5f47ae16a1c3e72e95728815213a3bb5b16145abbc7185b479dd39f1f7fc0239

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a930e926429d1fee94ffcc384e4cf67.exe
Size

1.0MB
MD5

3a930e926429d1fee94ffcc384e4cf67
SHA1

a2361501619953e7af4be0a6745422b6115eb015
SHA256

5f47ae16a1c3e72e95728815213a3bb5b16145abbc7185b479dd39f1f7fc0239
SHA512

03a08ab5660c06a4beebbb7571ad1571e6a0fae7d89edb667e8fb301bbb77badfaf28353aaa96f4df2e02ca278269d9c7cfd4f04496a5fb6f8727a9d145103cc
SSDEEP

24576:70VY6+YCSJQStoVouBGg+n16m0fiGF80TpUrh9DZfZzC:70VSYCSBG3GgwAXf801+NfN

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2336	3a930e926429d1fee94ffcc384e4cf67.exe
2336	3a930e926429d1fee94ffcc384e4cf67.exe
2336	3a930e926429d1fee94ffcc384e4cf67.exe
2336	3a930e926429d1fee94ffcc384e4cf67.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL.EXE	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_EA.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_GA.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_TW.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFEP.EXE	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_BG.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_CA.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_GL.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_HU.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_HU.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_US.CHM	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_GL.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_HR.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWLRES.DLL	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\UNINST.EXE	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\ORDER.HTM	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\FILE_ID.DIZ	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL.EXE	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\BESTELL.HTM	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_CZ.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_NL.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_TW.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\LICENSE.TXT	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWLRES.DLL	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFUSB.DLL	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_DK.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_KR.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_LT.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_MK.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_UA.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_US.CHM	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_FR.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_IT.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_JA.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_KR.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\BESTELL.HTM	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_IT.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_MK.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_RO.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_RU.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\LICENSE.TXT	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_CN.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_PL.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_SP.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_TC.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_TC.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_BR.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_GA.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\ORDER.HTM	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_CA.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_CN.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_PL.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_RO.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_CZ.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_EA.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_LT.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_SE.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFUSB.DLL	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFEP.EXE	3a930e926429d1fee94ffcc384e4cf67.exe
File opened for modification	C:\Program Files (x86)\EF Commander Lite\EFCWL_ES.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_FR.LNG	3a930e926429d1fee94ffcc384e4cf67.exe
File created	C:\Program Files (x86)\EF Commander Lite\EFCWL_LV.LNG	3a930e926429d1fee94ffcc384e4cf67.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\3a930e926429d1fee94ffcc384e4cf67.exe
"C:\Users\Admin\AppData\Local\Temp\3a930e926429d1fee94ffcc384e4cf67.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EF Commander Lite\UNINST.EXE

Filesize
58KB

MD5
39227e25886383396fb11828ef07a664

SHA1
43e061fddd870ebd9661942a6ccb18225aad21cf

SHA256
f00080610cd78234618f3b5177363bbe0d9c4cb24bde226be5e384b0ab359174

SHA512
2bbef96ab7701354674310d615c4e867d7c0b930c9cc1321ae3447310f3239e43395bb975ed4905ccf245112dfac07005bda0dfae75d7c77a51c21a0d1bf9c68

Download Submit
\Program Files (x86)\EF Commander Lite\EFCWL.EXE

Filesize
556KB

MD5
273bd8f354b1584df3577530e0f1fa02

SHA1
89b816e55aed5cde6e75c4e2279de801e3adee72

SHA256
286748352b4585642aad65cb9c324c11f9274e5a98e517206761a91f4a932411

SHA512
1bc283cb85a06041a025a9fde460f442a4445ad5165d9adf1845c7c89df3743c0a37ec3a1eefd0da81cbaeae73846bb67823bd9f4ab6b514ad8fc9540747efe2

Download Submit