f3e54cc35c682858c085f3297febc3bd41417d356061ef2a8e214afa7cb4fa05

Analysis

max time kernel
146s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3e54cc35c682858c085f3297febc3bd41417d356061ef2a8e214afa7cb4fa05.exe
Size

3.7MB
MD5

1be3d8dd02bfb17424b29b4682b92a5e
SHA1

7183fb8947bbd08526b10ce05529b5bbf2ecf3f1
SHA256

f3e54cc35c682858c085f3297febc3bd41417d356061ef2a8e214afa7cb4fa05
SHA512

248c68dad18b4dbb1da91676a7676f8578684d86ca4648df5ba4eb4c051611bfb52e65e0fd4e224871d8fcd487d714a78bf0820fc8688b8a80a8f185e9214cd3
SSDEEP

49152:31akMEEnoAXaLetR9wLm7dEgHghWvU+H/TfgKfiKXHoFcI13+mr2LFIIv:QkMEEULetUm6hhMTgfUoz13x2GIv

Score

9^/10

persistence

Malware Config

Signatures

Detects executables packed with VMProtect. 4 IoCs

resource	yara_rule
behavioral2/memory/3864-0-0x0000000000400000-0x00000000009A5000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3864-1-0x0000000000400000-0x00000000009A5000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral2/files/0x00090000000233e4-5.dat	INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/4008-10-0x0000000000400000-0x00000000009A5000-memory.dmp	INDICATOR_EXE_Packed_VMProtect

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
4008	eulxmwk.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\qbusxng.dll	eulxmwk.exe
File created	C:\PROGRA~3\Mozilla\eulxmwk.exe	f3e54cc35c682858c085f3297febc3bd41417d356061ef2a8e214afa7cb4fa05.exe

C:\Users\Admin\AppData\Local\Temp\f3e54cc35c682858c085f3297febc3bd41417d356061ef2a8e214afa7cb4fa05.exe
"C:\Users\Admin\AppData\Local\Temp\f3e54cc35c682858c085f3297febc3bd41417d356061ef2a8e214afa7cb4fa05.exe"
1⤵
- Drops file in Program Files directory
PID:3864

C:\PROGRA~3\Mozilla\eulxmwk.exe
C:\PROGRA~3\Mozilla\eulxmwk.exe -govzvci
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla\eulxmwk.exe

Filesize
3.7MB

MD5
9ed883420f83c957e4f5dd7185b2415f

SHA1
4b35add0f732e07c4cec5a745d304c9f62cb417d

SHA256
047a3e613a27e5a879c2c0e3576dd2841ed60bf28665ba6f5a6b29569a0b11a4

SHA512
14ad671217398aa5425395c67c454ef9a97a44b643c9759bd2ca76630ab88a0c92e59d99cbef1388ca5cde93df386d57dadf5d2a6a53dde3757058ead6eb561b

Download Submit
memory/3864-0-0x0000000000400000-0x00000000009A5000-memory.dmp

Filesize
5.6MB

Download
memory/3864-1-0x0000000000400000-0x00000000009A5000-memory.dmp

Filesize
5.6MB

Download
memory/3864-2-0x00000000025E0000-0x000000000263C000-memory.dmp

Filesize
368KB

Download
memory/3864-3-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3864-8-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3864-9-0x00000000025E0000-0x000000000263C000-memory.dmp

Filesize
368KB

Download
memory/4008-10-0x0000000000400000-0x00000000009A5000-memory.dmp

Filesize
5.6MB

Download
memory/4008-11-0x00000000011A0000-0x00000000011FC000-memory.dmp

Filesize
368KB

Download
memory/4008-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4008-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4008-16-0x00000000011A0000-0x00000000011FC000-memory.dmp

Filesize
368KB

Download