4af21202e1ff48c3c17b45a067f991a0dc6a2a397b76ac33cb26baa814c21cb0

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efcw680.exe
Size

5.5MB
MD5

e4b193544ccb24afd8194364db8b1087
SHA1

bd97c9ddea5f74c006379e3d08030b7d2900c366
SHA256

442320e35e1d83644539366c9f216a8e600a92162a8690fbd62e5149bc3ba04b
SHA512

f5bd6d5857ea72955d9b97b68b3a20953e47e064b0c7afd450e8acb316d41e867e8466ecde0f6750c1601772a7ee1193ff5721a4f2f703137cec35fabfc6054b
SSDEEP

98304:wz2LGHSzu49IRIlFgwae0h3zJ8e23ARPgF5hPfBxKl+8fJVJTLusotwkb9T:wz2qHSzu49MIR6J8e2QRIuVL8twk

Score

7^/10

discovery upx

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2144	efcw680.exe
2144	efcw680.exe
2144	efcw680.exe
2144	efcw680.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2144-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2144-40-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/files/0x0006000000016d56-149.dat	upx
behavioral1/memory/2144-166-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_DE.CHM	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\ORDER.HTM	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_TW.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\LICENSE.TXT	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_HU.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_LT.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_SE.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_UA.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\7ZIP.DLL	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_CZ.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_EA.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_IT.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_MK.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_NL.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_ES.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_FR.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_KR.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\7ZIP.DLL	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\UNINST.EXE	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\BESTELL.HTM	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\ORDER.HTM	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_DE.CHM	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCWRES.DLL	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFUSB.DLL	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFWSOCK.DLL	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\sqx20u.dll	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\sqx20u.dll	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_NL.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_SP.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_TC.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_UA.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\efcw.exe.manifest	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\efcw.exe.manifest	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFWCER.DLL	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFEP.EXE	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_BR.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_FR.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_JA.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\LICENSE.TXT	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\FILE_ID.DIZ	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\UNACEV2.DLL	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_CZ.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_EA.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_SE.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_TC.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_US.CHM	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCWRES.DLL	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\BESTELL.HTM	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_BR.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_DK.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_GL.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_SP.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_CN.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_RU.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_CA.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_DK.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_PL.LNG	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFCW_TW.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFWSOCK.DLL	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\UNACEV2.DLL	efcw680.exe
File opened for modification	C:\Program Files (x86)\EF Commander\EFEP.EXE	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_GA.LNG	efcw680.exe
File created	C:\Program Files (x86)\EF Commander\EFCW_HR.LNG	efcw680.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\efcw680.exe
"C:\Users\Admin\AppData\Local\Temp\efcw680.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EF Commander\EFCW.EXE

Filesize
1.3MB

MD5
d12303aca8fbed3ad48c9e5d0598db4d

SHA1
5b41fde9d247dc478da819183ebaaefd0882cc3d

SHA256
3743a6bd3d27e3676b9df85b6758ad72f9e348e637f2b808f9feed74b8d2615d

SHA512
8a69b65739e427d78d947901d02d8ed20e807503284d210167092bea69d4dbf7b4688ec94e3369aedb43452fd036aec144de883fd016c967b442d013dd1f687a

Download Submit
C:\Program Files (x86)\EF Commander\UNINST.EXE

Filesize
16KB

MD5
896b7127f8d598e2cfe0ccd7d0c08342

SHA1
e6452b98bffa12d1f0d20fb6c0cd0ab4d9328bfb

SHA256
4aeeedbb1eb84e7f168eef7cd0191a63153bc609135d020b93be358dadcb6ae8

SHA512
e4c35817d6aba7213f33b1175cecfb1bf9e8134dcc027359e528dca6cdc7ba3a23ddfdc10a71bdea05409e13b671388de2c2951f584a6e0720db6dd6bd273161

Download Submit
memory/2144-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2144-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2144-150-0x0000000002080000-0x0000000002084000-memory.dmp

Filesize
16KB

Download
memory/2144-166-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download