11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2023, 18:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
Size

4.7MB
MD5

dcebfaecb56da4a0c34cf3f2dc91f7d1
SHA1

1e944390011f10b067d9741bea3760f03e493286
SHA256

11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7
SHA512

ef848c9d4208e216300d890282ea875aae7410e6d6c771fb3adb82f121167c1e53c70eb462ed08fca9e69d7c39126096aec2460c6a7f1c28d22e014eec7d94ad
SSDEEP

98304:R7wlWac1sIARODoADHy7vbu03mhPlG8WNZeeUgoFPfhHvIE:R0/iM8DHUvb/3mh98NTUgoFXhHvIE

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ebest.ini	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\ = "xadtweblogin Protocol"	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\DefaultIcon	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe,1"	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\shell\open\command	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\shell	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\shell\open	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe\" \"%1\""	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xadtweblogin\URL Protocol	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1856	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
1856	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
1856	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
1856	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
1856	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
1856	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
1856	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
1856	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1856	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1856	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
1856	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
1856	11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe

C:\Users\Admin\AppData\Local\Temp\11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe
"C:\Users\Admin\AppData\Local\Temp\11acadf0a0b7be04876dfd39105e9290390ef922c40077e4c1d25e08fac523c7.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ebest.ini

Filesize
85B

MD5
00321159567f990708ce9faeb76ff324

SHA1
3a5fd38679413acaa65e74f02fab871fbc5618d5

SHA256
d66f19277e885c8e2ed9d55a10cf1337266978a88321e6eaa2c4b42f9fdcfaa5

SHA512
6eebf7aaa2b300a093ac8fd85730109ea36572de7b0ab9cbd222402a0cb219fad2343fcaac750b152ff3209b31280d02eb5557639570ac2ee80484676224f83b

Download Submit
C:\Windows\ebest.ini

Filesize
85B

MD5
de7c394a7582f9be6e4c7495cb8cfaec

SHA1
b1d2f4bc738d68b5e17d6366a6e001a023d3a73d

SHA256
783fdbfd79e22c6bf2eef0ab6905c4c79796d6a4ffa553e656e36457ffdcdab1

SHA512
6db12cd4e77cca89ead788a9deb6cb17a8d877f07e671e79950af7fd4697f8030a4128e6f5a69673d742a00240f2f1d741318e7d542cd0583df9648a290a4588

Download Submit
memory/1856-133-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/1856-134-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/1856-136-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/1856-137-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/1856-139-0x00000000019E0000-0x00000000019E1000-memory.dmp

Filesize
4KB

Download
memory/1856-145-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/1856-153-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/1856-154-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download
memory/1856-157-0x0000000000400000-0x000000000182A000-memory.dmp

Filesize
20.2MB

Download