ed1643d27687cd610bb65efd776b57e3e5c358c8a8713e672496fc2c8ec01444

Resubmissions

19-05-2023 10:03

230519-l3q92sdc28 7

19-05-2023 09:58

230519-lz1z3sdb95 6

Analysis

max time kernel
146s
max time network
36s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-05-2023 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

entry_1_0/Install Build 2017-06.exe
Size

17.9MB
MD5

3c763d4ffef09532d10b517c8c6fa3a2
SHA1

aa436d6dac21a86f7434311c773d1cfa7dd447e7
SHA256

99a6789c272bcee6e09ed2576d978b0297c06f1c4c11baf480bcd022568b98eb
SHA512

96c554e09c9b3b410637546d9256317b90ddf1a73996152afcd7c3500f481921a0aea256fc825e601a3fdf0c7b2ecb412e36b2dca336b9186cf52bfe8c168e71
SSDEEP

393216:SBn0537McfjXyxOQpS8bXhGQjt7XIscaMv9kL0WVc:S87M0CxpS8bXhxhXId9knc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2028	ErgoKinetics.exe
544	ErgoKinetics.exe
364	ErgoKinetics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\Icon.ico	Install Build 2017-06.exe
File created	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\support\AnyDesk.exe	Install Build 2017-06.exe
File created	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\support\ErgoKinetics Quick Start Manual V2 - Windows.pdf	Install Build 2017-06.exe
File created	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\support\TeamViewerQS.exe	Install Build 2017-06.exe
File created	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\support\ErgoKinetics Quick Start Manual V2 - MacOS.pdf	Install Build 2017-06.exe
File opened for modification	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\support\ErgoKinetics Quick Start Manual V2 - MacOS.pdf	Install Build 2017-06.exe
File opened for modification	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\support\TeamViewerQS.exe	Install Build 2017-06.exe
File created	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\uninstall.dat	Install Build 2017-06.exe
File created	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\	Install Build 2017-06.exe
File opened for modification	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\	Install Build 2017-06.exe
File created	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\Icon.ico	Install Build 2017-06.exe
File opened for modification	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\support\AnyDesk.exe	Install Build 2017-06.exe
File created	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\Uninstall.exe	Install Build 2017-06.exe
File opened for modification	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe	Install Build 2017-06.exe
File created	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\Icon.png	Install Build 2017-06.exe
File created	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\uninstall_l.ifl	Install Build 2017-06.exe
File opened for modification	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\uninstall_l.ifl	Install Build 2017-06.exe
File created	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe	Install Build 2017-06.exe
File opened for modification	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\Icon.png	Install Build 2017-06.exe
File opened for modification	C:\Program Files (x86)\Amara Solutions\ErgoKinetics\support\ErgoKinetics Quick Start Manual V2 - Windows.pdf	Install Build 2017-06.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1960	Install Build 2017-06.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1260	javaw.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1260	2028	ErgoKinetics.exe	29
PID 2028 wrote to memory of 1260	2028	ErgoKinetics.exe	29
PID 2028 wrote to memory of 1260	2028	ErgoKinetics.exe	29
PID 2028 wrote to memory of 1260	2028	ErgoKinetics.exe	29
PID 1260 wrote to memory of 1692	1260	javaw.exe	30
PID 1260 wrote to memory of 1692	1260	javaw.exe	30
PID 1260 wrote to memory of 1692	1260	javaw.exe	30
PID 1260 wrote to memory of 1712	1260	javaw.exe	33
PID 1260 wrote to memory of 1712	1260	javaw.exe	33
PID 1260 wrote to memory of 1712	1260	javaw.exe	33
PID 544 wrote to memory of 560	544	ErgoKinetics.exe	36
PID 544 wrote to memory of 560	544	ErgoKinetics.exe	36
PID 544 wrote to memory of 560	544	ErgoKinetics.exe	36
PID 544 wrote to memory of 560	544	ErgoKinetics.exe	36
PID 560 wrote to memory of 1004	560	javaw.exe	37
PID 560 wrote to memory of 1004	560	javaw.exe	37
PID 560 wrote to memory of 1004	560	javaw.exe	37
PID 560 wrote to memory of 1308	560	javaw.exe	39
PID 560 wrote to memory of 1308	560	javaw.exe	39
PID 560 wrote to memory of 1308	560	javaw.exe	39
PID 364 wrote to memory of 1140	364	ErgoKinetics.exe	42
PID 364 wrote to memory of 1140	364	ErgoKinetics.exe	42
PID 364 wrote to memory of 1140	364	ErgoKinetics.exe	42
PID 364 wrote to memory of 1140	364	ErgoKinetics.exe	42

C:\Users\Admin\AppData\Local\Temp\entry_1_0\Install Build 2017-06.exe
"C:\Users\Admin\AppData\Local\Temp\entry_1_0\Install Build 2017-06.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1960

C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe
"C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\system32\cscript.exe
    cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\mbserial7276390830791279546.vbs
    3⤵
    PID:1692
- - C:\Windows\system32\cscript.exe
    cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hdserial1638996016515678237.vbs
    3⤵
    PID:1712

C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe
"C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\system32\cscript.exe
    cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\mbserial6614855969870159078.vbs
    3⤵
    PID:1004
- - C:\Windows\system32\cscript.exe
    cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hdserial489557522679988386.vbs
    3⤵
    PID:1308

C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe
"C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:364
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe"
  2⤵
  PID:1140

C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe
"C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe"
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe

