Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/12/2023, 16:43
Behavioral task: behavioral1
- Sample: ebae09af0151622f220b7ee8064888d3.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: ebae09af0151622f220b7ee8064888d3.exe
- Resource: win10v2004-20231215-en
General
- Target: ebae09af0151622f220b7ee8064888d3.exe
- Size: 1.7MB
- MD5: ebae09af0151622f220b7ee8064888d3
- SHA1: 6389eee71107af709c1ebb9da83c56f6b85497d6
- SHA256: 84d08bdfdf8412eb1991c35edc00539d55634d9f994af7bb8830deb103da64a9
- SHA512: 301132361cc323a4191888ab19ead3a1795aedb5ee46af9c205fdab69dfbeb3abbe4d6578ce263005bf2ee69e932ece8eb067d24450ed30c4ccfbb0a17b83061
- SSDEEP: 49152:fU6BpvNqcepKVqbwXahdZAD0LcQp/f2RxIfr5:c6neKV0jX2Xa5
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
1464  emPcTW9.exe
3420  Explorer.EXE

Loads dropped DLL (1 IoC)
pid   Process
1464  emPcTW9.exe
resource                                                                      yara_rule
behavioral2/memory/4856-0-0x00000000007E0000-0x0000000000B47000-memory.dmp    vmprotect
behavioral2/memory/4856-1-0x00000000007E0000-0x0000000000B47000-memory.dmp    vmprotect
behavioral2/files/0x000600000002322a-11.dat                                   vmprotect
behavioral2/files/0x000600000002322a-13.dat                                   vmprotect
behavioral2/memory/1464-14-0x00007FF674230000-0x00007FF6742AA000-memory.dmp   vmprotect
behavioral2/memory/1464-12-0x00007FF674230000-0x00007FF6742AA000-memory.dmp   vmprotect
behavioral2/memory/4856-24-0x00000000007E0000-0x0000000000B47000-memory.dmp   vmprotect
behavioral2/memory/1464-22-0x00007FF674230000-0x00007FF6742AA000-memory.dmp   vmprotect
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
description        ioc                                                          Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum    ebae09af0151622f220b7ee8064888d3.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  ebae09af0151622f220b7ee8064888d3.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum    Explorer.EXE
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  Explorer.EXE
Drops file in System32 directory (2 IoCs)
description                   ioc                                   Process
File created                  \??\c:\windows\SysWOW64\lz_scby.txt   ebae09af0151622f220b7ee8064888d3.exe
File opened for modification  \??\c:\windows\SysWOW64\lz_scby.txt   ebae09af0151622f220b7ee8064888d3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid   Process
4856  ebae09af0151622f220b7ee8064888d3.exe
1464  emPcTW9.exe
Drops file in Windows directory (5 IoCs)
description                   ioc                                                      Process
File opened for modification  C:\Windows\SCBYDL\                                       ebae09af0151622f220b7ee8064888d3.exe
File created                  C:\Windows\SCBYDL\cacca45129260643620919a9e451f8a3       ebae09af0151622f220b7ee8064888d3.exe
File created                  C:\Windows\SCBYDL\w2hQBUR.dll                            ebae09af0151622f220b7ee8064888d3.exe
File created                  C:\Windows\SCBYDL\emPcTW9.exe                            ebae09af0151622f220b7ee8064888d3.exe
File opened for modification  C:\Windows\xS2Vp\                                        Explorer.EXE

Modifies registry class (2 IoCs)
description  ioc                                                                                                                          Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                                    Explorer.EXE
Key created  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  Explorer.EXE
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid   Process
4856  ebae09af0151622f220b7ee8064888d3.exe   (this entry appears 10 times)

Suspicious use of AdjustPrivilegeToken (21 IoCs)
description                        pid   Process
Token: SeDebugPrivilege            1464  emPcTW9.exe
Token: 33                          3420  Explorer.EXE
Token: SeIncBasePriorityPrivilege  3420  Explorer.EXE
Token: 33                          3420  Explorer.EXE
Token: SeIncBasePriorityPrivilege  3420  Explorer.EXE
Token: SeShutdownPrivilege         3420  Explorer.EXE   (the following pair of entries appears 8 times)
Token: SeCreatePagefilePrivilege   3420  Explorer.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
3420  Explorer.EXE
3420  Explorer.EXE

