e93845b0415afde51a287be72c4d870c1ffa3384bd439fc025faefb587859cf4

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6e877128b87282e4534d70de7820334.exe
Size

116KB
MD5

d6e877128b87282e4534d70de7820334
SHA1

bca452473d17be00f3be8686e7d3330289f8012e
SHA256

e93845b0415afde51a287be72c4d870c1ffa3384bd439fc025faefb587859cf4
SHA512

84d17adf7635ae683d3b86ea915a262ffb67a3a92f4046c862862cf59da473fcfd99080940271e36ff5cce280884d9626bdc8c217eece3a660e2ebb5544067eb
SSDEEP

3072:98RTVXDNJqxSA5HDc3I3nNoOsRXurRUQzj+5z/U:SZRcx5VMpOKXur2Qf+5z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4220	Ehazya.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Ehazya.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	d6e877128b87282e4534d70de7820334.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	d6e877128b87282e4534d70de7820334.exe
File created	C:\Windows\Ehazya.exe	d6e877128b87282e4534d70de7820334.exe
File opened for modification	C:\Windows\Ehazya.exe	d6e877128b87282e4534d70de7820334.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Ehazya.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main	Ehazya.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\International	Ehazya.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe
4220	Ehazya.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 4220	2012	d6e877128b87282e4534d70de7820334.exe	91
PID 2012 wrote to memory of 4220	2012	d6e877128b87282e4534d70de7820334.exe	91
PID 2012 wrote to memory of 4220	2012	d6e877128b87282e4534d70de7820334.exe	91

C:\Users\Admin\AppData\Local\Temp\d6e877128b87282e4534d70de7820334.exe
"C:\Users\Admin\AppData\Local\Temp\d6e877128b87282e4534d70de7820334.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\Ehazya.exe
  C:\Windows\Ehazya.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Twain001.Mtx

Filesize
2B

MD5
309fc7d3bc53bb63ac42e359260ac740

SHA1
2064f80f811db79a33c4e51c10221454e30c74ae

SHA256
ac11339ffa8f270c4f781e0a3922bb1c80d9dee6e4b6911ca34538ed9ae03caa

SHA512
77dd27d30f4e13a0bcd6fd27ae7567c136d87393e5ee632bccf05b0a0d2bbcc2fc0fd777a8508e26cc4fc579c8da0ab56b7bf179b1adc70f28f7d0eee89fa5f8

Download Submit
C:\Windows\Ehazya.exe

Filesize
116KB

MD5
d6e877128b87282e4534d70de7820334

SHA1
bca452473d17be00f3be8686e7d3330289f8012e

SHA256
e93845b0415afde51a287be72c4d870c1ffa3384bd439fc025faefb587859cf4

SHA512
84d17adf7635ae683d3b86ea915a262ffb67a3a92f4046c862862cf59da473fcfd99080940271e36ff5cce280884d9626bdc8c217eece3a660e2ebb5544067eb

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
362B

MD5
b0235500b8bd378b0bafb856fb580c62

SHA1
29dd18333732cbf21574962100ffc4e484abd722

SHA256
ee3b0f263512dd2e32ef1d79a7a2cfb05a2483759e5db69dd3a7414ac8b8716c

SHA512
6e98acce02d8994b21f063746772f8bd5036b6087ded7d6005ed0cb1810bdf2821cd4ea35ed97b9ad336bd5acbe88a637059aa6067080bd53aaad368639af485

Download Submit
memory/2012-15566-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2012-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2012-1-0x0000000002230000-0x0000000002253000-memory.dmp

Filesize
140KB

Download
memory/2012-6726-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-30541-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-73941-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-24403-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-37419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-47575-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-61027-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-9987-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-84435-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-95720-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-108119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-117385-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-129548-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-135471-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-135472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-135473-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download