ea9803c5fc03ed3aa0ee5f888a76396e5651ab52aee81493fed76fc6eeb894b2

General

Target

Empresa CE Support.exe
Size

3.8MB
MD5

7c951e0b54b91d3f847d9f368f385512
SHA1

d3d2ecd1e4534922453db61fc594a2004c8be4c2
SHA256

ea9803c5fc03ed3aa0ee5f888a76396e5651ab52aee81493fed76fc6eeb894b2
SHA512

9a72a0ecafa5cc05f7ce674bfafde91f0e81f0754fd4f981ad352916926a560e07334a663bbfdfc1c7794d83433f8b1a9f0c322bb6f230140749694d84b69829
SSDEEP

49152:AvdRiSnf0Ts4Nt+9EMtYOWS0bZCGPsBiAa37INDDCLKbxj3jhE0kcVz+e3Zpzx1J:ai8f4s4itYO1d9iAa37INDDhlElcVFFJ

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1104	wzsaexxxtbbwfegxnahfyvussgfwmnp-elevate.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4352-0-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/1752-3-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/files/0x00070000000231f6-11.dat	upx
behavioral2/files/0x00070000000231f6-12.dat	upx
behavioral2/memory/1104-16-0x00007FF664430000-0x00007FF665CCC000-memory.dmp	upx
behavioral2/memory/1104-15-0x00007FF664430000-0x00007FF665CCC000-memory.dmp	upx
behavioral2/memory/2328-19-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/2328-30-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/4352-32-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/1752-33-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/4352-34-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/4352-35-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/1752-36-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/1752-37-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/4352-38-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/1752-39-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/4352-40-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/1752-41-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/4352-42-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/1752-43-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/4352-44-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/1752-45-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/4352-46-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/1752-47-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/4352-48-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/1752-49-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/4352-50-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/1752-51-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/4352-52-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/1752-53-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/4352-54-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/1752-55-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/4352-56-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/1752-57-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/4352-58-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/1752-59-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/4352-60-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx
behavioral2/memory/1752-61-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Empresa CE Support.exe = "11001"	Empresa CE Support.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Empresa CE Support.exe = "11001"	Empresa CE Support.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2328	Empresa CE Support.exe
2328	Empresa CE Support.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4352	Empresa CE Support.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1752	Empresa CE Support.exe
1752	Empresa CE Support.exe
1752	Empresa CE Support.exe
1752	Empresa CE Support.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1752	Empresa CE Support.exe
1752	Empresa CE Support.exe
1752	Empresa CE Support.exe
1752	Empresa CE Support.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 1752	4352	Empresa CE Support.exe	86
PID 4352 wrote to memory of 1752	4352	Empresa CE Support.exe	86

C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe
"C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe
  "C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe" -gpipe \\.\pipe\PCommand97Empresa^CE^Support -gui
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe
  "C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe" -cpipe \\.\pipe\PCommand96Empresa^CE^Support -child
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2328

C:\ProgramData\Getscreen.me\wzsaexxxtbbwfegxnahfyvussgfwmnp-elevate.exe
"C:\ProgramData\Getscreen.me\wzsaexxxtbbwfegxnahfyvussgfwmnp-elevate.exe" -elevate \\.\pipe\elevateGS512wzsaexxxtbbwfegxnahfyvussgfwmnp
1⤵
- Executes dropped EXE
PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Empresa CE Support\logs\20231211.log

Filesize
685B

MD5
187ed6da5249f01adeef35bbf716f117

SHA1
5def95cef8df1ffd51a0d09556686739bf17a022

SHA256
01f9e505bf9a535b888baf5ba79a10267e81179200d101a21b7a382b75edfa92

SHA512
c04de2a389c40f31fd2c808decec53cb4ffbb214a5e6351207604372c3b82c0d81d7eff64669ed84477e79d6c701f9a1053b0fa3ad1b8b0221d315fd321ab6ce

