0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb

Analysis

max time kernel
140s
max time network
65s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
23-06-2023 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Size

4.7MB
MD5

a38f758e8faa67e2b5966c222d83e0ee
SHA1

c60dc751aae884e2d47b5ef4597064eff2b63f90
SHA256

0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb
SHA512

ed940fad36e0774258a29dc8611d415ee10ade17d5ccfc08c35d92185385d92d2951ea3d81492eb5dab801363ef5e3e74a30b5e16a25524fceeab6569c24bf1c
SSDEEP

98304:77wlWac1sIARODoAB7cM90/DXqjF/UOdbu3af5MNtkfhHI+ES1V+R:70/iM8D9cMW/DXqdpK3lNtmhHVh2

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe

description ioc process

File opened for modification C:\Windows\ebest.ini 0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\ebest.ini	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe

Modifies registry class 9 IoCs

Processes:

0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\DefaultIcon	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\shell\open\command	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\shell	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\shell\open	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\ = "xadtweblogin Protocol"	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\URL Protocol	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe,1"	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe\" \"%1\""	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe

pid	process
2040	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
2040	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
2040	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
2040	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe

pid	process
2040	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
2040	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
2040	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe

C:\Users\Admin\AppData\Local\Temp\0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
"C:\Users\Admin\AppData\Local\Temp\0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ebest.ini

Filesize
85B

MD5
d3e5983a21db2a42e56938f92589b64c

SHA1
56a1735cb773af32c57e5ba187cbfea0d4ed9b1f

SHA256
248fadf9fd87f9774bb41b18b0756f54b23b0b8a73eed9abcc9aa913edf40805

SHA512
cbbb72041838794e790564f0ef0135d986c6ed4c0f6a1f3f99746f22a285df9c09e482ca16b9275d2a264135f1f26366cdb080b65262c2babeb0304869c5836e

Download Submit
memory/2040-54-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/2040-55-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/2040-56-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/2040-57-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/2040-64-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/2040-65-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2040-66-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/2040-78-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/2040-80-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download