Analysis
- max time kernel: 90s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-04-2024 01:50
Behavioral tasks
- behavioral1: EA Crypto Hunter v4.0 MT4.rar (resource: win10v2004-20240226-en)
- behavioral2: EA Crypto Hunter v4.0 MT4/Experts/EA Crypto Hunter .ex4 (resource: win10v2004-20240226-en)
- behavioral3: EA Crypto Hunter v4.0 MT4/GNR-ForeX.jpg (resource: win10v2004-20240226-en)
- behavioral4: EA Crypto Hunter v4.0 MT4/GNR-ForeX.txt (resource: win10v2004-20231215-en)
- behavioral5: EA Crypto Hunter v4.0 MT4/Gendor.jpg (resource: win10v2004-20240226-en)
- behavioral6: EA Crypto Hunter v4.0 MT4/msimg32.dll - Build 1335-1350/msimg32.zip (resource: win10v2004-20240226-en)
- behavioral7: msimg32.dll (resource: win10v2004-20240226-en)
- behavioral8: EA Crypto Hunter v4.0 MT4/msimg32.dll - Build 1335-1350/msimg32/msimg32.dll (resource: win10v2004-20240226-en)
General
- Target: EA Crypto Hunter v4.0 MT4.rar
- Size: 10.8MB
- MD5: 1137667d7029b58692250444ce1368e8
- SHA1: 2caecddf632e35f74608e6dec91e01ea44ee330c
- SHA256: c738e6735c575421100a31108799e1c577d83e0feeae0cc8e974d10f642fc5c8
- SHA512: cb907117844309ef74e477f5536292b924a04e7ee7a9cf2a479106fe7d6afe576112c0dd3f20cd6892396fe0cb7ceeb4c5ce26d602555b2e8c2d363a6a1a199b
- SSDEEP: 196608:dYQ3xZrRuwHp6OrF4Wr3JjEFgoEbaHpQxXYNPU6ECy6lyHYdSNCQCEQP:1x9xJvFZJoDExYNPUdQAYq5QP
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: cmd.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Drops file in System32 directory (11 IoCs)
  Processes: svchost.exe
    File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk (svchost.exe)
    File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp (svchost.exe)
    File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs (svchost.exe)
    File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs (svchost.exe)
    File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk (svchost.exe)
    File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat (svchost.exe)
    File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log (svchost.exe)
    File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx (svchost.exe)
    File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log (svchost.exe)
    File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm (svchost.exe)
    File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (3 IoCs)
  Processes: cmd.exe, mspaint.exe, mspaint.exe
    Key created: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings (cmd.exe)
    Key created: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings (mspaint.exe)
    Key created: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings (mspaint.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: mspaint.exe (PID 1708), mspaint.exe (PID 1708), mspaint.exe (PID 4652), mspaint.exe (PID 4652)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: 7zFM.exe (PID 1600)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: 7zFM.exe
    Token: SeRestorePrivilege (PID 1600, 7zFM.exe)
    Token: 35 (PID 1600, 7zFM.exe)
    Token: SeSecurityPrivilege (PID 1600, 7zFM.exe)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: 7zFM.exe (PID 1600), 7zFM.exe (PID 1600), 7zFM.exe (PID 1600)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: mspaint.exe (PID 1708), OpenWith.exe (PID 2200), mspaint.exe (PID 4652), OpenWith.exe (PID 3244)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: cmd.exe
    PID 4644 (cmd.exe) wrote to memory of PID 1600 (7zFM.exe)
    PID 4644 (cmd.exe) wrote to memory of PID 1600 (7zFM.exe)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\EA Crypto Hunter v4.0 MT4.rar"
  PID: 4644
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Program Files\7-Zip\7zFM.exe
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\EA Crypto Hunter v4.0 MT4.rar"
    PID: 1600
    Signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5116
- C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\EA Crypto Hunter v4.0 MT4\Gendor.jpg" /ForceBootstrapPaint3D
  PID: 1708
  Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  PID: 3652
  Signatures: Drops file in System32 directory
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 2200
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\EA Crypto Hunter v4.0 MT4\GNR-ForeX.jpg" /ForceBootstrapPaint3D
  PID: 4652
  Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 3244
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\EA Crypto Hunter v4.0 MT4\GNR-ForeX.txt
  PID: 2136
Downloads