cdadb51628834d8bf40d9a276f9936a1fb98c4de1faa71ab1d7523544d7b9d3f

Analysis

max time kernel
104s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eulean.exe
Size

258KB
MD5

1b3b04e73ec90d7a8ddd32594d9b2665
SHA1

278ec0777c849043d5795b32313c2bacf016b0a0
SHA256

cdadb51628834d8bf40d9a276f9936a1fb98c4de1faa71ab1d7523544d7b9d3f
SHA512

dad41af70e6ce4aca5579a2a103e7a34584bb358431b0aad238e70ed36c93fd23c78da1095541356a6784fb91f846ef5442173cbdc86c2ae146afbd59c2ad0cd
SSDEEP

6144:HnQ4i55KyoV2c4xWt5iywJvF1yWy1rohMzmSn:HIAlV2cUW0JGnJoW5n

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1096	eulean.exe
3612	eulean.exe
628	eulean.exe
4260	eulean.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
1096	eulean.exe
1096	eulean.exe
1096	eulean.exe
1096	eulean.exe
1096	eulean.exe
1096	eulean.exe
1096	eulean.exe
1096	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe

Modifies system certificate store 2 TTPs 6 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\6C7165048475EECB145FD65712BA8C8292B2FF45\Blob = 02000000000000006c0000001c000000000000000100000020000000000000000000000002000000390038003000660030003500350037002d0064006400310033002d0034006200340061002d0039006200640032002d0061003400650036006200300038003900650034003700380000000000000000002300000000000000140000006c7165048475eecb145fd65712ba8c8292b2ff45	eulean.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys	eulean.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\ACA8CB49A4A7D366FD2A633B0D4F02280CEC96E3	eulean.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\ACA8CB49A4A7D366FD2A633B0D4F02280CEC96E3\Blob = 02000000000000006c0000001c000000000000000100000020000000000000000000000002000000390063003300620033006100300033002d0066006200360033002d0034003500620035002d0039003700380030002d003300310061006100370031006400300064003000660032000000000000000000230000000000000014000000aca8cb49a4a7d366fd2a633b0d4f02280cec96e3	eulean.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys	eulean.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\6C7165048475EECB145FD65712BA8C8292B2FF45	eulean.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
4944	PING.EXE
4436	PING.EXE
2072	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1096	eulean.exe
1096	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe
4260	eulean.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
852	eulean.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1096	eulean.exe
4260	eulean.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1096	852	eulean.exe	86
PID 852 wrote to memory of 1096	852	eulean.exe	86
PID 852 wrote to memory of 4200	852	eulean.exe	87
PID 852 wrote to memory of 4200	852	eulean.exe	87
PID 4200 wrote to memory of 2072	4200	cmd.exe	89
PID 4200 wrote to memory of 2072	4200	cmd.exe	89
PID 1096 wrote to memory of 3612	1096	eulean.exe	90
PID 1096 wrote to memory of 3612	1096	eulean.exe	90
PID 3612 wrote to memory of 628	3612	eulean.exe	97
PID 3612 wrote to memory of 628	3612	eulean.exe	97
PID 3612 wrote to memory of 4552	3612	eulean.exe	96
PID 3612 wrote to memory of 4552	3612	eulean.exe	96
PID 4552 wrote to memory of 4944	4552	cmd.exe	98
PID 4552 wrote to memory of 4944	4552	cmd.exe	98
PID 628 wrote to memory of 4260	628	eulean.exe	99
PID 628 wrote to memory of 4260	628	eulean.exe	99
PID 628 wrote to memory of 4416	628	eulean.exe	101
PID 628 wrote to memory of 4416	628	eulean.exe	101
PID 4416 wrote to memory of 4436	4416	cmd.exe	102
PID 4416 wrote to memory of 4436	4416	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\eulean.exe
"C:\Users\Admin\AppData\Local\Temp\eulean.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\eulean.exe
  "C:\Users\Admin\AppData\Local\Temp\eulean.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\eulean.exe
    "C:\Users\Admin\AppData\Local\Temp\eulean.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\eulean.exe_tmp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\eulean.exe
      "C:\Users\Admin\AppData\Local\Temp\eulean.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:628
    - - C:\Users\Admin\AppData\Local\Temp\eulean.exe
        
        "C:\Users\Admin\AppData\Local\Temp\eulean.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4260
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\eulean.exe_tmp"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4416
      - C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        6⤵
        Runs ping.exe
        
        PID:4436
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\eulean.exe_tmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

Filesize
1KB

MD5
81713e4217ff98ad21d900da98522981

SHA1
ee356fe9f2dbd96ca84f049b9d31682aacd363c8

SHA256
039402744510650cbf58c0607c29c66f57db13fa6ebefc7f5e1dec8463d7f938

SHA512
b4c4753254bb48aaf1a3ec0c26fabcf7a792303b2220ab58d36b9d89c83954423d96ed3fd584ee61cded2b607456ae3411e80327c2ed11dc276612ee827d50b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
a76bafe68800e5197aaec9095e9f0897

