Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/02/2024, 20:24
Static task: static1
Behavioral task: behavioral1
Sample: embergen-latest (1).exe
Resource: win7-20240221-en
General
Target: embergen-latest (1).exe
Size: 78.9MB
MD5: bd7a01f57a51c6486e41e93f6891d7d7
SHA1: 85ea3c5da3ce98f5ece9c4e6dcd826ea67b97cb3
SHA256: 137f77db24ac5102a538f116472e93100f74df425b2352f0274ae36197cc1326
SHA512: f470aa2766906a8983d413df15a42231887e67c9141370b012e86f17714cb5effdd4be0aa66b4a19785bf525e97935cb3cccc0363fbbf98b9f9c7c6bcea8d75e
SSDEEP: 1572864:9Gea93Dn7mSa6zfdQPpy78WVukd8AWg44YUQveLIfv:9Mr7mlOAPiufTHUqeUv
Malware Config
Signatures
resource                                                                      yara_rule
behavioral2/files/0x000600000002323d-341.dat                                  upx
behavioral2/files/0x000600000002323d-431.dat                                  upx
behavioral2/memory/4860-438-0x00007FF6AFFF0000-0x00007FF6B2A1C000-memory.dmp  upx
behavioral2/memory/4860-443-0x00007FF6AFFF0000-0x00007FF6B2A1C000-memory.dmp  upx
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 64 IoCs
description                   ioc                                                              Process
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-IHI9D.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-TIJHJ.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-7SSHD.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\is-A31NH.tmp                  embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-60AQU.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-N5M8H.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-8DADC.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-U7SFI.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-7AOLL.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-IUU69.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-T4EKV.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-BR8R2.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-4D745.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-GM9C9.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-0E896.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-JH9DM.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-6TI55.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-30P2O.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-C7GAP.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-19Q6N.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-URKK5.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-EDGK7.tmp    embergen-latest (1).tmp
File opened for modification  C:\Program Files\JangaFX\EmberGen\EmberGen.exe                  embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-LD98I.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-S1SAS.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-HL5PC.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-2MJ4P.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-M5NFE.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-FMPPD.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-5C43A.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-NK5IB.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-CLG01.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-5QNC0.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-NMQ9F.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-G1EEN.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-CJ4BD.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\templates\is-D7HQ8.tmp        embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-5948B.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-BJT9M.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-6644D.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-5KN4A.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-TH3MD.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-Q26JP.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-FOCVD.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\meshes\is-IIM01.tmp           embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-T63IT.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-CHS7R.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-9969F.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-228PD.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-CUR9H.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-2L4SN.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-HGH6O.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-GNCLE.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-5DJP0.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-4TJCP.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-HG7EQ.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-S78MH.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-8FNER.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-IG50Q.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_1_0\is-DGFLC.tmp    embergen-latest (1).tmp
File opened for modification  C:\Program Files\JangaFX\EmberGen\TurboFloat.dll                embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-0OJ95.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-7CQVR.tmp    embergen-latest (1).tmp
File created                  C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-59KB2.tmp    embergen-latest (1).tmp
Executes dropped EXE 4 IoCs
pid   Process
536   embergen-latest (1).tmp
1248  VC_redist.x64.exe
2576  VC_redist.x64.exe
4860  EmberGen.exe
Loads dropped DLL 3 IoCs
pid   Process
2576  VC_redist.x64.exe
4860  EmberGen.exe
4860  EmberGen.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
536  embergen-latest (1).tmp
536  embergen-latest (1).tmp
Suspicious use of FindShellTrayWindow 1 IoCs
pid  Process
536  embergen-latest (1).tmp
Suspicious use of WriteProcessMemory 11 IoCs
description                       pid   Process                  procid_target
PID 1644 wrote to memory of 536   1644  embergen-latest (1).exe  90
PID 1644 wrote to memory of 536   1644  embergen-latest (1).exe  90
PID 1644 wrote to memory of 536   1644  embergen-latest (1).exe  90
PID 536 wrote to memory of 1248   536   embergen-latest (1).tmp  94
PID 536 wrote to memory of 1248   536   embergen-latest (1).tmp  94
PID 536 wrote to memory of 1248   536   embergen-latest (1).tmp  94
PID 1248 wrote to memory of 2576  1248  VC_redist.x64.exe        96
PID 1248 wrote to memory of 2576  1248  VC_redist.x64.exe        96
PID 1248 wrote to memory of 2576  1248  VC_redist.x64.exe        96
PID 536 wrote to memory of 4860   536   embergen-latest (1).tmp  97
PID 536 wrote to memory of 4860   536   embergen-latest (1).tmp  97
Processes
C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe
    "C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe"
    PID: 1644
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp
        "C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp" /SL5="$400E2,81894518,832512,C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe"
        PID: 536
        - Drops file in Program Files directory
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe
            "C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe" /install /quiet /norestart
            PID: 1248
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            C:\Windows\Temp\{02A7ED19-B25A-402E-B565-F27C9AE92F1F}\.cr\VC_redist.x64.exe
                "C:\Windows\Temp\{02A7ED19-B25A-402E-B565-F27C9AE92F1F}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart
                PID: 2576
                - Executes dropped EXE
                - Loads dropped DLL

