Analysis
-
max time kernel
142s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230221-en locale:en-us os:windows10-2004-x64 system -
submitted
07-06-2023 19:35
Behavioral task
behavioral1
Sample
29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
Resource
win10v2004-20230221-en
General
-
Target
29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
-
Size
4.6MB
-
MD5
507a9b2df878a7b0744af87d5a07e68e
-
SHA1
4f79d9691b4c289981a731b091f90dcff64c6c01
-
SHA256
29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a
-
SHA512
7d8c2578d98e83715250dbd602f253b15844d1e56de72c9857954bf46cc473ac62196f62596b49449c08c5aeeafbfc2daf02c47ca4eac06445b93fa0a4ba29d5
-
SSDEEP
98304:IBpxYloFQVm/BDWlNj8ZRlLxewDE2L79R0Ff7U5VBKbFVk:y/YeFQVm5DWlR83lLLv701Q5V+FVk
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
Processes:
29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
description | ioc | process
File opened for modification | C:\Windows\ebest.ini | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\shell\open\command | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\shell\open | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe\" \"%1\"" | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\ = "xadtweblogin Protocol" | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe,1" | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\shell | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\URL Protocol | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\DefaultIcon | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
pid | process
1468 | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
1468 | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
1468 | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
1468 | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
1468 | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
1468 | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
1468 | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
1468 | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
pid | process
1468 | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
1468 | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
1468 | 29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\29ce09d8d7cfd28753d07db275c0071d9bff9ecdbaeb35e8b5d5798382c4db0a.exe"
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\ebest.ini
Filesize
85B
MD5 00321159567f990708ce9faeb76ff324
SHA1 3a5fd38679413acaa65e74f02fab871fbc5618d5
SHA256 d66f19277e885c8e2ed9d55a10cf1337266978a88321e6eaa2c4b42f9fdcfaa5
SHA512 6eebf7aaa2b300a093ac8fd85730109ea36572de7b0ab9cbd222402a0cb219fad2343fcaac750b152ff3209b31280d02eb5557639570ac2ee80484676224f83b
-
C:\Windows\ebest.ini
Filesize
85B
MD5 de7c394a7582f9be6e4c7495cb8cfaec
SHA1 b1d2f4bc738d68b5e17d6366a6e001a023d3a73d
SHA256 783fdbfd79e22c6bf2eef0ab6905c4c79796d6a4ffa553e656e36457ffdcdab1
SHA512 6db12cd4e77cca89ead788a9deb6cb17a8d877f07e671e79950af7fd4697f8030a4128e6f5a69673d742a00240f2f1d741318e7d542cd0583df9648a290a4588
-
memory/1468-133-0x0000000000400000-0x0000000001827000-memory.dmp
Filesize
20.2MB
-
memory/1468-134-0x0000000000400000-0x0000000001827000-memory.dmp
Filesize
20.2MB
-
memory/1468-135-0x0000000000400000-0x0000000001827000-memory.dmp
Filesize
20.2MB
-
memory/1468-136-0x0000000000400000-0x0000000001827000-memory.dmp
Filesize
20.2MB
-
memory/1468-137-0x0000000000400000-0x0000000001827000-memory.dmp
Filesize
20.2MB
-
memory/1468-144-0x00000000035A0000-0x00000000035A1000-memory.dmp
Filesize
4KB
-
memory/1468-145-0x0000000000400000-0x0000000001827000-memory.dmp
Filesize
20.2MB
-
memory/1468-154-0x0000000000400000-0x0000000001827000-memory.dmp
Filesize
20.2MB
-
memory/1468-155-0x0000000000400000-0x0000000001827000-memory.dmp
Filesize
20.2MB
-
memory/1468-157-0x0000000000400000-0x0000000001827000-memory.dmp
Filesize
20.2MB