModifyPath
Value: "C:\\Program Files\Ulta\maintenancetool.exe" --manage-packages
Executable files: 121
Suspicious files: 85
Text files: 491
Unknown types: 2

Dropped files

PID | Process | Filename | Type
6132 | Ulta_x64.exe | C:\Users\admin\AppData\Local\Temp\Ulta_x641234865.lock | text
MD5: 36D5EF2A011F0B3E0E0FA139228BBE18
SHA256: BF174755D0DB444C42AA5C1250B0C22558AFB1D380C2FF570A28E63E5094620C
6112 | Ulta_x64.exe | C:\Program Files\Ulta\post_uninstall.cmd | text
MD5: E8875E0931FE100878ECD0C5797EA670
SHA256: 1CA31ECFDF108C5F24E158B09CAE6E409DD9CC9C80B06FAA1E1D80AD6474D778
6112 | Ulta_x64.exe | C:\Program Files\Ulta\mullvad-split-tunnel.inf | binary
MD5: 8E5E79A0409AF7435924DF8256ACA512
SHA256: A9500015B0C93C96D6859E942CF76B6B637653F46ADDEE11BB07AF0C1EA6E879
6112 | Ulta_x64.exe | C:\Program Files\Ulta\opengl32sw.dll | executable
MD5: 83BBECF92FB68795A620B395998B131B
SHA256: B04DE4541863BC7D8879040A78889C4849C1B1DA2784C4630F734C146C2998CE
6112 | Ulta_x64.exe | C:\Program Files\Ulta\d3dcompiler_47.dll | executable
MD5: A7349236212B0E5CEC2978F2CFA49A1A
SHA256: A05D04A270F68C8C6D6EA2D23BEBF8CD1D5453B26B5442FA54965F90F1C62082
6132 | Ulta_x64.exe | C:\Users\admin\AppData\Local\cache\qt-installer-framework\5422bdec-aa15-3725-8d91-73ece6220ecb\cache.lock | text
MD5: 36D5EF2A011F0B3E0E0FA139228BBE18
SHA256: BF174755D0DB444C42AA5C1250B0C22558AFB1D380C2FF570A28E63E5094620C
6112 | Ulta_x64.exe | C:\Program Files\Ulta\mullvad-split-tunnel.cat | binary
MD5: 4B36725F5A00E040084F246094035EDE
SHA256: 385C90BE86B6C934344C6D2647887182B41D7E37803DC5EABE7E0805F6210317
6112 | Ulta_x64.exe | C:\Program Files\Ulta\mullvad-split-tunnel.sys | executable
MD5: FE94A7529C2EBA6C17DD0EA4363A11E3
SHA256: 8BDC9FC6AA1203E444A2D6E3A564CF8DD8F7EC9DB850F0095B9D33E16B96AFF5
6112 | Ulta_x64.exe | C:\Program Files\Ulta\post_install.cmd | text
MD5: D1C649755C5528DC1C30BB313AE1D533
SHA256: D3ED4D83A4E04A822A53D1D8712E8025304AF708FEB4712167BF76492FF724E8
6112 | Ulta_x64.exe | C:\Program Files\Ulta\Qt6Core.dll | executable
MD5: 4B109B08AB6AE8B532BA254722B83A67
SHA256: B3FE8C06F5FF686EAB4A5784A9C36213D341809D982BF81570909FEC262907CD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 22
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 204 | 92.123.104.38:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted
- | - | POST | 204 | 92.123.104.32:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 2.23.209.182:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4020 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
6944 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.182
  • 2.23.209.133
  • 2.23.209.130
  • 2.23.209.187
  • 2.23.209.140
  • 2.23.209.149
  • 92.123.104.32
  • 92.123.104.38
  • 92.123.104.34
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
self.events.data.microsoft.com
  • 51.132.193.105
whitelisted

Threats

No threats detected
Process | Message
Ulta-service.exe | Amnezia "Daemon" "Daemon created"
Ulta-service.exe | Started as system service
Ulta-service.exe | Amnezia "WindowsSplitTunnel" "No Split-Tunnel Conflict detected, continue."
Ulta-service.exe | Amnezia "WindowsSplitTunnel" "Driver is not Installed, doing so"
Ulta-service.exe | Amnezia "WindowsSplitTunnel" "Driver installed"
Ulta-service.exe | Amnezia "WindowsSplitTunnel" "No Split-Tunnel Conflict detected, continue."
Ulta-service.exe | Amnezia "WindowsSplitTunnel" "Try to open Split Tunnel Driver"
Ulta-service.exe | Amnezia "WindowsUtils" "Failed to open Driver: - The system cannot find the file specified."
Ulta-service.exe | Amnezia "WindowsFirewall" "Opening the filter engine"
Ulta-service.exe | Amnezia "WindowsFirewall" "Initialised Sublayer"