Analysis
-
max time kernel
163s
-
max time network
185s
-
platform
windows10-2004_x64
-
resource
win10v2004-20221111-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
-
submitted
09/02/2023, 22:41
Static task
static1
Behavioral task
behavioral1
Sample
eMule0.50a-Installer.exe
Resource
win10v2004-20221111-en
General
-
Target
eMule0.50a-Installer.exe
-
Size
3.2MB
-
MD5
a31156b8d80a68e8f4354c63e0747beb
-
SHA1
185705e7d217132a104dc3f4ee12a72c7e8749ce
-
SHA256
28411261cb3f27081f910190d1c7742fb805185430af10131d5b39fd2e39c832
-
SHA512
33db65bf69a721be613316b729c06137ae4f323314b707f591b09f06f10dab2643f36742a457d04b5816e6e2aa795d78f01987ca173bd4ed0f0845279d2c96eb
-
SSDEEP
49152:a9r/Wx+GhZdsM+1GfhXM5uOMkbKH+1Ma6h2ZoHrkQb7MOBIfn2vrPLuG:ASgsdiM26+1MaO2iRTIv2vrjp
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process
4544 emule.exe
-
Loads dropped DLL 9 IoCs
pid Process
4912 eMule0.50a-Installer.exe
4912 eMule0.50a-Installer.exe
4912 eMule0.50a-Installer.exe
4912 eMule0.50a-Installer.exe
4912 eMule0.50a-Installer.exe
4912 eMule0.50a-Installer.exe
4912 eMule0.50a-Installer.exe
4912 eMule0.50a-Installer.exe
4544 emule.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run emule.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process
File created C:\Program Files (x86)\eMule\webserver\filetype_emulecollection.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\l_sources_5.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\add_server.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\ct_l.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\lang\fr_BR.dll eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\lang\nb_NO.dll eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\login_lefttop.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\l_calendar.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\l_filesearch.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\blue3.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\is_getflc.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\p_greenpercent.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\lang\es_AS.dll eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\lang\nl_NL.dll eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\lang\ko_KR.dll eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\lang\ug_CN.dll eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\is_halfcmtbad.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\l_sources_10.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\stats_2.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\t_connecting.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\emule.exe eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\Template.eMuleSkin.ini eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\l_clock.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\yellow.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\h_statistic.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\main_topbarseperator.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\filetype_document.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\filetype_video.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\is_banned.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\LinkCreator.exe eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\high.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\filetype_archive.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\l_resume.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\ct_a.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\l_homepage.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\login_bottom.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\eMule.tmpl eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\filetype_picture.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\lang\vi_VN.dll eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\ct_1.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\lang\es_ES_T.dll eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\lang\fr_FR.dll eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\readme.txt eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\lang\va_ES.dll eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\m_category.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\ct_0.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\error.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\blue5.