Filesize
3.5MB

MD5
240519e7a00be23c2c1da0f76d2290b2

SHA1
af49f3b63a26e466b40242a11bff85dc3c8673c6

SHA256
b6e86c6ddf12ade742e4b593067fe57173ba572dfb9739a9c51c3140c112f7fb

SHA512
759da28b39135d8830677f66bc627e684694b3650dfaf60d81ac3afc665f765f0958ff2a469a513c16f1df91f528d09b3d27630b1e08fac8b61513b661a593f4

Download Submit
C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe

Filesize
3.5MB

MD5
240519e7a00be23c2c1da0f76d2290b2

SHA1
af49f3b63a26e466b40242a11bff85dc3c8673c6

SHA256
b6e86c6ddf12ade742e4b593067fe57173ba572dfb9739a9c51c3140c112f7fb

SHA512
759da28b39135d8830677f66bc627e684694b3650dfaf60d81ac3afc665f765f0958ff2a469a513c16f1df91f528d09b3d27630b1e08fac8b61513b661a593f4

Download Submit
C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe

Filesize
3.5MB

MD5
240519e7a00be23c2c1da0f76d2290b2

SHA1
af49f3b63a26e466b40242a11bff85dc3c8673c6

SHA256
b6e86c6ddf12ade742e4b593067fe57173ba572dfb9739a9c51c3140c112f7fb

SHA512
759da28b39135d8830677f66bc627e684694b3650dfaf60d81ac3afc665f765f0958ff2a469a513c16f1df91f528d09b3d27630b1e08fac8b61513b661a593f4

Download Submit
C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe

Filesize
3.5MB

MD5
240519e7a00be23c2c1da0f76d2290b2

SHA1
af49f3b63a26e466b40242a11bff85dc3c8673c6

SHA256
b6e86c6ddf12ade742e4b593067fe57173ba572dfb9739a9c51c3140c112f7fb

SHA512
759da28b39135d8830677f66bc627e684694b3650dfaf60d81ac3afc665f765f0958ff2a469a513c16f1df91f528d09b3d27630b1e08fac8b61513b661a593f4

Download Submit
C:\Program Files (x86)\Amara Solutions\ErgoKinetics\ErgoKinetics.exe

Filesize
3.5MB

MD5
240519e7a00be23c2c1da0f76d2290b2

SHA1
af49f3b63a26e466b40242a11bff85dc3c8673c6

SHA256
b6e86c6ddf12ade742e4b593067fe57173ba572dfb9739a9c51c3140c112f7fb

SHA512
759da28b39135d8830677f66bc627e684694b3650dfaf60d81ac3afc665f765f0958ff2a469a513c16f1df91f528d09b3d27630b1e08fac8b61513b661a593f4

Download Submit
C:\Program Files (x86)\Amara Solutions\ErgoKinetics\uninstall_l.ifl

Filesize
2KB

MD5
dc51022cf78c9b519f2058983a773119

SHA1
56bf6aae50122301617cdaa7c5002c38fa1571a1

SHA256
93e28a5125b4864773f53d1c5f87c1756efa0c2d60d5c3fd6b34aa920080f568

SHA512
dfac8474bf7724b000a530b76152f75e146ae490d7f3d1f4960247226663ef738c88000a2b3c033bf626348db4b33d7b26e0202b840052d80ff6c36bb8e089aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdserial1638996016515678237.vbs

Filesize
155B

MD5
7e489395e787bbc1f686cb0da48e57ef

SHA1
f915ef73b4cfc20d21c536cfa14a35ced6aef1d1

SHA256
e8a9f9c558304d66782332598c350ee351a9f8e7601576d5841b7dbf3a08ec30

SHA512
6bed3869c36b6dc985b0fe1a8aa09b3e5dbdb01b4eb4c5917ac7673958307cd2e0d894b8eb545057136fd41b7e8330f0c168e33b83021de28e39f0ffe52d4bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdserial489557522679988386.vbs

Filesize
155B

MD5
7e489395e787bbc1f686cb0da48e57ef

SHA1
f915ef73b4cfc20d21c536cfa14a35ced6aef1d1

SHA256
e8a9f9c558304d66782332598c350ee351a9f8e7601576d5841b7dbf3a08ec30

SHA512
6bed3869c36b6dc985b0fe1a8aa09b3e5dbdb01b4eb4c5917ac7673958307cd2e0d894b8eb545057136fd41b7e8330f0c168e33b83021de28e39f0ffe52d4bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbserial6614855969870159078.vbs

Filesize
252B

MD5
4c20cf9f87dc609f71e5a6d184d02bb0

SHA1
5cad0686a19c14f75d0ed26108ceb7a314d54f7a

SHA256
2b327a612af1361361211129f71022ce23a9abe628e948c897316f2175a63496

SHA512
d6fb3a1d4a0d1cad1c3390550f34a658253e42d20b40767265079ca9aeff767082b34a78358df23105d8cc4a9988a18418686cd6784f44b67f9669c07eddc689

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbserial7276390830791279546.vbs

Filesize
252B

MD5
4c20cf9f87dc609f71e5a6d184d02bb0

SHA1
5cad0686a19c14f75d0ed26108ceb7a314d54f7a

SHA256
2b327a612af1361361211129f71022ce23a9abe628e948c897316f2175a63496

SHA512
d6fb3a1d4a0d1cad1c3390550f34a658253e42d20b40767265079ca9aeff767082b34a78358df23105d8cc4a9988a18418686cd6784f44b67f9669c07eddc689

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1563773381-2037468142-1146002597-1000\83aa4cc77f591dfc2374580bbd95f6ba_b2297557-1764-4c87-9db5-9b6890ebc138

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
memory/364-167-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/544-137-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/560-148-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1260-157-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1260-134-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2028-113-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download