Overview

overview

8

Static

static

3

e3137bd6e2...2e.exe

windows7-x64

8

e3137bd6e2...2e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2023 19:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e3137bd6e22a93878c8c4472471eeaa969cae3505f33d1bd1955beeca837952e.exe

  • Size

    960KB

  • MD5

    257e4bc646728d28cfc51d7195d8c1fc

  • SHA1

    a60412107010da977de96b5d874f27f10e90b145

  • SHA256

    e3137bd6e22a93878c8c4472471eeaa969cae3505f33d1bd1955beeca837952e

  • SHA512

    65f3e3630e4bdb8a5418323c4c9bdf20e291823c05ebba63cd0476ce052dc093d434a27071779bbdff9bedb53a93883727dcfe974e54f791762133ae0c63e0ae

  • SSDEEP

    24576:jbEg8+TDc11QrGhz66CAL7IP7sjHGuJ7rs3yY0udMJRxJE:jbEiTYrQGhz6JsUP7Ig3R0udsJE

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Program crash 10 IoCs
  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 16 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3137bd6e22a93878c8c4472471eeaa969cae3505f33d1bd1955beeca837952e.exe
    "C:\Users\Admin\AppData\Local\Temp\e3137bd6e22a93878c8c4472471eeaa969cae3505f33d1bd1955beeca837952e.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3844
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 356
      2⤵
      • Program crash
      PID:5088
    • C:\Users\Admin\AppData\Local\Temp\e3137bd6e22a93878c8c4472471eeaa969cae3505f33d1bd1955beeca837952e.exe
      C:\Users\Admin\AppData\Local\Temp\e3137bd6e22a93878c8c4472471eeaa969cae3505f33d1bd1955beeca837952e.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      • System policy modification
      PID:824
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 324
        3⤵
        • Program crash
        PID:2440
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 668
        3⤵
        • Program crash
        PID:3076
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 800
        3⤵
        • Program crash
        PID:4868
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 836
        3⤵
        • Program crash
        PID:3592
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 812
        3⤵
        • Program crash
        PID:116
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 952
        3⤵
        • Program crash
        PID:2724
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 960
        3⤵
        • Program crash
        PID:3804
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 1276
        3⤵
        • Program crash
        PID:4476
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 1328
        3⤵
        • Program crash
        PID:2100
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3844 -ip 3844
    1⤵
      PID:3184
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 824 -ip 824
      1⤵
        PID:820
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 824 -ip 824
        1⤵
          PID:4464
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 824 -ip 824
          1⤵
            PID:1668
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 824 -ip 824
            1⤵
              PID:3368
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 824 -ip 824
              1⤵
                PID:1144
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 824 -ip 824
                1⤵
                  PID:1468
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 824 -ip 824
                  1⤵
                    PID:3588
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 824 -ip 824
                    1⤵
                      PID:2624
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 824 -ip 824
                      1⤵
                        PID:3108
                      • C:\Windows\system32\sihost.exe
                        sihost.exe
                        1⤵
                        • Modifies registry class
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of WriteProcessMemory
                        PID:2508
                        • C:\Windows\explorer.exe
                          explorer.exe /LOADSAVEDWINDOWS
                          2⤵
                          • Modifies registry class
                          PID:1144
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                        • Modifies Installed Components in the registry
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies Internet Explorer settings
                        • Modifies registry class
                        • Suspicious behavior: AddClipboardFormatListener
                        • Suspicious behavior: GetForegroundWindowSpam
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of SetWindowsHookEx
                        PID:2352
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                        1⤵
                        • Suspicious behavior: AddClipboardFormatListener
                        PID:3932
                      • C:\Windows\System32\rundll32.exe
                        C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
                        1⤵
                          PID:4008
                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                          1⤵
                          • Suspicious use of SetWindowsHookEx
                          PID:4716
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                          1⤵
                            PID:3728
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                            • Modifies Internet Explorer settings
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:4460
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                            • Modifies Internet Explorer settings
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:3516
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                            • Modifies Internet Explorer settings
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:4568
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                            • Modifies Internet Explorer settings
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:320
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                            • Modifies Internet Explorer settings
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:2912
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                            • Modifies Internet Explorer settings
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:3488

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TERA0QIF\microsoft.windows[1].xml
                            Filesize

                            97B

                            MD5

                            8d6e57645a3894c78fedfd96931fb799

                            SHA1

                            8fa46e487e762948f191626bc0e39bdf52b4a367

                            SHA256

                            9dceae2923a4265b821c1e66e634f7ad1a2ad12e0f1e41effcc8662aa1980f24

                            SHA512

                            14947e39d023e6e94d6ddfbf2ee971f37ac4ff96a0faa6b3d069b9cc07f6452e99c54f4edfdccbf0c4013a2c9827db200d2cae3ec6e509044c507b6b653fdd59

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133444659457230962.txt
                            Filesize

                            74KB

                            MD5

                            858607c91d7e8bd081cde8374c322ca2

                            SHA1

                            c999d4818f64d30ca2de163674eb48000841ee3c

                            SHA256

                            f4d36020e28833a6cc7002c0dad1089637cbeaa65c7e7c0e64561c50d0832dfb

                            SHA512

                            c42187298415c8168378b8f164dbcce7c752b1f58219dbea02619021da5bb270b2d784d3d8bf3e26aae2ace8b77cece9a91d4faa9c08d71b605a3706bc55fbb4

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133444659457230962.txt
                            Filesize

                            74KB

                            MD5

                            858607c91d7e8bd081cde8374c322ca2

                            SHA1

                            c999d4818f64d30ca2de163674eb48000841ee3c

                            SHA256

                            f4d36020e28833a6cc7002c0dad1089637cbeaa65c7e7c0e64561c50d0832dfb

                            SHA512

                            c42187298415c8168378b8f164dbcce7c752b1f58219dbea02619021da5bb270b2d784d3d8bf3e26aae2ace8b77cece9a91d4faa9c08d71b605a3706bc55fbb4

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TERA0QIF\microsoft.windows[1].xml
                            Filesize

                            97B

                            MD5

                            8d6e57645a3894c78fedfd96931fb799

                            SHA1

                            8fa46e487e762948f191626bc0e39bdf52b4a367

                            SHA256

                            9dceae2923a4265b821c1e66e634f7ad1a2ad12e0f1e41effcc8662aa1980f24

                            SHA512

                            14947e39d023e6e94d6ddfbf2ee971f37ac4ff96a0faa6b3d069b9cc07f6452e99c54f4edfdccbf0c4013a2c9827db200d2cae3ec6e509044c507b6b653fdd59

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TERA0QIF\microsoft.windows[1].xml
                            Filesize

                            97B

                            MD5

                            8d6e57645a3894c78fedfd96931fb799

                            SHA1

                            8fa46e487e762948f191626bc0e39bdf52b4a367

                            SHA256

                            9dceae2923a4265b821c1e66e634f7ad1a2ad12e0f1e41effcc8662aa1980f24

                            SHA512

                            14947e39d023e6e94d6ddfbf2ee971f37ac4ff96a0faa6b3d069b9cc07f6452e99c54f4edfdccbf0c4013a2c9827db200d2cae3ec6e509044c507b6b653fdd59

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TERA0QIF\microsoft.windows[1].xml
                            Filesize

                            97B

                            MD5

                            8d6e57645a3894c78fedfd96931fb799

                            SHA1

                            8fa46e487e762948f191626bc0e39bdf52b4a367

                            SHA256

                            9dceae2923a4265b821c1e66e634f7ad1a2ad12e0f1e41effcc8662aa1980f24

                            SHA512

                            14947e39d023e6e94d6ddfbf2ee971f37ac4ff96a0faa6b3d069b9cc07f6452e99c54f4edfdccbf0c4013a2c9827db200d2cae3ec6e509044c507b6b653fdd59

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TERA0QIF\microsoft.windows[1].xml
                            Filesize

                            97B

                            MD5

                            8d6e57645a3894c78fedfd96931fb799

                            SHA1

                            8fa46e487e762948f191626bc0e39bdf52b4a367

                            SHA256

                            9dceae2923a4265b821c1e66e634f7ad1a2ad12e0f1e41effcc8662aa1980f24

                            SHA512

                            14947e39d023e6e94d6ddfbf2ee971f37ac4ff96a0faa6b3d069b9cc07f6452e99c54f4edfdccbf0c4013a2c9827db200d2cae3ec6e509044c507b6b653fdd59

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TERA0QIF\microsoft.windows[1].xml
                            Filesize

                            97B

                            MD5

                            8d6e57645a3894c78fedfd96931fb799

                            SHA1

                            8fa46e487e762948f191626bc0e39bdf52b4a367

                            SHA256

                            9dceae2923a4265b821c1e66e634f7ad1a2ad12e0f1e41effcc8662aa1980f24

                            SHA512

                            14947e39d023e6e94d6ddfbf2ee971f37ac4ff96a0faa6b3d069b9cc07f6452e99c54f4edfdccbf0c4013a2c9827db200d2cae3ec6e509044c507b6b653fdd59

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\e3137bd6e22a93878c8c4472471eeaa969cae3505f33d1bd1955beeca837952e.exe
                            Filesize

                            960KB

                            MD5

                            9a522ba1d0d383c8faea056b3cc97eb9

                            SHA1

                            454d4a5da715dd94da0b6908fb17285026f5fcdf

                            SHA256

                            8001aafce91b67756a72703274208385fba4cea26fb20ca83af656a318ca87e1

                            SHA512

                            5cdaabbdcb85e6bd0ae300af3df9fe5ff04f4c6f1523d997dbcf70415358b52da88d83e0973e4b8ced9f64707aaecb7477bc58ba74813fb6903a553ade2344a8

                            Download Submit

                          • memory/320-127-0x0000015280C10000-0x0000015280C30000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/320-125-0x0000015280800000-0x0000015280820000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/320-123-0x0000015280840000-0x0000015280860000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/824-16-0x0000000000400000-0x000000000045A000-memory.dmp

                            Filesize

                            360KB

                            Download

                          • memory/824-27-0x0000000000400000-0x000000000045A000-memory.dmp

                            Filesize

                            360KB

                            Download

                          • memory/824-10-0x0000000004F80000-0x0000000004FF2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/824-8-0x0000000000400000-0x000000000045A000-memory.dmp

                            Filesize

                            360KB

                            Download

                          • memory/824-7-0x0000000000400000-0x0000000000472000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2352-36-0x0000000003920000-0x0000000003921000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2912-146-0x0000021F78880000-0x0000021F788A0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/2912-148-0x0000021F78DD0000-0x0000021F78DF0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/2912-144-0x0000021F788C0000-0x0000021F788E0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3488-169-0x000002007D1E0000-0x000002007D200000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3488-167-0x000002007CBD0000-0x000002007CBF0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3488-165-0x000002007CE20000-0x000002007CE40000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3516-72-0x000001E4DD780000-0x000001E4DD7A0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3516-70-0x000001E4DD7C0000-0x000001E4DD7E0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3516-74-0x000001E4DDB90000-0x000001E4DDBB0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3844-6-0x0000000000400000-0x0000000000472000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/3844-0-0x0000000000400000-0x0000000000472000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/4460-42-0x0000021434140000-0x0000021434160000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/4460-44-0x0000021434100000-0x0000021434120000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/4460-47-0x0000021434510000-0x0000021434530000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/4568-106-0x0000026EF6FF0000-0x0000026EF7010000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/4568-104-0x0000026EF69E0000-0x0000026EF6A00000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/4568-102-0x0000026EF6C20000-0x0000026EF6C40000-memory.dmp

                            Filesize

                            128KB

                            Download