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\h_graph.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\l_logout.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\main_menubg.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\l_hasherror.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\stalled.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\stats_14.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\is_static.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\l_forum.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\ct_s.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\lang\fi_FI.dll eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\ct_h.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\p_black.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\t_uploading.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\downloading.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\filetype_other.gif eMule0.50a-Installer.exe
File created C:\Program Files (x86)\eMule\webserver\completing.gif eMule0.50a-Installer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 26 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ed2k\URL Protocol eMule0.50a-Installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ed2k\shell\ = "open" eMule0.50a-Installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ed2k\DefaultIcon\ = "C:\\Program Files (x86)\\eMule\\eMule.exe,0" eMule0.50a-Installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ed2k\shell\open\command eMule0.50a-Installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\eMule\ = "eMule Collection" eMule0.50a-Installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\eMule\shell\open\command\ = "\"C:\\Program Files (x86)\\eMule\\eMule.exe\" \"%1\"" eMule0.50a-Installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\eMule\DefaultIcon eMule0.50a-Installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ed2k eMule0.50a-Installer.exe
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\ed2k\shell emule.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ed2k\shell\open\command\ = "\"C:\\Program Files (x86)\\eMule\\eMule.exe\" \"%1\"" eMule0.50a-Installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\eMule\shell\open\command eMule0.50a-Installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\eMule\DefaultIcon\ = "C:\\Program Files (x86)\\eMule\\eMule.exe,1" eMule0.50a-Installer.exe
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\ed2k\shell\open emule.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ed2k\ = "URL: ed2k Protocol" eMule0.50a-Installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\eMule\shell eMule0.50a-Installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\eMule\shell\ = "open" eMule0.50a-Installer.exe
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\ed2k emule.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.emulecollection eMule0.50a-Installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ed2k\DefaultIcon eMule0.50a-Installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ed2k\shell\open eMule0.50a-Installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.emulecollection\ = "eMule" eMule0.50a-Installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\eMule eMule0.50a-Installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\eMule\shell\open eMule0.50a-Installer.exe
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\ed2k\shell\open\command emule.exe
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\ed2k\DefaultIcon emule.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ed2k\shell eMule0.50a-Installer.exe
-
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process
4544 emule.exe
4544 emule.exe
4544 emule.exe
4544 emule.exe
4544 emule.exe
-
Suspicious use of SendNotifyMessage 4 IoCs
pid Process
4544 emule.exe
4544 emule.exe
4544 emule.exe
4544 emule.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process
4544 emule.exe
4544 emule.exe
4544 emule.exe
4544 emule.exe
4544 emule.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eMule0.50a-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\eMule0.50a-Installer.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
PID:4912
-
C:\Program Files (x86)\eMule\emule.exe
"C:\Program Files (x86)\eMule\emule.exe"
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4544
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
5.5MB
MD5
f3f709c2d49dd6636f4ede5c2cae5448