SHA1
291605d788932972834e518d8e23195c2b7fb42b

SHA256
6e3200dc66c566ce62ae26a54221736c513acf84f7cb58d25d43e84c3ecc9b4f

SHA512
64e5be059871f9799088520a1567dc590e411eb7f708f599cc90608e06c6e8f7c6cf3d221d8d00170581894137428dfd2dcb0735e4569b4cc47365c5ebe706ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
e7a2d3288bbe86676658bf87f5fe5973

SHA1
fc123c9a6d5fdf32acce6d063cf8280737775b5f

SHA256
2a27b8f4855b7e380d8e8e88a288129c9435237055572c3fd9eaceed525eef6f

SHA512
023568c5d57a72c7939ec4cfc63dc906f0f58fe52284ef69dc574c07a2e6387b2b35b965cfca6a822f82bf039a8deed8ef06ee87d40ad0c3652a41fbf75e065c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

Filesize
438B

MD5
58183396b6755a500d3f01e20567bc59

SHA1
bc72d96ef7cf1401ba56ac397e1ba0869e559f14

SHA256
5dfe4c4cb693000d136596650b12a7c5bf89d29f6e56cbeed349d9ab0b6e9f5a

SHA512
999a7ff32f57be89eeaffef067d6e21eaef3b5e7f3bbef4d41ebcc21f1503b5c78b3f02e7dbe5c4e8f6f7ca75f503370c8184b8dae90e0cdc25f4545ded940d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
bb8008300116ba76fe2e0874b87bb646

SHA1
aa3ba8045775c9eef8fbe3f8a41a0e0fc02db526

SHA256
b396a5cd3cbed31727de5258dadf58a9170458b6576f018fe9fdb632b0c14b30

SHA512
bf27568c14ac5a905d8067c24a2c8d003c7d7d4b8e8b67d2c13c3b2266a96e05588c70ab6d7e2c68b468b1881cd7260ab4b5ba395df6eeef2f74817b973aaf15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
1c782015fa52e03b1973a1fde5214685

SHA1
71225e973acdea6bf3a6347bea7c799c6f77fb13

SHA256
1ed92d3baccde767231f9a3e18f68c7f52705e2a4cff167bac70e5f7a706f96c

SHA512
85e0685e4581685b4e71f247e810d9cb2ba5779dc8c3a561cc98335458b4cda22dc6bb309a8ee3fbfa73cb3b985a08be54c7e447e0ef1b4bcede443feaf3fff3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QPBAQNGM\loader_prod[1].exe

Filesize
86KB

MD5
070f50ec995033516b639c9408f18cb9

SHA1
56b6f7dab1b43f2e619ada413e7ec98778ff037f

SHA256
ecd11d02fdb058c0425ffb018e37857fe777c0670ebbefaae906a26223a2281f

SHA512
14a89b0ac3a149b7143b9b2fbf368d002dfd8d9a7843e877c2474cffe28ba26489e9eb9bcfd5190a5bfe2c0887221d099673e8eecc1684d5647538baba34f1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eulean.exe

Filesize
7.9MB

MD5
4addf56ca23671625c35a89f3acf6aab

SHA1
4af19b6dcd4c0f0a48bbd9613593cdea8755b5a9

SHA256
4effcbf0a19f596455b14397c6dd7179e802482f5a5e79db313cf2f9c8df125c

SHA512
09189c8a7873f69d6cee4ca4635be48e3f9fe429b9b15012f356d897417d82ffabf82155da6a1217b8b883b42fc37843cc4bf3113ce7f0c2f72a31d74319e4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eulean.exe

Filesize
8.4MB

MD5
5c13478e82c44d0c6eef34255ab00dc1

SHA1
b91c1c9c8836a7a0bfa1548e372282b4643977b1

SHA256
56e73c143a8768714a496b9251ccd1db3e0622d2fa96a32f7bc42b4a9c103871

SHA512
e2f72ace7d8bfcb9b7d25e8db21be5b25c27317bba25e6f5b696cd1504c436b418c68d747262a92239212b1cb74099aef69e1849beb0a07adfc22a781636d8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eulean.exe

Filesize
250KB

MD5
f34ed34924d2eb8aa673ea4a2229056d

SHA1
562388b6ad4d3459b1baa0bf9904261435b25faf

SHA256
e0e5b48793176d15a6418e6d0e35fc42f00eec096ce3b97e7bdce8d5e9c7a338

SHA512
650634472b5ba8c64bba96a1c27ca0aec0590029732398cbf31fd86b817980e81df307f72c282be22864be2ca38a1db622e02d25aaf38f8d2ef7a9d51d8cf2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\eulean.exe

