0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb

Analysis

max time kernel
141s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2023 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Size

4.7MB
MD5

a38f758e8faa67e2b5966c222d83e0ee
SHA1

c60dc751aae884e2d47b5ef4597064eff2b63f90
SHA256

0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb
SHA512

ed940fad36e0774258a29dc8611d415ee10ade17d5ccfc08c35d92185385d92d2951ea3d81492eb5dab801363ef5e3e74a30b5e16a25524fceeab6569c24bf1c
SSDEEP

98304:77wlWac1sIARODoAB7cM90/DXqjF/UOdbu3af5MNtkfhHI+ES1V+R:70/iM8D9cMW/DXqdpK3lNtmhHVh2

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe

description ioc process

File opened for modification C:\Windows\ebest.ini 0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\ebest.ini	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe

Modifies registry class 9 IoCs

Processes:

0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe,1"	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\shell\open	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\ = "xadtweblogin Protocol"	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\shell\open\command	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\shell	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe\" \"%1\""	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\URL Protocol	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\DefaultIcon	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe

pid	process
5028	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
5028	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
5028	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
5028	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
5028	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
5028	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
5028	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
5028	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe

pid	process
5028	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
5028	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
5028	0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe

C:\Users\Admin\AppData\Local\Temp\0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe
"C:\Users\Admin\AppData\Local\Temp\0eb41295e7e3e08c31781a6fb91bfd57052d8cc931b366950785cd7921c68fdb.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ebest.ini
Filesize
85B

MD5
d3e5983a21db2a42e56938f92589b64c

SHA1
56a1735cb773af32c57e5ba187cbfea0d4ed9b1f

SHA256
248fadf9fd87f9774bb41b18b0756f54b23b0b8a73eed9abcc9aa913edf40805

SHA512
cbbb72041838794e790564f0ef0135d986c6ed4c0f6a1f3f99746f22a285df9c09e482ca16b9275d2a264135f1f26366cdb080b65262c2babeb0304869c5836e

Download Submit
memory/5028-133-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/5028-134-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/5028-135-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/5028-136-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/5028-137-0x0000000001A00000-0x0000000001A01000-memory.dmp

Filesize
4KB

Download
memory/5028-144-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/5028-145-0x0000000001A00000-0x0000000001A01000-memory.dmp

Filesize
4KB

Download
memory/5028-153-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/5028-155-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/5028-156-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download