SHA1
8e0ea03e4c38199e10a2bc12db8b2df70484111d
SHA256
06cdf814387f627a4bd05a0c68211f715bfa952423e8e8a462e1f47c11a4d20e
SHA512
7a0df912b5ddc149d770260a2e1a3f55e58ac2e9ef02883e8baa08e79261075b82955bc8e57641bb2c16983abcada2581850fafc11b92a133605127bda80513e
-
Filesize
5.5MB
MD5
f3f709c2d49dd6636f4ede5c2cae5448
SHA1
8e0ea03e4c38199e10a2bc12db8b2df70484111d
SHA256
06cdf814387f627a4bd05a0c68211f715bfa952423e8e8a462e1f47c11a4d20e
SHA512
7a0df912b5ddc149d770260a2e1a3f55e58ac2e9ef02883e8baa08e79261075b82955bc8e57641bb2c16983abcada2581850fafc11b92a133605127bda80513e
-
Filesize
112KB
MD5
42fec9ce8a768a77615a0084b32b58c3
SHA1
32ec157749a427e650c7f1c769ebc0d9ca0a4c5a
SHA256
1b3be18ea610cb507849388bbaf2c5ef64e6d788eded1d0fae942fe768f281f1
SHA512
d866aa8c7cc5d0b6f8fe8b8237341ad9f254e5864251ab89749e55711d87954613debb5c27e699c71290da5df2a76884a52b63351ceec5e361f3c91c10d6ad16
-
Filesize
112KB
MD5
42fec9ce8a768a77615a0084b32b58c3
SHA1
32ec157749a427e650c7f1c769ebc0d9ca0a4c5a
SHA256
1b3be18ea610cb507849388bbaf2c5ef64e6d788eded1d0fae942fe768f281f1
SHA512
d866aa8c7cc5d0b6f8fe8b8237341ad9f254e5864251ab89749e55711d87954613debb5c27e699c71290da5df2a76884a52b63351ceec5e361f3c91c10d6ad16
-
Filesize
10KB
MD5
055f4f9260e07fc83f71877cbb7f4fad
SHA1
a245131af1a182de99bd74af9ff1fab17977a72f
SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc
SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26
-
Filesize
14KB
MD5
14c212bb2fa90fe52a6424b955c86ad6
SHA1
9e94f8ad17ff9b6b31e5f029ee5f726e307ac8ee
SHA256
1854afccace3053dca2707b10609ea78a30f0ee853bdb9f251c076317ee53120
SHA512
d42fa579f93b98d1446daf3d0734c19838fa310ef27cd05344e25d9f86ba37a5fa1752236e5de4df7c9f414236538bd7431bffda126fb9c74fd112539de0e713
-
Filesize
14KB
MD5
14c212bb2fa90fe52a6424b955c86ad6
SHA1
9e94f8ad17ff9b6b31e5f029ee5f726e307ac8ee
SHA256
1854afccace3053dca2707b10609ea78a30f0ee853bdb9f251c076317ee53120
SHA512
d42fa579f93b98d1446daf3d0734c19838fa310ef27cd05344e25d9f86ba37a5fa1752236e5de4df7c9f414236538bd7431bffda126fb9c74fd112539de0e713
-
Filesize
14KB
MD5
14c212bb2fa90fe52a6424b955c86ad6
SHA1
9e94f8ad17ff9b6b31e5f029ee5f726e307ac8ee
SHA256
1854afccace3053dca2707b10609ea78a30f0ee853bdb9f251c076317ee53120
SHA512
d42fa579f93b98d1446daf3d0734c19838fa310ef27cd05344e25d9f86ba37a5fa1752236e5de4df7c9f414236538bd7431bffda126fb9c74fd112539de0e713
-
Filesize
5KB
MD5
7e856702410e5598296a9c056c273db2
SHA1
1711125771f4e364717079aae5e4419ac3d69a5d
SHA256
394d7d46b5e1ea621cfcc4f0bc8609d5ad8d42074186cddb737f3abe10874403
SHA512
34ae337e44a5ce9dd17e4c726977f895b90614e02df09d9db46d7e6905850b05b44a4951508c07272acc2683454c1bc949ee1f83e14592e7400bdeae2033c886
-
Filesize
10KB
MD5
4c0c6163b636f627e0d505deda672c90
SHA1
2eae4e6f00673a03ae2434f1b22dc9218e4761a8
SHA256
bea71368433f91e32c597db990089ecb7599879f76a64f7f3446489578b2d5fb
SHA512
e817ad35f0e89ecce9d73add641d9eab95de6c6c30153e594673c8e0243e738a31dfb872cc76a8d51bc513775fc1dabc9adb65019298048539d6c3aa7d33e2ef
-
Filesize
10KB
MD5
4c0c6163b636f627e0d505deda672c90
SHA1
2eae4e6f00673a03ae2434f1b22dc9218e4761a8
SHA256
bea71368433f91e32c597db990089ecb7599879f76a64f7f3446489578b2d5fb
SHA512
e817ad35f0e89ecce9d73add641d9eab95de6c6c30153e594673c8e0243e738a31dfb872cc76a8d51bc513775fc1dabc9adb65019298048539d6c3aa7d33e2ef
-
Filesize
10KB
MD5
4c0c6163b636f627e0d505deda672c90
SHA1
2eae4e6f00673a03ae2434f1b22dc9218e4761a8
SHA256
bea71368433f91e32c597db990089ecb7599879f76a64f7f3446489578b2d5fb
SHA512
e817ad35f0e89ecce9d73add641d9eab95de6c6c30153e594673c8e0243e738a31dfb872cc76a8d51bc513775fc1dabc9adb65019298048539d6c3aa7d33e2ef
-
Filesize
24B
MD5
dd847fefd36e410a3e9adb3aff690892
SHA1
17ef3b6ef709cdf8930eff82da9b691cbc8dd59c
SHA256
2fb0c469f249477b38ade65b5b930accaac645249bb6d2e1d8a1d544e6dc8acc
SHA512
19b6e79bbd45d5308461ad74d64bb8cb5fd9c11c20f1866eba2a2b11a6f73e3fc8a624411f143151536803e0802758bfb1fb1287d0d7cd26ede9e42daa8f922a
-
Filesize
389B
MD5
e90d2ac37dcdad552cb715a1dc279dd6
SHA1
fe9ac87fe5cfbd9e061dbe2918a6f679bc601905
SHA256
35b6bb358c094db327478310652ac5a24fc8a8c64e241f2c7948b9f6bc7149e4
SHA512
c043a64a245dead7a3b999ec88f8c549018b6d3eede8b66f20613424fcd3e3ad0ab753a3beb1060ceb8e3cd03e16a283f2e0397a131d0e16d1395b2fe4bb6bec
-
Filesize
284B
MD5
248858a6725ce0629276e7814c9b9981
SHA1
02e2012007fc42756d00a017635801b0e290ca45
SHA256
a6520b0ce2711f7d71e9b12dcf15d7ea5bc6489125057b654fd183de38f4cbf3
SHA512
05b9cdad4a91b6ee5cbcb5c08f9034546974b0fc0d005eedd7cabbe5c0a9e8aea0058313eb2dcc9b6e63f3adf34547979e66018c7c1b64204c87145bbe99cf28