Filesize
2.0MB

MD5
a61045522a6ad25052725ebb12f1fdca

SHA1
72febe830a3464d6601017d5c6534a10f5feb288

SHA256
c35b12e4c43d8ba56993cb08298d8bcafa280b1947efbe7926439e4a946f0f6a

SHA512
d70c20018ae2526b809bc25840e0d7de2795868d0e472256470b1ae27be812439dcbb143f25ed48cc1606728b10e58edd759626be877f8e940c0708e0e5bdf82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eulean.exe

Filesize
1.5MB

MD5
704edf338488a19666a23026d082c661

SHA1
5cc0aa6c2ab2d9c99057c72f4bb3533329e1a47f

SHA256
0bd3d36e3b9c34365b1a288a6756e10c60f273b1d9df6f7f558f98778d1d276f

SHA512
b3fe0308c05b6f73639ef435f641be20a6df44e421e7ad36f9c0f0d75992b222c597df10096a43e502246c7294c543a93cfbef2b8a0cb3e5748b2779b480158f

Download Submit
C:\Users\Admin\AppData\Local\Temp\stuff3.tmp

Filesize
8.9MB

MD5
463656f9a9c297a697f77643b45860a7

SHA1
f36b153a55966429be12a3bc736e1839bb710a3f

SHA256
b359ff9d5cbfc0b28172e26bd08aa43e4cce7a63be8af333ee5d8517dcff847d

SHA512
5c8d793ef9d5f8033b1d0c4979291fc676aff6971647302f219ec88017e750bba577957fd85e967416a72394d2bce3882180e703378d7b40b2599b348c57b7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\stuff3.tmp

Filesize
405KB

MD5
a90e5a9f288d9f4c5635a7d7f00642b6

SHA1
dfa3e3e8bb23fcca2ae2da035812447e5024013a

SHA256
509e55145fa98f68b256cb775bcc25c0e16856424be4bb01a33101f5a243e908

SHA512
f90bcefc8cfb64902b7371bc525a9a656eb5fd2fd15b817cfaa91c2a5e69d15e9a4185c9be5b021d27fa2f52db4de1786b24894508f855c1659a033067197c10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\3942961AE1A0ABA4D9C600CC4F722524006FCE33

Filesize
984B

MD5
8c0bc7c0090f189ff9ceb380705901c1

SHA1
12b4d4ac36a2cdf4ed012673bf41ca037fa796f4

SHA256
8f9b6eb2ad0d930b48d2394f4a2271a519c55fd7623952df5af23a3bc3c6729f

SHA512
659ab2e13a76ccae9e1c31d422b2a5deced17a4f92cd80458bfbb5cf5f27e6241a58bc3ed2ae3ef48cd0ef81f00c35bcf86a8cdf44da0dc83d298b48d42d73cd

Download Submit
memory/628-73-0x00007FF60B010000-0x00007FF60B056000-memory.dmp

Filesize
280KB

Download
memory/852-22-0x0000000140000000-0x0000000140048000-memory.dmp

Filesize
288KB

Download
memory/1096-27-0x0000000140000000-0x00000001423DE000-memory.dmp

Filesize
35.9MB

Download
memory/1096-26-0x00007FFE59480000-0x00007FFE59482000-memory.dmp

Filesize
8KB

Download
memory/1096-25-0x00007FFE59470000-0x00007FFE59472000-memory.dmp

Filesize
8KB

Download
memory/1096-24-0x0000000140000000-0x00000001423DE000-memory.dmp

Filesize
35.9MB

Download
memory/1096-48-0x0000000140000000-0x00000001423DE000-memory.dmp

Filesize
35.9MB

Download
memory/4260-76-0x00007FFE59480000-0x00007FFE59482000-memory.dmp

Filesize
8KB

Download
memory/4260-121-0x0000000140000000-0x0000000142DD2000-memory.dmp

Filesize
45.8MB

Download
memory/4260-77-0x0000000140000000-0x0000000142DD2000-memory.dmp

Filesize
45.8MB

Download
memory/4260-75-0x00007FFE59470000-0x00007FFE59472000-memory.dmp

Filesize
8KB

Download
memory/4260-90-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/4260-91-0x00007FFE58900000-0x00007FFE589BE000-memory.dmp

Filesize
760KB

Download
memory/4260-92-0x00007FFE581C0000-0x00007FFE58361000-memory.dmp

Filesize
1.6MB

Download
memory/4260-93-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/4260-96-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/4260-99-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/4260-102-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/4260-115-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/4260-118-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/4260-78-0x0000000140000000-0x0000000142DD2000-memory.dmp

Filesize
45.8MB

Download
memory/4260-122-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/4260-125-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/4260-128-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/4260-131-0x0000000140000000-0x0000000142DD2000-memory.dmp

Filesize
45.8MB

Download
memory/4260-132-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/4260-135-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/4260-157-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/4260-160-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/4260-163-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/4260-166-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/4260-169-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download