Download Submit
C:\ProgramData\Empresa CE Support\logs\20231211.log

Filesize
2KB

MD5
0de18d4d737c96fcd2a8425491ae8fc3

SHA1
1c8a566fd11a64f6fcc6e1fcf85f5aa6dc3df800

SHA256
907ca51ee103bbdbc7b5adcbc57c7dc4975a666368ade1ee939c35d108734cc3

SHA512
e6b49d0233e0009f8c2248ca01a2e46518cd021fe5b9db14696020184bb64fa1ae475fdf78fd7ad947aa2c30cad72dac397d111d06903d5d9abd7ebc8eb6a47a

Download Submit
C:\ProgramData\Empresa CE Support\logs\20231211.log

Filesize
267B

MD5
f57c5eda72a151ecc124bd9d7fb2c982

SHA1
44c62df873315d3c4d0a93d82c6e55588dd5a1ea

SHA256
d92b7d817e0ff5fbe5a429594796c3a1f54ecd36fa2b98ff077bfa6a45269455

SHA512
1a3060e3b8c91c3d91df9c67504f4e30dace91f53f5287980ca577710792a507f878fdcf75839a2d9e0f29b245189a260616581803b3433fc2f86eaef2138303

Download Submit
C:\ProgramData\Empresa CE Support\memory\0000pipe0PCommand96Empresa^CE^Support

Filesize
559KB

MD5
c4e0dd526c81f20f88ea1e6232f38ad1

SHA1
9a3c5b64d128ee3f08de9d08f90cd7d862aa527b

SHA256
df2cd615321fc7f171b5086e1bdf5243ec9c8ba8e20d2b2bb8f566ccee7cf213

SHA512
78ee322addc8acced4a0e23de1f986a691546eddd846a43bdb31df8e2fde705c668c638a1e78c0b7e172b72b8141c3aee61bf70817bca2acc47362457e3db1bf

Download Submit
C:\ProgramData\Getscreen.me\wzsaexxxtbbwfegxnahfyvussgfwmnp-elevate.exe

Filesize
403KB

MD5
131bdfab2cebdfa16631c119c14d849b

SHA1
a7c1f4b9d051c1cb501a2cadce82b4d1d24df1a9

SHA256
3d016ed9c951917ff92089c980187408c2e192138bbd8c322f3c5699a579de9e

SHA512
968c4f333d39c39729926269dddc15d9a314f948d5f6347cc0b0f6799ff68deb6e0b62f5be6ebcc758136f2e33f6df7cdd20df8c583802b499b0d5c3534a6352

Download Submit
C:\ProgramData\Getscreen.me\wzsaexxxtbbwfegxnahfyvussgfwmnp-elevate.exe

Filesize
359KB

MD5
aa1b39507957630530f149bf3efd88ff

SHA1
50e29cc693b292e33e86ee546550bd1f7cb23ac1

SHA256
3576813a3d35a793151404fa341b7ec4797c90fc5a09402cde0c438b48669056

SHA512
ca7c9c0bb61c11ee155f91a55afb19f934f30825e2fea373f0c2a0e63369fab98a020a9716924372f87e2087233739f0cd99613b23eb6410bedd0c6c3077950e

Download Submit
memory/1104-16-0x00007FF664430000-0x00007FF665CCC000-memory.dmp

Filesize
24.6MB

Download
memory/1104-15-0x00007FF664430000-0x00007FF665CCC000-memory.dmp

Filesize
24.6MB

Download
memory/1752-61-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/1752-37-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/1752-45-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/1752-49-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/1752-47-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/1752-33-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/1752-59-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/1752-57-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/1752-36-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/1752-3-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/1752-55-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/1752-39-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/1752-53-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/1752-41-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/1752-51-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/1752-43-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/2328-30-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/2328-19-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/4352-40-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/4352-46-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/4352-48-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/4352-44-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/4352-50-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/4352-42-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/4352-52-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/4352-0-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/4352-54-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/4352-38-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/4352-56-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/4352-35-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/4352-58-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/4352-34-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/4352-60-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download
memory/4352-32-0x00007FF671CC0000-0x00007FF67355C000-memory.dmp

Filesize
24.6MB

Download

Analysis

Sharing