94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab

General

Target

94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe
Size

197KB
MD5

039ce25d495fa555ae1c210592b564d0
SHA1

6684d0ffde174052a03931981262dc0a7cb9891c
SHA256

94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab
SHA512

c2be8d6b80e57339957f370b4ac31bd03140f9a9ed4865926eb6d7e5a69d3510b046930c1933d38629b4c3bcae007b6cf5e6140463ab6e064820cdd91bbd46bb

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

edta.exe

pid process

328 edta.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Awym\edta.exe	upx
C:\Users\Admin\AppData\Roaming\Awym\edta.exe	upx
C:\Users\Admin\AppData\Roaming\Awym\edta.exe	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

432 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe

pid process

1716 94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe

pid	process
432	cmd.exe

pid	process
1716	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

edta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\Currentversion\Run	edta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\{8312DD2C-C7DA-6404-07BE-57994C93C992} = "C:\\Users\\Admin\\AppData\\Roaming\\Awym\\edta.exe"	edta.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exeedta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	edta.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	edta.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe

description pid process target process

PID 1716 set thread context of 432 1716 94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe cmd.exe

description	pid	process	target process
PID 1716 set thread context of 432	1716	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Privacy	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

edta.exe

pid	process
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe
328	edta.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe

description pid process

Token: SeSecurityPrivilege 1716 94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe

description	pid	process
Token: SeSecurityPrivilege	1716	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exeedta.exe

description	pid	process	target process
PID 1716 wrote to memory of 328	1716	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe	edta.exe
PID 1716 wrote to memory of 328	1716	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe	edta.exe
PID 1716 wrote to memory of 328	1716	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe	edta.exe
PID 1716 wrote to memory of 328	1716	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe	edta.exe
PID 328 wrote to memory of 1128	328	edta.exe	taskhost.exe
PID 328 wrote to memory of 1128	328	edta.exe	taskhost.exe
PID 328 wrote to memory of 1128	328	edta.exe	taskhost.exe
PID 328 wrote to memory of 1128	328	edta.exe	taskhost.exe
PID 328 wrote to memory of 1128	328	edta.exe	taskhost.exe
PID 328 wrote to memory of 1228	328	edta.exe	Dwm.exe
PID 328 wrote to memory of 1228	328	edta.exe	Dwm.exe
PID 328 wrote to memory of 1228	328	edta.exe	Dwm.exe
PID 328 wrote to memory of 1228	328	edta.exe	Dwm.exe
PID 328 wrote to memory of 1228	328	edta.exe	Dwm.exe
PID 328 wrote to memory of 1268	328	edta.exe	Explorer.EXE
PID 328 wrote to memory of 1268	328	edta.exe	Explorer.EXE
PID 328 wrote to memory of 1268	328	edta.exe	Explorer.EXE
PID 328 wrote to memory of 1268	328	edta.exe	Explorer.EXE
PID 328 wrote to memory of 1268	328	edta.exe	Explorer.EXE
PID 328 wrote to memory of 1716	328	edta.exe	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe
PID 328 wrote to memory of 1716	328	edta.exe	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe
PID 328 wrote to memory of 1716	328	edta.exe	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe
PID 328 wrote to memory of 1716	328	edta.exe	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe
PID 328 wrote to memory of 1716	328	edta.exe	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe
PID 1716 wrote to memory of 432	1716	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe	cmd.exe
PID 1716 wrote to memory of 432	1716	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe	cmd.exe
PID 1716 wrote to memory of 432	1716	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe	cmd.exe
PID 1716 wrote to memory of 432	1716	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe	cmd.exe
PID 1716 wrote to memory of 432	1716	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe	cmd.exe
PID 1716 wrote to memory of 432	1716	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe	cmd.exe
PID 1716 wrote to memory of 432	1716	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe	cmd.exe
PID 1716 wrote to memory of 432	1716	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe	cmd.exe
PID 1716 wrote to memory of 432	1716	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe	cmd.exe
PID 328 wrote to memory of 608	328	edta.exe	DllHost.exe
PID 328 wrote to memory of 608	328	edta.exe	DllHost.exe
PID 328 wrote to memory of 608	328	edta.exe	DllHost.exe
PID 328 wrote to memory of 608	328	edta.exe	DllHost.exe
PID 328 wrote to memory of 608	328	edta.exe	DllHost.exe
PID 328 wrote to memory of 1528	328	edta.exe	DllHost.exe
PID 328 wrote to memory of 1528	328	edta.exe	DllHost.exe
PID 328 wrote to memory of 1528	328	edta.exe	DllHost.exe
PID 328 wrote to memory of 1528	328	edta.exe	DllHost.exe
PID 328 wrote to memory of 1528	328	edta.exe	DllHost.exe
PID 328 wrote to memory of 1488	328	edta.exe	DllHost.exe
PID 328 wrote to memory of 1488	328	edta.exe	DllHost.exe
PID 328 wrote to memory of 1488	328	edta.exe	DllHost.exe
PID 328 wrote to memory of 1488	328	edta.exe	DllHost.exe
PID 328 wrote to memory of 1488	328	edta.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe
"C:\Users\Admin\AppData\Local\Temp\94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe"
2⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Roaming\Awym\edta.exe
"C:\Users\Admin\AppData\Roaming\Awym\edta.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp205d5cba.bat"
3⤵
- Deletes itself
PID:432

