Analysis

  • max time kernel
    100s
  • max time network
    77s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win10-20240221-en locale:en-us os:windows10-1703-x64 system
  • submitted
    25-03-2024 19:00

General

  • Target
    Energetic Bear Implant.exe
  • Size
    1.9MB
  • MD5
    f901c645188f9c80afa8f49174f065ce
  • SHA1
    272bc9298b394760d68e14dcf479233800a098a9
  • SHA256
    9385d7e149bcda79e5a4291ad422c160be8297d029d04ee04c50240fe53aa900
  • SHA512
    8de72f93ab1a507a08a283da4e8948756364d45fa70e8332da424b27a9cb8d6c3ad93cb5062343a6cc8cf0009d7c7d3fef8e209f99fedbe02b7d2d5c010c291c
  • SSDEEP
    24576:7MWHiFDV07ECXo4tu619SbX7ZwwjeJJV+CBqAKngHu8LNZZ/LJCPlyPlVzOCr:WJ6qbroCn8u8jhL0PMtVSCr

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Energetic Bear Implant.exe
    "C:\Users\Admin\AppData\Local\Temp\Energetic Bear Implant.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    PID:2664
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3d4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:164
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1740
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:344

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\3877292338.pri
    • Filesize
      162KB
    • MD5
      0d02b03a068d671348931cc20c048422
    • SHA1
      67b6deacf1303acfcbab0b158157fdc03a02c8d5
    • SHA256
      44f4263d65889ea8f0db3c6e31a956a4664e9200aba2612c9be7016feeb323c0
    • SHA512
      805e7b4fafed39dec5ecc2ede0c65b6e103e6757e0bd43ecdce7c00932f59e3e7a68d2ea0818244dfeb691b022c1ccca590a3f4239f99e1cd8a29ba66daed358
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\810424605.pri
    • Filesize
      2KB
    • MD5
      a2942665b12ed000cd2ac95adef8e0cc
    • SHA1
      ac194f8d30f659131d1c73af8d44e81eccab7fde
    • SHA256
      bdc5de6c42c523a333c26160d212c62385b03f5ebdae5aa8c5d025ff3f8aa374
    • SHA512
      4e5ba962ba97656974c390b45302d60f4c82d604feb6199d44e80497a40d0b0a9fd119ca17ac184809ca0821ab6813292892c433ed7277f65c275f37a96070b9
  • C:\Users\Admin\AppData\Local\Temp\cyber.avi
    • Filesize
      492KB
    • MD5
      979128b6017961ec9f5b961ede4d8fb3
    • SHA1
      08163ba22e83273398a851b164c4a2cd364dc809
    • SHA256
      989101a0ae548a578aba8612ee89696bea81e899c92f0b697ea31e6db53f10fc
    • SHA512
      afc1a8c4f80c57b27cfb764ce6d8354c1700ae90baed4d7562796f235087f900dfeb486ecd7602bf3b50a2ff470e410925f5cdb7ff89fe7a576abaf18621a626