ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2

General

Target

ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
Size

305KB
MD5

380628f35467056cd5eedeef3188f01e
SHA1

bd6cfdc7949228f8fe2ad532521f159a526a123f
SHA256

ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2
SHA512

129204e3dc7798e61527f3739703cece7f99606d0d66c7ef499997094e2a29d574d0fa1f44fba9a49db2781ab5e6891d0ee5cc8cd97eaeaf815dd9c57a2d2ebf
SSDEEP

3072:EfjboxnOCPJTY3M+iduU0Git18SFTyCMZqyFyyubKW/oaT0WMAgbPeDzQH+vpFTI:ss5YmfC3kzGKWz9w+QHCPGMSUwOoUa

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\taskhost.exe = "C:\\Windows\\system32\\taskhost.exe:*:Enabled:Host Process for Windows Tasks"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\taskhostex.exe = "C:\\Windows\\system32\\taskhostex.exe:*:Enabled:Host Process for Windows Tasks"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\explorer.exe = "C:\\Windows\\explorer.exe:*:Enabled:Windows Explorer"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\explorer.exe = "C:\\Windows\\SysWOW64\\explorer.exe:*:Enabled:Windows Explorer"	explorer.exe

Executes dropped EXE 2 IoCs

Processes:

egceb.exeegceb.exe

pid process

1748 egceb.exe
1372 egceb.exe
Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

628 explorer.exe

pid	process
1748	egceb.exe
1372	egceb.exe

pid	process
628	explorer.exe

Loads dropped DLL 2 IoCs

Processes:

ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe

pid	process
1632	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
1632	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{EB3FC849-0129-1E8A-F8D7-5FC3EC38ED20} = "C:\\Users\\Admin\\AppData\\Roaming\\Ebcyn\\egceb.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exeegceb.exe

description	pid	process	target process
PID 912 set thread context of 1632	912	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
PID 1748 set thread context of 1372	1748	egceb.exe	egceb.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\24D751F6-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exeegceb.exeegceb.exeexplorer.exe

pid	process
912	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
912	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
1748	egceb.exe
1748	egceb.exe
1372	egceb.exe
1372	egceb.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe
628	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

egceb.exe

pid process

1372 egceb.exe

pid	process
1372	egceb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1632	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
Token: SeManageVolumePrivilege	968	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

968 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

968 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

968 WinMail.exe

pid	process
968	WinMail.exe

pid	process
968	WinMail.exe

pid	process
968	WinMail.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exeec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exeegceb.exeegceb.exeexplorer.exe

description	pid	process	target process
PID 912 wrote to memory of 1632	912	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
PID 912 wrote to memory of 1632	912	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
PID 912 wrote to memory of 1632	912	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
PID 912 wrote to memory of 1632	912	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
PID 912 wrote to memory of 1632	912	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
PID 912 wrote to memory of 1632	912	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
PID 912 wrote to memory of 1632	912	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
PID 912 wrote to memory of 1632	912	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
PID 912 wrote to memory of 1632	912	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
PID 912 wrote to memory of 1632	912	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
PID 1632 wrote to memory of 1748	1632	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe	egceb.exe
PID 1632 wrote to memory of 1748	1632	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe	egceb.exe
PID 1632 wrote to memory of 1748	1632	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe	egceb.exe
PID 1632 wrote to memory of 1748	1632	ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe	egceb.exe
PID 1748 wrote to memory of 1372	1748	egceb.exe	egceb.exe
PID 1748 wrote to memory of 1372	1748	egceb.exe	egceb.exe
PID 1748 wrote to memory of 1372	1748	egceb.exe	egceb.exe
PID 1748 wrote to memory of 1372	1748	egceb.exe	egceb.exe
PID 1748 wrote to memory of 1372	1748	egceb.exe	egceb.exe
PID 1748 wrote to memory of 1372	1748	egceb.exe	egceb.exe
PID 1748 wrote to memory of 1372	1748	egceb.exe	egceb.exe
PID 1748 wrote to memory of 1372	1748	egceb.exe	egceb.exe
PID 1748 wrote to memory of 1372	1748	egceb.exe	egceb.exe
PID 1748 wrote to memory of 1372	1748	egceb.exe	egceb.exe
PID 1372 wrote to memory of 628	1372	egceb.exe	explorer.exe
PID 1372 wrote to memory of 628	1372	egceb.exe	explorer.exe
PID 1372 wrote to memory of 628	1372	egceb.exe	explorer.exe
PID 1372 wrote to memory of 628	1372	egceb.exe	explorer.exe
PID 628 wrote to memory of 1380	628	explorer.exe	Explorer.EXE
PID 628 wrote to memory of 1380	628	explorer.exe	Explorer.EXE
PID 628 wrote to memory of 1380	628	explorer.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
"C:\Users\Admin\AppData\Local\Temp\ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\Temp\ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe
"C:\Users\Admin\AppData\Local\Temp\ec8fb53f340f4b82ed5d857cd65d5a647f1f7038b723def2669277e641dbdce2.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Roaming\Ebcyn\egceb.exe
"C:\Users\Admin\AppData\Roaming\Ebcyn\egceb.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Roaming\Ebcyn\egceb.exe
"C:\Users\Admin\AppData\Roaming\Ebcyn\egceb.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
6⤵
- Modifies firewall policy service
- Deletes itself
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:628