        C:\Program Files\JangaFX\EmberGen\EmberGen.exe
            "C:\Program Files\JangaFX\EmberGen\EmberGen.exe"
            PID: 4860
            - Executes dropped EXE
            - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 16.3MB
MD5: 09549bc0868ba15007f508298c2a30fc
SHA1: dc11bd53a19acd96e9a9e33611fbe86e28fb153d
SHA256: cef745b71e4e2a187f4286aee5e04f0bdb60dfc3b57a4180de1c803463487c1f
SHA512: 6c710717b3a36c488b972619e119b551a71a6850614e40c919248b4bdb62cf53d71543697557d577961f337f263a122b4d844a52936030f519d3458e96555190

Filesize: 13.6MB
MD5: 4fca2bb96115a5734b6175db1b7c30b7
SHA1: 9d197229f8ad6b114eff4746ebe5319208c1cbb4
SHA256: 20c6a765e64f43bda6470a5ec45b07aaa65eb1ebdda4459f6c881526420ebd4e
SHA512: 75e4193590e8413774115a66f5e4be0bd42ab31115737221b0ec13c02c776e5e61fd78f0fd72cdef124182693f68e8871af8497858f40d501f10ed0c4876adde

Filesize: 1.3MB
MD5: 5bbec33f549e9e44389be11ceb3c3f02
SHA1: 3aeb71f10f5fa8b5df59358e0c6e3b7a21a23217
SHA256: f53487d184b268f5ddcecff98c2f62e5141ec0030b54a65f02cc4e7057d5c7ad
SHA512: 91df575a850276d9eb4aa19ff32b74e4947a5b5836ee874a95a793603aef3330e7b73e1cca43cfcc432558800f46749e9bb51cb9504847c98e85fdcb81bbe571

Filesize: 1.2MB
MD5: e63679298cbf7273e4ac8f4bf720f68a
SHA1: b4ef94f680090e17b46ed1b4f1d3ebc4ee9bf7ea
SHA256: 1475605b46351616689811a3fbcbbaae1bb40b62612986edfbae5e05df096963
SHA512: 892e6256d4eaa1e6d31d06b33729def3eb8abfccf2b345dc717ff540a27987956a67bcbf7ad159879ee516beeb2b532676cc220c32f2f36d4cdff37ab470770f

Filesize: 24.0MB
MD5: 291e0c486cbe22cb000c5e541c9e8317
SHA1: 64e813bb9024a8e8d5aa64ee20e0d13de97ec7fd
SHA256: 9b9dd72c27ab1db081de56bb7b73bee9a00f60d14ed8e6fde45dab3e619b5f04
SHA512: 666da980e006648c8ea5eb09ed1d8bafb59bb8c8e798d18bd1c9b1f523237bb7c0d5937813a34ab37f6e0daefe8f2baf9373b73c0c9262fe3a1d88c0f4eae611

Filesize: 3.1MB
MD5: dd31b033b30ec195841653d64d5398df
SHA1: 7c8c4df7ab82b20e8cf35a52f4258898fb1d6725
SHA256: 25215efe760b7d32480816783dd80c85e315244c29af3b316a2bc6f342390599
SHA512: 3b4d13bd873b62658f4c19d25b17cb5fd1e9888fe74a9ff6e61d31e07ce9c388cf4d7c51f73991d7819ebe0ba6e49ad386793d460bb9ae354d0e580055c5380f

Filesize: 633KB
MD5: 7f28c88875700454d8fb733341658edd
SHA1: 434159872b168112b86e91cf84f4d9d545ab0410
SHA256: 92d6a54089399fab9f00f25ccf568bdc2f4838aefbf37d51bc1ac94ed41508b9
SHA512: 7b0d332ef78506e116ad620eb34424d7ca168822f768c30fe54a55168075e88d9fb40f1c4eb02498c3379843f50ac79bcc3d42a77b82d6157bfbd3fc4bd462fb

Filesize: 1KB
MD5: d6bd210f227442b3362493d046cea233
SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Filesize: 191KB
MD5: eab9caf4277829abdf6223ec1efa0edd
SHA1: 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256: a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512: 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2