fa5a0694c2f29bdd6a8e7ccd5d6eaf66f90d87ed82fd88b368c4d940162f042d

Analysis

max time kernel
165s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 18:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

X-Lite_Win32_1002tx_29712.exe
Size

6.1MB
MD5

1e6d1ab7e8aea4e35028e7cc30fc64cc
SHA1

433f94dabe8226dbe12dff6d299890a65496882f
SHA256

fa5a0694c2f29bdd6a8e7ccd5d6eaf66f90d87ed82fd88b368c4d940162f042d
SHA512

6be9940503ef5fd183116bc1dae5260cf451c14c4e7fc41f025fb6df3984edb2c6985aaca18ee7358b6490d8d183ff21f45ac968797afd9060644b6f4767c5e3
SSDEEP

196608:icaCLJ+7g9gQZHEQ3hy1BoATmaX9S17OX4:icaq+7gCgkQRy7/aaX9SROI

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1788	is-H2GJI.tmp
400	x-lite.exe
1676	x-lite.exe

Loads dropped DLL 17 IoCs

pid	Process
2292	X-Lite_Win32_1002tx_29712.exe
1788	is-H2GJI.tmp
1788	is-H2GJI.tmp
1788	is-H2GJI.tmp
1788	is-H2GJI.tmp
1788	is-H2GJI.tmp
1788	is-H2GJI.tmp
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
1676	x-lite.exe
1676	x-lite.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\eyeBeam SIP Client = "\"C:\\Program Files (x86)\\CounterPath\\X-Lite\\x-lite.exe\""	is-H2GJI.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\InnoSetupRegFile.0000000001 = "\"C:\\Windows\\is-D6JUO.exe\" /REG"	is-H2GJI.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\is-ON1P2.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\unins000.dat	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\is-R4SPD.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\is-2UK46.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\Emoticons\is-56A5T.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\Emoticons\is-4PGJD.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\Common Files\Intel\ataplugin\is-AESLO.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\is-IGVCR.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\Emoticons\is-RFD0O.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\Emoticons\is-6FOFA.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\Emoticons\is-EPG0U.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\is-T3TFV.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\Emoticons\is-PSU8T.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\Emoticons\is-HR07D.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\Emoticons\is-09L13.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\is-L8M0M.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\Emoticons\is-38P01.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\Emoticons\is-Q8HIV.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\Emoticons\is-ML6OR.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\Common Files\Intel\ataplugin\is-CEOMG.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\is-GN2V4.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\is-E9R5G.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\Emoticons\is-7NROL.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\is-0D4HQ.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\is-J0FGF.tmp	is-H2GJI.tmp
File created	C:\Program Files (x86)\CounterPath\X-Lite\is-CH1F6.tmp	is-H2GJI.tmp
File opened for modification	C:\Program Files (x86)\CounterPath\X-Lite\unins000.dat	is-H2GJI.tmp

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\is-D6JUO.exe	is-H2GJI.tmp
File created	C:\Windows\is-D6JUO.msg	is-H2GJI.tmp
File created	C:\Windows\is-D6JUO.lst	is-H2GJI.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	x-lite.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	x-lite.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	x-lite.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	x-lite.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	x-lite.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	x-lite.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	x-lite.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sip	is-H2GJI.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sip\shell\open\command	is-H2GJI.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sip\ = "URL:Sip Protocol"	is-H2GJI.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/eyebeam\Extension = ".eba"	is-H2GJI.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eyeBeam.args\shell\open\command	is-H2GJI.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\eyeBeam.args\EditFlags = d8070100	is-H2GJI.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sip\shell	is-H2GJI.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sip\shell\open	is-H2GJI.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sip\shell\open\command\ = "\"C:\\Program Files (x86)\\CounterPath\\X-Lite\\x-lite.exe\" -dial=\"%1\""	is-H2GJI.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\sip\EditFlags = 02000000	is-H2GJI.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.eba\Content Type = "application/eyebeam"	is-H2GJI.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.eba\ = "eyeBeam.args"	is-H2GJI.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/eyebeam	is-H2GJI.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eyeBeam.args	is-H2GJI.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eyeBeam.args\shell	is-H2GJI.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eyeBeam.args\shell\open	is-H2GJI.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eyeBeam.args\shell\open\command\ = "\"C:\\Program Files (x86)\\CounterPath\\X-Lite\\x-lite.exe\" -argfile=\"%1\""	is-H2GJI.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sip\URL Protocol	is-H2GJI.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.eba	is-H2GJI.tmp

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
400	x-lite.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
400	x-lite.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1788	is-H2GJI.tmp
Token: SeBackupPrivilege	1788	is-H2GJI.tmp

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
400	x-lite.exe
1676	x-lite.exe
1676	x-lite.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1788	2292	X-Lite_Win32_1002tx_29712.exe	28
PID 2292 wrote to memory of 1788	2292	X-Lite_Win32_1002tx_29712.exe	28
PID 2292 wrote to memory of 1788	2292	X-Lite_Win32_1002tx_29712.exe	28
PID 2292 wrote to memory of 1788	2292	X-Lite_Win32_1002tx_29712.exe	28
PID 2292 wrote to memory of 1788	2292	X-Lite_Win32_1002tx_29712.exe	28
PID 2292 wrote to memory of 1788	2292	X-Lite_Win32_1002tx_29712.exe	28
PID 2292 wrote to memory of 1788	2292	X-Lite_Win32_1002tx_29712.exe	28

C:\Users\Admin\AppData\Local\Temp\X-Lite_Win32_1002tx_29712.exe
"C:\Users\Admin\AppData\Local\Temp\X-Lite_Win32_1002tx_29712.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\is-KB5DE.tmp\is-H2GJI.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KB5DE.tmp\is-H2GJI.tmp" /SL4 $50150 "C:\Users\Admin\AppData\Local\Temp\X-Lite_Win32_1002tx_29712.exe" 6119030 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:1788

C:\Program Files (x86)\CounterPath\X-Lite\x-lite.exe
"C:\Program Files (x86)\CounterPath\X-Lite\x-lite.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:400

C:\Program Files (x86)\CounterPath\X-Lite\x-lite.exe
"C:\Program Files (x86)\CounterPath\X-Lite\x-lite.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CounterPath\X-Lite\AEC_PC_DLL.dll

Filesize
56KB

MD5
9acbfd87e94d7becde2b9253e0165309

SHA1
22190fa01589df8d0674e54a16b548def6797ed3

SHA256
828d5492244861493c4c1f18b1cf885187c43220af969bbf3bfab4f8ae56fc83

SHA512
8e3d530cd2a9b19cd9257d2cd4dc168a958e30887c14588bbaf97414c74f5c17782a031b24d5b8e96e011f122ad2a978da8e079788a7f4af76d8c98ee6e24042

Download Submit
C:\Program Files (x86)\CounterPath\X-Lite\EYELOOK.DLL

Filesize
1.4MB

MD5
cc318146e4d5b08ceeb0bb044af9ebc8

SHA1
52e43a08c72c680e5e740b8e8ec5edac136378c5

SHA256
0692e535777c220f5d77744b7e4746480049dfa54e7ca4d9fd72c71918eaf1ed

SHA512
a4a16ca9a9b2bb3c6fe5dff5129e96bd495f09066f396d784896c39d51d1479664317de029aa0948a11b7dbeb53d482428617753ded6b1ac3d57846300b84384

Download Submit
C:\Program Files (x86)\CounterPath\X-Lite\PlantronicsDeviceEventSink.dll

Filesize
25KB

MD5
4c3e3381fb5782013627e49ed9519591

SHA1
ce690305acbcf50f52421201d3c1a36eded7554a

SHA256
31d583cb0bdb1f693c58738acaa75af0f5618218291f45657f1d6558e52f3d7f

SHA512
f4932e42ccbb5fc5737ee8396248b23185799ed2c4ad3bc71370edee9b166c7caa361a238c32be8a94faf069981e04136ce03f2fc7a29dc1cf23a018a2fbef94

Download Submit
\Program Files (x86)\CounterPath\X-Lite\BV32.dll

Filesize
68KB

MD5
9058a6b090206fbbfcffd29dfa99c6fe

SHA1
b7f5dc49a12b84b71fba43365c25d4249094aacc

SHA256
42ddc49eae21bc3f0875f0cb4ccbe7e822ca37ca782e4ae790640b379c2008dc

SHA512
b6fa8d8dfc6a459d390aca4ad2bfceba6a802a5f2add6660d2c429ba6204f646e09d0185b07f93cc2a7413a7eb51a20a75a7e5f09dcb19b5f0e7de2d8bcbc21e

Download Submit
\Program Files (x86)\CounterPath\X-Lite\msvcr71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
\Program Files (x86)\CounterPath\X-Lite\unins000.exe

Filesize
653KB

MD5
6831e53c1f7aaa8f5f0104e0e0cd6a9e

SHA1
8c9c32dbbb483e68c426feaf24db3ee5aaafedfe

SHA256
a367be631c73a8516beb6f01045100b1dd1c033f7af0d6f94b44a4f95e70ae46

SHA512
6b8951b3411a658d5e3c121399032c3f4c2cfbad2ebffbd3e5139f8dea07f81411eb7ae80e6ba575ef6a111bf62c3b696ae2409853affbc4c590721351f0eac2

Download Submit
\Program Files (x86)\CounterPath\X-Lite\x-lite.exe

Filesize
17.7MB

MD5
782f34e4def13b5c57f65738ad086f6b

SHA1
01c80a9053a60eac4f3ab612e656b7566c3837aa

SHA256
4120959813a895de6e402a313c93b1fad2bd0f5384cf9f9462a6afa647305651

SHA512
3470cf1307cd3b2ac68fc610e154cdd1ce2320850539851c82751b024324dd79ea2e853feb72404875ce54926e3a55a04c06bbf091c4700ae9b3ca7bc243ba2a

Download Submit
\Users\Admin\AppData\Local\Temp\is-INLL1.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-INLL1.tmp\psvince.dll

Filesize
36KB

MD5
a4e5c512b047a6d9dc38549161cac4de

SHA1
49d3e74f9604a6c61cda04ccc6d3cda87e280dfb

SHA256
c7f1e7e866834d9024f97c2b145c09d106e447e8abd65a10a1732116d178e44e

SHA512
2edb8a492b8369d56dda735a652c9e08539a5c4709a794efaff91adcae192a636d0545725af16cf8c31b275b34c2f19e4b019b57fb9050b99de65a4c08e3eee1

Download Submit
\Users\Admin\AppData\Local\Temp\is-KB5DE.tmp\is-H2GJI.tmp

Filesize
643KB

MD5
036ef63e2f9b138a42d6adb54ec0cd1e

SHA1
353db5d438205a726a6d54beb62f9c62638f501d

SHA256
71b487f0523f213004766402b22bf86fa0ef9891e940d2a4cb12eba6627e7cc6

SHA512
31b8f6e76c8c4f5323f12384c41f6f2b04e58545c121da71e2a4da947a9c0aea9eb05df4f8199cc6dc89bc238577c4e2d5fb4b66e77e1130bc72b6c38f207cc9

Download Submit
memory/400-105-0x00000000017A0000-0x00000000017A1000-memory.dmp

Filesize
4KB

Download
memory/400-102-0x0000000001620000-0x0000000001794000-memory.dmp

Filesize
1.5MB

Download
memory/400-115-0x0000000007190000-0x00000000071A1000-memory.dmp

Filesize
68KB

Download
memory/400-118-0x0000000001620000-0x0000000001794000-memory.dmp

Filesize
1.5MB

Download
memory/1676-135-0x0000000001690000-0x0000000001804000-memory.dmp

Filesize
1.5MB

Download
memory/1676-137-0x0000000001690000-0x0000000001804000-memory.dmp

Filesize
1.5MB

Download
memory/1788-25-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1788-95-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2292-24-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2292-96-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2292-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download