Suspicious use of UnmapMainImage (2 IoCs)
pid   Process
3420  Explorer.EXE
3420  Explorer.EXE

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process                               procid_target
PID 4856 wrote to memory of 1464  4856  ebae09af0151622f220b7ee8064888d3.exe  92
PID 4856 wrote to memory of 1464  4856  ebae09af0151622f220b7ee8064888d3.exe  92
PID 1464 wrote to memory of 3420  1464  emPcTW9.exe                           46
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  PID: 3420
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage
  - C:\Users\Admin\AppData\Local\Temp\ebae09af0151622f220b7ee8064888d3.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ebae09af0151622f220b7ee8064888d3.exe"
    PID: 4856
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SCBYDL\emPcTW9.exe (depth 3)
      Command line: C:/Windows/SCBYDL/emPcTW9.exe /runp2p:C:/Windows/SCBYDL/w2hQBUR.dll
      PID: 1464
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 221KB
  MD5: 23941cd38ad33bd42f149f90d3fd4cc0
  SHA1: db169b2db5da6590965c48d573a4036fdedce564
  SHA256: d2eb0c5eff5caa20023871dd779bb6406efda880d8743d27bc2be46d2a854cc8
  SHA512: 67447a26152242b38194e2aab51bbdfd377a2af774a89ce801ac6fc7e15353027859c7edcce3ed3a86268c606a9213f9c9124eede60e1b62171322d3e0c60b2d
- Filesize: 162KB
  MD5: de3d19dde816cca8943d098c861ceb43
  SHA1: a1365f8840277050e75ab9b6078859dcfd91840b
  SHA256: 412d08e4c7ae96db0a6e252cdd2e592479388b652e3c88b06563a4b2dd3c956e
  SHA512: cf9586ae84d9eaa8eca90361ab71348d8a6a1b647f32793ec8ee207d001e6b477d3da2eac476c51d457298412976b19215d7e62036baead524fea74d74756497
- Filesize: 87KB
  MD5: 6d94f59e751c69a34b63fa1cd818fd93
  SHA1: 9cd28e1e4b0292e6bb7bad2240e3db580f01c06b
  SHA256: fc434b3493c84a95942d919bb3cf089aee24dae928e55801340f392c1d7b7750
  SHA512: f87e658ad110c530571605797cce7307f8c5d8f86004d4986d11523ee233671a89597e34c20e7680440428858251b7a877aa753b8c7ca95e4947d789235877e0
- Filesize: 169KB
  MD5: d5bb07276776da60f878cea5128f20d0
  SHA1: 2d9346b2d6ca0599ab6b994b650fe0a47a992a4a
  SHA256: a84f4465d022efb5e77089066de6ca04058d892edf6a98e32f3a25b3f1fd17f2
  SHA512: 0a3f306ad7293849a49aef5747594c6a3f5a4ed6e16be6b63fd67a1e59bca10b2dd414059215e8a3773365308404c63c12849464645e337821e002408dc7a159
- Filesize: 113KB
  MD5: f209c15dbe40df760950815d568ceb41
  SHA1: 99108c048829f3091a56deb6ba0cdd7a9665cda8
  SHA256: b025eb3b48b85c8596e074adea513ffaf9c84b462aafae47d4a61f3972b936cf
  SHA512: 73120e710501b28e22a6b7e1d060083f0de87176d567eb509ab780438c33487b0f97daccae9fd8228a135d7bf7b7c66f490d636bfd4024feb093b994c790fa3c
- Filesize: 189KB
  MD5: 6cfaacc0bfa820a97654c88d357ce002
  SHA1: 2fa2991b6b2cd6063843b5748d0b7cdf1a42505c
  SHA256: 4ee493d20adb4fa7eb58d0ac5a83a6165094aa97729ca6f14804fee2c4115716
  SHA512: 6a0ccd4ac635d7f9de8cd3b28c56e24716cd66a9b373763a98942ecc8869ddae3f2f399a1fc3ea6c48cbec465c61a0fd14827a85003fbc36f75d7178fc817d6c