Analysis
max time kernel: 127s
max time network: 131s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 10-02-2024 11:39
Static task: static1
Behavioral task behavioral1: ElectronR/Electron.exe (resource win10-20231215-en)
Behavioral task behavioral2: ElectronR/WpfAnimatedGif.dll (resource win10-20231220-en)
Behavioral task behavioral3: ElectronR/binkawin.dll (resource win10-20231215-en)
Behavioral task behavioral4: ElectronR/cef_extensions.js (resource win10-20231215-en)
Behavioral task behavioral5: ElectronR/metod 2/loader.exe (resource win10-20231215-en)
General
Target: ElectronR/Electron.exe
Size: 250.0MB
MD5: db98747f25aaa57cdf0c5024edd63ffb
SHA1: 40afd52b14e3564fb3a6d7b8c7da58ad0d0352e2
SHA256: f5648a7be659a5f7e9f1c240aa2f7d512a462b8a5f9b3185ed5e134aebe34ea4
SHA512: 8d3bb0d832cb987db4dde7a400449eda0e166cdb553111f6a54f6493400db9863915d09fdfa69c4e15c551fe7a70e390970668aa6e2e8de2e7a217c3e001456f
SSDEEP: 24576:mus8z4tMW/Sq7ppJbWPPqxQFBRmPEdIS8gHKr0Mi27CBhbX7:xsOtqlpJeqxKBRPtpr27ABL
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  pid 2872  Portable.pif
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
Processes (pid, target pid, process, target process):
  1384  2872  WerFault.exe  Portable.pif
  4652  2872  WerFault.exe  Portable.pif
Enumerates processes with tasklist (1 TTP, 2 IoCs)
Processes:
  pid 2816  tasklist.exe
  pid 3464  tasklist.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid 2872  Portable.pif (6 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege  2816  tasklist.exe
  Token: SeDebugPrivilege  3464  tasklist.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
  pid 2872  Portable.pif (3 events)
Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
  pid 2872  Portable.pif (3 events)
Suspicious use of WriteProcessMemory (30 IoCs)
Processes (pid wrote to memory of target pid; process, target process), each pair logged three times:
  3336 -> 516   Electron.exe, cmd.exe
  516 -> 2816   cmd.exe, tasklist.exe
  516 -> 4984   cmd.exe, findstr.exe
  516 -> 3464   cmd.exe, tasklist.exe
  516 -> 4452   cmd.exe, findstr.exe
  516 -> 4044   cmd.exe, cmd.exe
  516 -> 4704   cmd.exe, cmd.exe
  516 -> 4892   cmd.exe, cmd.exe
  516 -> 2872   cmd.exe, Portable.pif
  516 -> 2852   cmd.exe, PING.EXE
Processes
Image paths are the binaries actually loaded: the cmd.exe launched as "C:\Windows\System32\cmd.exe" runs from C:\Windows\SysWOW64 because the 32-bit Electron.exe is subject to WOW64 file system redirection, so cmd.exe and the utilities it spawns below are the 32-bit copies. The 7ZipSfx.000 directory under %TEMP% is the extraction directory used by 7-Zip self-extracting archives, so the relative names in the batch commands (Wrote, Gas, Hi, Greatest, Tt, Warned, Facility, Philippines, Examination) resolve inside that extraction directory.

C:\Users\Admin\AppData\Local\Temp\ElectronR\Electron.exe (PID 3336)
  command line: "C:\Users\Admin\AppData\Local\Temp\ElectronR\Electron.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 516)
    command line: "C:\Windows\System32\cmd.exe" /k move Wrote Wrote.bat & Wrote.bat & exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\tasklist.exe (PID 2816)
      command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\findstr.exe (PID 4984)
      command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    C:\Windows\SysWOW64\tasklist.exe (PID 3464)
      command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\findstr.exe (PID 4452)
      command line: findstr /I "wrsa.exe opssvc.exe"
    C:\Windows\SysWOW64\cmd.exe (PID 4044)
      command line: cmd /c md 26363
    C:\Windows\SysWOW64\cmd.exe (PID 4704)
      command line: cmd /c copy /b Gas + Hi + Greatest + Tt + Warned 26363\Portable.pif
    C:\Windows\SysWOW64\cmd.exe (PID 4892)
      command line: cmd /c copy /b Facility + Philippines + Examination 26363\p
    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\26363\Portable.pif (PID 2872)
      command line: 26363\Portable.pif 26363\p
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      C:\Windows\SysWOW64\WerFault.exe (PID 1384)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1456
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe (PID 4652)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1428
        - Program crash
    C:\Windows\SysWOW64\PING.EXE (PID 2852)
      command line: ping -n 5 localhost
      - Runs ping.exe

C:\Windows\System32\rundll32.exe (PID 3800)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
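The tree above is a compact staging procedure that can be matched from command lines alone: an extensionless file is renamed to .bat and run, tasklist output is piped through findstr for security-product process names, copy /b joins fragments into a .pif and a companion data file, the .pif is executed with that file as its argument, and ping -n 5 localhost pads the timeline. The following is an added detection example, not part of the sandbox report or its tooling; PROCESS_TREE is a constructed transcription of the report's tree as (pid, ppid, image path, command line) tuples in launch order, and nothing else about the sample is assumed.

```python
"""Detection logic for the fragment-and-run staging chain shown in the process tree.

Added example, not part of the sandbox report. PROCESS_TREE is a constructed
transcription of the report's tree as (pid, ppid, image, command line) tuples.
"""
import re
from collections import defaultdict

# Constructed from the report's process tree, in launch order.
PROCESS_TREE = [
    (3336, 0, r"C:\Users\Admin\AppData\Local\Temp\ElectronR\Electron.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\ElectronR\Electron.exe"'),
    (516, 3336, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k move Wrote Wrote.bat & Wrote.bat & exit'),
    (2816, 516, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (4984, 516, r"C:\Windows\SysWOW64\findstr.exe",
     'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    (3464, 516, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (4452, 516, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    (4044, 516, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 26363"),
    (4704, 516, r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c copy /b Gas + Hi + Greatest + Tt + Warned 26363\Portable.pif"),
    (4892, 516, r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c copy /b Facility + Philippines + Examination 26363\p"),
    (2872, 516, r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\26363\Portable.pif",
     r"26363\Portable.pif 26363\p"),
    (2852, 516, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 5 localhost"),
]

COPY_B = re.compile(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", re.I)
MOVE_BAT = re.compile(r"\bmove\s+(\S+)\s+(\S+\.bat)\b", re.I)
PING_LOCAL = re.compile(r"-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(tree):
    """Walk the tree once and collect the indicators that make up the staging pattern."""
    by_parent = defaultdict(list)
    for proc in tree:
        by_parent[proc[1]].append(proc)

    findings = {"bat_rename": [], "av_check": [], "assembly": [],
                "assembled_exec": [], "ping_delay": []}
    assembled = set()  # basenames produced by copy /b so far (tree is in launch order)

    for pid, ppid, image, cmdline in tree:
        base = basename(image)

        # An extensionless file is renamed to .bat and run in the same cmd /k line.
        m = MOVE_BAT.search(cmdline)
        if m:
            findings["bat_rename"].append((pid, m.group(1), m.group(2)))

        # findstr over .exe names with a tasklist sibling under the same cmd.exe:
        # the batch is checking which security products are running.
        if base == "findstr.exe":
            siblings = {basename(p[2]) for p in by_parent[ppid]}
            names = [n for group in re.findall(r'"([^"]*)"', cmdline)
                     for n in group.split() if n.lower().endswith(".exe")]
            if "tasklist.exe" in siblings and names:
                findings["av_check"].append((pid, names))

        # copy /b joins fragments into a file that never existed on disk as one piece.
        m = COPY_B.search(cmdline)
        if m:
            fragments = [f.strip() for f in m.group(1).split("+")]
            dest = m.group(2)
            assembled.add(basename(dest))
            findings["assembly"].append((pid, dest, fragments))

        # The assembled file is then executed, here with a second assembled file as argument.
        if base in assembled:
            findings["assembled_exec"].append((pid, base, cmdline.split()[1:]))

        # ping -n N localhost is the batch-file way to sleep for roughly N-1 seconds.
        m = PING_LOCAL.search(cmdline)
        if m and base == "ping.exe":
            findings["ping_delay"].append((pid, int(m.group(1))))

    return findings


def is_fragmented_loader(findings):
    """True when a payload was assembled from fragments and executed after an AV check."""
    return bool(findings["av_check"] and findings["assembly"] and findings["assembled_exec"])


if __name__ == "__main__":
    result = analyze(PROCESS_TREE)
    for kind, hits in result.items():
        for hit in hits:
            print(kind, hit)
    print("fragmented loader pattern:", is_fragmented_loader(result))
```

The sibling check matters: findstr alone is noise, and tasklist alone is common admin activity; the two as children of one cmd.exe, with quoted .exe names as the pattern, is the AV probe. The assembled-file check keys on the copy /b destination's basename rather than on the .pif extension, so it also fires when the destination is named .exe, .scr or .com.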
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 924KB
MD5 848164d084384c49937f99d5b894253e
SHA1 3055ef803eeec4f175ebf120f94125717ee12444
SHA256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512 aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Filesize 1.2MB
MD5 528e65e1e3d650999577e6da3c472c68
SHA1 2b682db1c854de88ff312761e4e0968cfb5972bb
SHA256 18c5148029908f7be16be2eb5d99472bb26bc6fc5781bc5e7e6cfceb8325ffa5
SHA512 6f99b957915655b19ebc5efa8516f60ae436d2253b94893966e7279e61c357b2e68d98153522f7115c0f9326194f61b7b36e4d283349f3719e169b3c3c09bdc7

Filesize 361KB
MD5 d683b954389796556a871b4e9b5fd0ca
SHA1 af5565a57860d56f026eb1aeecdbceca3fa806f2
SHA256 74c62bacca7218617d10309451112db79a7525d9e2f811b4b0b03675d5edb103
SHA512 5c217b4d356e7337462c10283a2af8fa9af60d6f810b32bafa0b66aa7a07a0737749d7fc90cdf48d10c764b8a4ce5839b444ffcca2bae1ff2a9c4d25b5e01c1b

Filesize 447KB
MD5 29b4d4a0d9adaa370b145e23869d3b1e
SHA1 19e622023774ccbccdcc4bc897faacaf02934b2e
SHA256 96312e07a3101f9e2b0f5147c19a541e8919fa230205a999f96ea02434803f27
SHA512 8347ece2e1a0c44c7c732ecae19d7673ccfa0e0ba83b9a79d2da1363b418176fe497784b923c681959805a78f1c7cb0199655eb053068a99f8bbd88edd02ccb5

Filesize 255KB
MD5 c8a3569960605d0760396e76fb468359
SHA1 9befd5b49fd99bf1f861aa4eca9d5174ee1f388c
SHA256 61afc1c35e66b0dd1d642ef8f5607695603324a1cda4df52b1453f7e5aa3dd43
SHA512 1f79ced4d09635ab6df22422f8fd40bced14a37000602ccb2f7ae81061612220ccd33f3f5d455edccba725101149a6cad934d1a9eb2def5422e93c6659da01f5

Filesize 158KB
MD5 08734786d96a87ff67208bfea37a174c
SHA1 d6f5ba711169bcf4d29ca0ffee81caf448203cf4
SHA256 eb3b8127bd02ee1f124592f5bf3693cedb898c9465dc3f277ff3f7883a39d0b1
SHA512 5e230f0a6656aa29c480f8f03a56c3978dbccb91afe5ebe57d60d858244054f7a3535d6d4c7374c75cee3a8989d69c8c3f0e077aff6b6edd4376afd87f5269ad

Filesize 129KB
MD5 746cceed20f0a245bb68e83a1fb85c24
SHA1 53f41ef24cc5e16aa578327f05e32b55bf4da178
SHA256 ab5f2634377cb2038e9c1771ff7c79efa1387d829f9477c82f0fd5bec81d19bb
SHA512 49dc1914e09b1cd8a61c944f3b65051868630d63b75ebc57ada4a113cd7f2b51b0d5a89ec95860c9fa8a5ae6684f7537865de96a64c284660c787de4e788fdb3

Filesize 446KB
MD5 9ae6eff2ff0cbe4f86ad73b6947735a2
SHA1 40b276864d298b5d7501d4533952666cb857ff5d
SHA256 12f53e5b91579112cfcf9fc608ffca2fe23c64fc054db2218bf612b952034206
SHA512 8175300f8d67dcbef65a7d4f9096df234fefa1f5ca7e5028bdb1b5902bed06f35252cdc40872175f1e11639d86f26fe227798defcab707b248e1c6ccec712bf5

Filesize 141KB
MD5 2dd793cf664294992a3c507b075d03a7
SHA1 ec24ab070e911b9d87efad7e56fa6f049c20764f
SHA256 18bdb7ef83fa5394d7b600cb374a4ebaaebb3ec91823093d46d163d64b501baf
SHA512 eacb8043da1bc390b76822f9a73aaa831476e0b0f6e6cb8e8843ffe612314eb390d441f2460f61e7e9b7314b004982859553da303d272b089159da95b7db8567

Filesize 241KB
MD5 b970e49a663ec8658eef87d7229d0dae
SHA1 c6ed196e268aef284d3bd01660fd1d0e459211bb
SHA256 189d61ff27e4b697c71029992ab68fd1163449eb30d23e5e056cb7e3ebf4354b
SHA512 4d7a7d282a78cbb578806fd9aa38f0f93d8bb7ec3ae6840786ca1388951c1f1aa103838000de54d998d693e2a4addfcd6a6976928ae0e929aed2e544b496e299

Filesize 11KB
MD5 dd132c1ee49e593d1a79a83821f6249d
SHA1 1dcd1090567438d2c9688f39e13b6fa09c07f4e4
SHA256 c2556187454ede05fd7695c9e0ac0b7a276019aaca9767ae90ee0406c0b2f9c9
SHA512 0011ed581f7d16afab56a093b3169c6f88c6e763cfe0d6c50548a13fce5c70fc89e60a51f4cbc7713e5a6ea9bd76a189ff59932fd1687d00e0466a9449b35807
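The dropped-file list does not say which entry is the Portable.pif or the p that the copy /b commands in the process tree produced. An analyst with the 7ZipSfx.000 extraction directory can settle that offline by replaying the two copy /b commands byte for byte and comparing the SHA-256 of each result with the list above. The following is an added example, not part of the report: the two COPY_COMMANDS are the command lines from the process tree, REPORT_SHA256 holds the SHA-256 values listed under Downloads, and FAKE_FRAGMENTS are constructed placeholder bytes standing in for the real files Gas, Hi, Greatest, Tt, Warned, Facility, Philippines and Examination (so the placeholder run is expected to match nothing).

```python
"""Replay the copy /b assembly offline and compare the results with the report's hashes.

Added example, not part of the report. FAKE_FRAGMENTS are constructed stand-ins;
call check_against_report() on the real extraction directory to use the real files.
"""
import hashlib
import os
import re
import tempfile

# Command lines copied from the report's process tree.
COPY_COMMANDS = [
    r"cmd /c copy /b Gas + Hi + Greatest + Tt + Warned 26363\Portable.pif",
    r"cmd /c copy /b Facility + Philippines + Examination 26363\p",
]

# Constructed placeholder contents, not the sample's fragments.
FAKE_FRAGMENTS = {
    "Gas": b"MZ" + bytes(range(64)),  # 66 bytes
    "Hi": b"\x00" * 100,
    "Greatest": b"A" * 37,
    "Tt": b"\xff\xfe",
    "Warned": b"end",
    "Facility": b"part1",
    "Philippines": b"part2",
    "Examination": b"part3",
}

# SHA-256 values of the dropped files listed under Downloads.
REPORT_SHA256 = {
    "f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3",
    "18c5148029908f7be16be2eb5d99472bb26bc6fc5781bc5e7e6cfceb8325ffa5",
    "74c62bacca7218617d10309451112db79a7525d9e2f811b4b0b03675d5edb103",
    "96312e07a3101f9e2b0f5147c19a541e8919fa230205a999f96ea02434803f27",
    "61afc1c35e66b0dd1d642ef8f5607695603324a1cda4df52b1453f7e5aa3dd43",
    "eb3b8127bd02ee1f124592f5bf3693cedb898c9465dc3f277ff3f7883a39d0b1",
    "ab5f2634377cb2038e9c1771ff7c79efa1387d829f9477c82f0fd5bec81d19bb",
    "12f53e5b91579112cfcf9fc608ffca2fe23c64fc054db2218bf612b952034206",
    "18bdb7ef83fa5394d7b600cb374a4ebaaebb3ec91823093d46d163d64b501baf",
    "189d61ff27e4b697c71029992ab68fd1163449eb30d23e5e056cb7e3ebf4354b",
    "c2556187454ede05fd7695c9e0ac0b7a276019aaca9767ae90ee0406c0b2f9c9",
}

COPY_B = re.compile(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", re.I)


def parse_copy_b(cmdline):
    """Return (source names in order, destination) from a 'copy /b a + b dest' line."""
    m = COPY_B.search(cmdline)
    if not m:
        raise ValueError("not a copy /b command: " + cmdline)
    return [s.strip() for s in m.group(1).split("+")], m.group(2)


def reassemble(cmdline, workdir):
    """Replicate the copy: plain concatenation in the listed order, relative to workdir.

    /b is what makes this a faithful binary join; a text-mode copy would stop at
    the first 0x1A byte in a source and append one to the result.
    """
    sources, dest = parse_copy_b(cmdline)
    dest_path = os.path.join(workdir, *dest.split("\\"))
    os.makedirs(os.path.dirname(dest_path), exist_ok=True)  # the tree ran 'md 26363' first
    with open(dest_path, "wb") as out:
        for name in sources:
            with open(os.path.join(workdir, name), "rb") as frag:
                out.write(frag.read())
    return dest_path


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    with open(path, "rb") as f:
        return sha256_bytes(f.read())


def check_against_report(workdir, commands=COPY_COMMANDS):
    """Rebuild every destination; report size, SHA-256 and whether the report lists it."""
    results = {}
    for cmd in commands:
        path = reassemble(cmd, workdir)
        digest = sha256_file(path)
        results[os.path.basename(path)] = {
            "size": os.path.getsize(path),
            "sha256": digest,
            "in_report": digest in REPORT_SHA256,
        }
    return results


def demo(fragments=FAKE_FRAGMENTS):
    """Write the placeholder fragments to a scratch directory and run the check there."""
    with tempfile.TemporaryDirectory() as work:
        for name, data in fragments.items():
            with open(os.path.join(work, name), "wb") as f:
                f.write(data)
        return check_against_report(work)


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

With the real fragments, a hit in REPORT_SHA256 ties a Downloads entry to Portable.pif or p; a miss with the real files would mean the sandbox hashed something other than the concatenation (for example a file modified after assembly), which is itself worth noting.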