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1228

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:608

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1528

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp205d5cba.bat
MD5
beb9e1f9b54ce894cb86d7f722713be6

SHA1
7973e493ef79b56ad9e42d001b4cfc68c822bfae

SHA256
1c7785d6c956fdf06b19a09d18e46d0c61be733618938399bfd30308cf859420

SHA512
c1201ae2736494452796cfb5c2b4424eaaf5e73f4769a833b8bd286d77963b35e5b44ed63089253318260ae18e8c699189550b8ab62a29494bbbbceaa0212f2b

Download Submit
C:\Users\Admin\AppData\Roaming\Awym\edta.exe
MD5
cb163d91c95f087fed58eae663fc9c37

SHA1
473c13d7f76aab2be69b33411f72f1e3d9461747

SHA256
363d46c02e11a307f9740dbc994f30e287357e94369c0e0bc27ca0cd991e884f

SHA512
981e71e40e45a801a39416da9d3f486d5c984cd6da6e404b6edd67bf54444e22545e029bbd2d93112156e3d3bc83dd32b5bf3d8cc2fb4ba8d1bc2666fe7f9492

Download Submit
C:\Users\Admin\AppData\Roaming\Awym\edta.exe
MD5
cb163d91c95f087fed58eae663fc9c37

SHA1
473c13d7f76aab2be69b33411f72f1e3d9461747

SHA256
363d46c02e11a307f9740dbc994f30e287357e94369c0e0bc27ca0cd991e884f

SHA512
981e71e40e45a801a39416da9d3f486d5c984cd6da6e404b6edd67bf54444e22545e029bbd2d93112156e3d3bc83dd32b5bf3d8cc2fb4ba8d1bc2666fe7f9492

Download Submit
\Users\Admin\AppData\Roaming\Awym\edta.exe
MD5
cb163d91c95f087fed58eae663fc9c37

SHA1
473c13d7f76aab2be69b33411f72f1e3d9461747

SHA256
363d46c02e11a307f9740dbc994f30e287357e94369c0e0bc27ca0cd991e884f

SHA512
981e71e40e45a801a39416da9d3f486d5c984cd6da6e404b6edd67bf54444e22545e029bbd2d93112156e3d3bc83dd32b5bf3d8cc2fb4ba8d1bc2666fe7f9492

Download Submit
memory/328-5-0x0000000000000000-mapping.dmp

Download
memory/432-10-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/432-11-0x0000000000064540-mapping.dmp

Download
memory/432-18-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1528-19-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp

Filesize
2.5MB

Download
memory/1716-2-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1716-9-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/1716-3-0x00000000001C0000-0x00000000001D5000-memory.dmp

Filesize
84KB

Download
memory/1716-15-0x0000000000270000-0x0000000000292000-memory.dmp

Filesize
136KB

Download
memory/1716-16-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads