ea9803c5fc03ed3aa0ee5f888a76396e5651ab52aee81493fed76fc6eeb894b2

Analysis

max time kernel
2s
max time network
138s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
11/12/2023, 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Empresa CE Support.exe
Size

3.8MB
MD5

7c951e0b54b91d3f847d9f368f385512
SHA1

d3d2ecd1e4534922453db61fc594a2004c8be4c2
SHA256

ea9803c5fc03ed3aa0ee5f888a76396e5651ab52aee81493fed76fc6eeb894b2
SHA512

9a72a0ecafa5cc05f7ce674bfafde91f0e81f0754fd4f981ad352916926a560e07334a663bbfdfc1c7794d83433f8b1a9f0c322bb6f230140749694d84b69829
SSDEEP

49152:AvdRiSnf0Ts4Nt+9EMtYOWS0bZCGPsBiAa37INDDCLKbxj3jhE0kcVz+e3Zpzx1J:ai8f4s4itYO1d9iAa37INDDhlElcVFFJ

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
480	Process not Found
3044	nboodcfvpmxmuldkjykyhrcelgqwcep-elevate.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2208-6-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2996-0-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/3044-19-0x000000013F0D0000-0x000000014096C000-memory.dmp	upx
behavioral1/files/0x00080000000147f7-14.dat	upx
behavioral1/files/0x00080000000147f7-8.dat	upx
behavioral1/files/0x00080000000147f7-7.dat	upx
behavioral1/memory/2400-22-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2400-33-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2996-35-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2208-36-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2996-37-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2208-38-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2996-40-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2208-41-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2996-44-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2208-45-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2996-46-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2208-47-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2996-48-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2208-49-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2996-51-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2208-52-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2996-53-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2208-54-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2996-55-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2208-56-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2996-57-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2208-58-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2996-59-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2208-60-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2996-61-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2208-62-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2208-64-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2996-65-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2208-66-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2996-67-0x000000013F960000-0x00000001411FC000-memory.dmp	upx
behavioral1/memory/2208-68-0x000000013F960000-0x00000001411FC000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Empresa CE Support.exe
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main	Empresa CE Support.exe
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	Empresa CE Support.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Empresa CE Support.exe = "11001"	Empresa CE Support.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\Empresa CE Support.exe = "11001"	Empresa CE Support.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2400	Empresa CE Support.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2996	Empresa CE Support.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2208	Empresa CE Support.exe
2208	Empresa CE Support.exe
2208	Empresa CE Support.exe
2208	Empresa CE Support.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2208	Empresa CE Support.exe
2208	Empresa CE Support.exe
2208	Empresa CE Support.exe
2208	Empresa CE Support.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2208	2996	Empresa CE Support.exe	19
PID 2996 wrote to memory of 2208	2996	Empresa CE Support.exe	19
PID 2996 wrote to memory of 2208	2996	Empresa CE Support.exe	19

C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe
"C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe
  "C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe" -gpipe \\.\pipe\PCommand97Empresa^CE^Support -gui
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2208
- C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe
  "C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe" -cpipe \\.\pipe\PCommand96Empresa^CE^Support -child
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2400

C:\ProgramData\Getscreen.me\nboodcfvpmxmuldkjykyhrcelgqwcep-elevate.exe
"C:\ProgramData\Getscreen.me\nboodcfvpmxmuldkjykyhrcelgqwcep-elevate.exe" -elevate \\.\pipe\elevateGS512nboodcfvpmxmuldkjykyhrcelgqwcep
1⤵
- Executes dropped EXE
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Empresa CE Support\logs\20231211.log

Filesize
685B

MD5
6afcf341d501dfdf47a91ee85b0aba35

SHA1
9429977eef65f8832bdbb275d93e043ed24289b4

SHA256
2fbb14fd098f38d807fd134ec8025cfbac26d7f3cd6e13ecfbde607cb3ce22b0

SHA512
63668c99f483399cb019a510f7297cc0fceea7b4ec690d78c6a0165a3011e21c76f667e625d32be2b9f4c288d8bce8fab860bc6f8198a2d988ff44e1f803f1b0

Download Submit
C:\ProgramData\Getscreen.me\nboodcfvpmxmuldkjykyhrcelgqwcep-elevate.exe

Filesize
91KB

MD5
17ce9d3985addc074230b3e498abdaf5

SHA1
6426f249b0812f76839aaeb59e27d03a279802ea

SHA256
105dfc26456a1d1cc7113e28824a3217cbed45ad1c00ed4c6bbfa8d79c3287f3

SHA512
384d3b3afcfa3a1f0e9f12db46e0a6baaac85635ef7d0f86cf6914829d766e66eb42744a17fe0a7f35ad12000fa1b53c06b6da205951d5da151fde04bb1a87ab

Download Submit
C:\ProgramData\Getscreen.me\nboodcfvpmxmuldkjykyhrcelgqwcep-elevate.exe

Filesize
386KB

MD5
bdd0b75d7bc5bdaa23ac1acb87827930

SHA1
d0abb3b4ea2b0d66b7ab65bd621992d16717dc19

SHA256
a4dc7f16f59af4533937237e78503ae26cd4ee62cc46c9d84f434d0983c8edc6

SHA512
d86811948a3bcd2f10296f1738315e36a62a51b202ca4286ff61d8559bdad61b703c640ba60ab65d3ff4b819d61ee15aa0e6dbc3c9980a506a19a61e907cde43

Download Submit
\ProgramData\Getscreen.me\nboodcfvpmxmuldkjykyhrcelgqwcep-elevate.exe

Filesize
407KB

MD5
2b15c3fae41f1e81204b17882805a3fe

SHA1
155531cac8e5d8e9d6da08d0a061a6b3f2053975

SHA256
993537577469ee62618105662dc4cf112bb3ba1a36eeed2879f5e822638801ab

SHA512
d2ac2b71dbccdffadf5a6d8fbd59a9950d76ba1fb544d61433a309d76ec81c6fd5452539fc69b04737d33e54602f20496e442b40eb5aef0c6cd163138d5e7282

Download Submit
memory/2208-62-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2208-58-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2208-20-0x0000000001B70000-0x0000000001B71000-memory.dmp

Filesize
4KB

Download
memory/2208-66-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2208-68-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2208-47-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2208-6-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2208-60-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2208-36-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2208-64-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2208-38-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2208-56-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2208-54-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2208-42-0x0000000001B70000-0x0000000001B71000-memory.dmp

Filesize
4KB

Download
memory/2208-41-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2208-52-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2208-49-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2208-45-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2400-33-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2400-22-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2996-37-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2996-59-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2996-51-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2996-46-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2996-53-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2996-40-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2996-55-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2996-39-0x0000000002A70000-0x000000000430C000-memory.dmp

Filesize
24.6MB

Download
memory/2996-44-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2996-57-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2996-0-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2996-35-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2996-61-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2996-48-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2996-13-0x0000000002A70000-0x000000000430C000-memory.dmp

Filesize
24.6MB

Download
memory/2996-65-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/2996-67-0x000000013F960000-0x00000001411FC000-memory.dmp

Filesize
24.6MB

Download
memory/3044-19-0x000000013F0D0000-0x000000014096C000-memory.dmp

Filesize
24.6MB

Download
memory/3044-43-0x000000013F0D0000-0x000000014096C000-memory.dmp

Filesize
24.6MB

Download