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ebcyn\egceb.exe
Filesize
305KB

MD5
d5ad660693cc36167d299424abf91a1b

SHA1
b5d8bf6bf459f18498c42a2801be763a43bb01c5

SHA256
b7862569a7179f6f826f8f4ecc009adb2cc3c9d51a818858b66d08a36963a902

SHA512
9d3f456d933e88be8dfaae1af2cf50a63dfc2a5a0bad1499875f987da82f6482b5a772993be69e8857e948d01665af2b349a8f95b20bfcdaeb0a3c8ba061b324

Download Submit
C:\Users\Admin\AppData\Roaming\Ebcyn\egceb.exe
Filesize
305KB

MD5
d5ad660693cc36167d299424abf91a1b

SHA1
b5d8bf6bf459f18498c42a2801be763a43bb01c5

SHA256
b7862569a7179f6f826f8f4ecc009adb2cc3c9d51a818858b66d08a36963a902

SHA512
9d3f456d933e88be8dfaae1af2cf50a63dfc2a5a0bad1499875f987da82f6482b5a772993be69e8857e948d01665af2b349a8f95b20bfcdaeb0a3c8ba061b324

Download Submit
C:\Users\Admin\AppData\Roaming\Ebcyn\egceb.exe
Filesize
305KB

MD5
d5ad660693cc36167d299424abf91a1b

SHA1
b5d8bf6bf459f18498c42a2801be763a43bb01c5

SHA256
b7862569a7179f6f826f8f4ecc009adb2cc3c9d51a818858b66d08a36963a902

SHA512
9d3f456d933e88be8dfaae1af2cf50a63dfc2a5a0bad1499875f987da82f6482b5a772993be69e8857e948d01665af2b349a8f95b20bfcdaeb0a3c8ba061b324

Download Submit
\Users\Admin\AppData\Roaming\Ebcyn\egceb.exe
Filesize
305KB

MD5
d5ad660693cc36167d299424abf91a1b

SHA1
b5d8bf6bf459f18498c42a2801be763a43bb01c5

SHA256
b7862569a7179f6f826f8f4ecc009adb2cc3c9d51a818858b66d08a36963a902

SHA512
9d3f456d933e88be8dfaae1af2cf50a63dfc2a5a0bad1499875f987da82f6482b5a772993be69e8857e948d01665af2b349a8f95b20bfcdaeb0a3c8ba061b324

Download Submit
\Users\Admin\AppData\Roaming\Ebcyn\egceb.exe
Filesize
305KB

MD5
d5ad660693cc36167d299424abf91a1b

SHA1
b5d8bf6bf459f18498c42a2801be763a43bb01c5

SHA256
b7862569a7179f6f826f8f4ecc009adb2cc3c9d51a818858b66d08a36963a902

SHA512
9d3f456d933e88be8dfaae1af2cf50a63dfc2a5a0bad1499875f987da82f6482b5a772993be69e8857e948d01665af2b349a8f95b20bfcdaeb0a3c8ba061b324

Download Submit
memory/628-114-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/628-96-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/628-94-0x0000000074FA1000-0x0000000074FA3000-memory.dmp

Filesize
8KB

Download
memory/628-92-0x0000000000000000-mapping.dmp

Download
memory/912-65-0x00000000001B0000-0x00000000001CD000-memory.dmp

Filesize
116KB

Download
memory/968-97-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download
memory/968-105-0x0000000001F10000-0x0000000001F20000-memory.dmp

Filesize
64KB

Download
memory/968-99-0x0000000001EB0000-0x0000000001EC0000-memory.dmp

Filesize
64KB

Download
memory/968-98-0x000007FEFB151000-0x000007FEFB153000-memory.dmp

Filesize
8KB

Download
memory/1372-87-0x00000000004037FF-mapping.dmp

Download
memory/1372-112-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1372-95-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1632-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1632-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1632-64-0x00000000004037FF-mapping.dmp

Download
memory/1632-61-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1632-59-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1632-69-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1632-57-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1632-63-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1632-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1632-68-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1632-70-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1632-111-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1632-113-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1632-71-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1748-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads