5dae1887c9219823ef4465936e5b45137132eb48fb0dc2197a54ee2e31f0dbdb

Analysis

max time kernel
1800s
max time network
1802s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23/02/2024, 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

elol.exe
Size

214KB
MD5

faba0d141987f243c5996bacbde9c24a
SHA1

5059d4e64df99075da4b0dd75290ae0d504ef2d6
SHA256

5dae1887c9219823ef4465936e5b45137132eb48fb0dc2197a54ee2e31f0dbdb
SHA512

9e478196cf230ce41982014206bd5c683814620a2b60560e5b4354f818c6842163fc33fb5cdbb1bbae602078f6d6ca2a6bd75ec50adb39049ba38e4fd90a3e9c
SSDEEP

6144:6Iz9zjvM92B+64kQ2EJam2dNREz9FdOZMJwGuE4QyZom8exsrPR5TE7D0XuDTTo6:6INs2B+64kQHam2dNREz9FdOZMJwGuEu

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	elol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url	elol.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	elol.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	ff1ffef9fae342449b161a9392c55326.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\elol.exe\" .."	elol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\elol.exe\" .."	elol.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	0.tcp.eu.ngrok.io
10	0.tcp.eu.ngrok.io
27	0.tcp.eu.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
4028	TASKKILL.exe
648	TASKKILL.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings	ff1ffef9fae342449b161a9392c55326.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-647252928-2816094679-1307623958-1000\{27F561C5-6409-4417-A261-2BB6B627D9A1}	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe
2160	elol.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2160	elol.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	elol.exe
Token: SeDebugPrivilege	648	TASKKILL.exe
Token: SeDebugPrivilege	4028	TASKKILL.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe
Token: SeIncBasePriorityPrivilege	2160	elol.exe
Token: 33	2160	elol.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 4028	2160	elol.exe	81
PID 2160 wrote to memory of 4028	2160	elol.exe	81
PID 2160 wrote to memory of 4028	2160	elol.exe	81
PID 2160 wrote to memory of 648	2160	elol.exe	82
PID 2160 wrote to memory of 648	2160	elol.exe	82
PID 2160 wrote to memory of 648	2160	elol.exe	82
PID 2160 wrote to memory of 2864	2160	elol.exe	98
PID 2160 wrote to memory of 2864	2160	elol.exe	98
PID 2160 wrote to memory of 2864	2160	elol.exe	98

C:\Users\Admin\AppData\Local\Temp\elol.exe
"C:\Users\Admin\AppData\Local\Temp\elol.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM cmd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Users\Admin\AppData\Local\Temp\ff1ffef9fae342449b161a9392c55326.exe
  "C:\Users\Admin\AppData\Local\Temp\ff1ffef9fae342449b161a9392c55326.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:2864
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS"
    3⤵
    - Enumerates connected drives
    - Modifies registry class
    PID:1000

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004DC
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
128KB

MD5
47e00da9a0c06c61ec5dff2fc9fe6dc6

SHA1
c8bba8363dafee1265075162104cb860834152a7

SHA256
a5f2527a1adc9ada55bb0daa29ed96f3974eeeac2099e1000d7f11fceaafaec6

SHA512
609330ce4556611272994cd463ff70bad83eed573d55844d38ba02487d701f5813ffa5c89c97b923617396e8d7410fe1f5d6fb72c859798c1239c923e6d3045f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff1ffef9fae342449b161a9392c55326.exe

Filesize
417KB

MD5
ce016dac7becf882e7f17190457ee568

SHA1
f2b1262fa3f78de8cc88062a36e98ce4e50e8967

SHA256
c0a140b3a484617da0127159e7cce955d6749019dffaae2e1c3b0ed65ad8b9b4

SHA512
007775b3a61cee71c30f40f274714b7fc86704904ea0b587649e19638718a9f13fd9e1491dd6eb0688c00d9cc03806c60594adcf52687e681918fb4cd14a7a8c

Download Submit
memory/1000-33-0x0000000003410000-0x0000000003420000-memory.dmp

Filesize
64KB

Download
memory/1000-31-0x0000000003410000-0x0000000003420000-memory.dmp

Filesize
64KB

Download
memory/1000-36-0x0000000003410000-0x0000000003420000-memory.dmp

Filesize
64KB

Download
memory/1000-34-0x0000000003410000-0x0000000003420000-memory.dmp

Filesize
64KB

Download
memory/1000-35-0x0000000003410000-0x0000000003420000-memory.dmp

Filesize
64KB

Download
memory/1000-32-0x0000000003410000-0x0000000003420000-memory.dmp

Filesize
64KB

Download
memory/1000-29-0x0000000003410000-0x0000000003420000-memory.dmp

Filesize
64KB

Download
memory/1000-30-0x0000000003410000-0x0000000003420000-memory.dmp

Filesize
64KB

Download
memory/2160-2-0x0000000001370000-0x0000000001380000-memory.dmp

Filesize
64KB

Download
memory/2160-0-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/2160-9-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/2160-8-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/2160-11-0x0000000001370000-0x0000000001380000-memory.dmp

Filesize
64KB

Download
memory/2160-10-0x0000000001370000-0x0000000001380000-memory.dmp

Filesize
64KB

Download
memory/2160-1-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download