Overview
overview
8Static
static
3equil/Equil.exe
windows7-x64
8equil/Equil.exe
windows10-2004-x64
8equil/msvcp140.dll
windows7-x64
1equil/msvcp140.dll
windows10-2004-x64
1equil/msvcp140d.dll
windows7-x64
1equil/msvcp140d.dll
windows10-2004-x64
1equil/stup...00.exe
windows7-x64
1equil/stup...00.exe
windows10-2004-x64
1equil/ucrtbased.dll
windows10-2004-x64
1equil/vcru...1d.dll
windows7-x64
1equil/vcru...1d.dll
windows10-2004-x64
1equil/vcru...0d.dll
windows7-x64
1equil/vcru...0d.dll
windows10-2004-x64
1Analysis
-
max time kernel
29s -
max time network
25s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
02/06/2024, 14:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
equil/Equil.exe
Resource
win7-20240220-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
equil/Equil.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
12 signatures
150 seconds
Behavioral task
behavioral3
Sample
equil/msvcp140.dll
Resource
win7-20240221-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral4
Sample
equil/msvcp140.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral5
Sample
equil/msvcp140d.dll
Resource
win7-20240221-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral6
Sample
equil/msvcp140d.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral7
Sample
equil/stupidthing200.exe
Resource
win7-20240221-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral8
Sample
equil/stupidthing200.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral9
Sample
equil/ucrtbased.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral10
Sample
equil/vcruntime140_1d.dll
Resource
win7-20240508-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral11
Sample
equil/vcruntime140_1d.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral12
Sample
equil/vcruntime140d.dll
Resource
win7-20240508-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral13
Sample
equil/vcruntime140d.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
0 signatures
150 seconds
General
-
Target
equil/Equil.exe
-
Size
315KB
-
MD5
1072ebb6213cc03ac9e95ba8d9e64e0d
-
SHA1
9f55afff7552396fb06ef40b20a0758a1696e24a
-
SHA256
9bb70607d34ec9888aeda348c1dfa7984d5365586115e0fa6bd0fbf221f6d48b
-
SHA512
6cdc9c53ae2d5195a94338e470ad670dbbc0f65254bc4ab16c21bf4d15ff94c6760de807341ade5c651f1c87a429fea80aab57f72afa5d3ab285102385b72001
-
SSDEEP
3072:WUmTM6EWxDNq4h1SsiupSnq02qRwffb+BqFoDmE70G00QRy1mZ6MXHsFC6fzBjDb:MEYtjSsiupKwfohDRsXNVK
Score
8/10
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: mstsc.exe File opened (read-only) \??\X: mstsc.exe File opened (read-only) \??\H: mstsc.exe File opened (read-only) \??\M: mstsc.exe File opened (read-only) \??\N: mstsc.exe File opened (read-only) \??\R: mstsc.exe File opened (read-only) \??\S: mstsc.exe File opened (read-only) \??\F: Equil.exe File opened (read-only) \??\E: mstsc.exe File opened (read-only) \??\J: mstsc.exe File opened (read-only) \??\O: mstsc.exe File opened (read-only) \??\U: mstsc.exe File opened (read-only) \??\V: mstsc.exe File opened (read-only) \??\Y: mstsc.exe File opened (read-only) \??\A: mstsc.exe File opened (read-only) \??\G: mstsc.exe File opened (read-only) \??\L: mstsc.exe File opened (read-only) \??\P: mstsc.exe File opened (read-only) \??\Q: mstsc.exe File opened (read-only) \??\T: mstsc.exe File opened (read-only) \??\W: mstsc.exe File opened (read-only) \??\Z: mstsc.exe File opened (read-only) \??\I: mstsc.exe File opened (read-only) \??\K: mstsc.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe File created C:\Windows\wusa.lock wusa.exe File opened for modification C:\Windows\Logs\DPX\setupact.log wusa.exe File opened for modification C:\Windows\Logs\DPX\setuperr.log wusa.exe File opened for modification C:\Windows\Logs\RecoveryDisc\RecoveryDisc.0.etl recdisc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 5 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 580 mstsc.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2468 powershell_ise.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1352 explorer.exe 1656 Equil.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1656 Equil.exe Token: SeIncreaseQuotaPrivilege 2584 WMIC.exe Token: SeSecurityPrivilege 2584 WMIC.exe Token: SeTakeOwnershipPrivilege 2584 WMIC.exe Token: SeLoadDriverPrivilege 2584 WMIC.exe Token: SeSystemProfilePrivilege 2584 WMIC.exe Token: SeSystemtimePrivilege 2584 WMIC.exe Token: SeProfSingleProcessPrivilege 2584 WMIC.exe Token: SeIncBasePriorityPrivilege 2584 WMIC.exe Token: SeCreatePagefilePrivilege 2584 WMIC.exe Token: SeBackupPrivilege 2584 WMIC.exe Token: SeRestorePrivilege 2584 WMIC.exe Token: SeShutdownPrivilege 2584 WMIC.exe Token: SeDebugPrivilege 2584 WMIC.exe Token: SeSystemEnvironmentPrivilege 2584 WMIC.exe Token: SeRemoteShutdownPrivilege 2584 WMIC.exe Token: SeUndockPrivilege 2584 WMIC.exe Token: SeManageVolumePrivilege 2584 WMIC.exe Token: 33 2584 WMIC.exe Token: 34 2584 WMIC.exe Token: 35 2584 WMIC.exe Token: SeIncreaseQuotaPrivilege 2584 WMIC.exe Token: SeSecurityPrivilege 2584 WMIC.exe Token: SeTakeOwnershipPrivilege 2584 WMIC.exe Token: SeLoadDriverPrivilege 2584 WMIC.exe Token: SeSystemProfilePrivilege 2584 WMIC.exe Token: SeSystemtimePrivilege 2584 WMIC.exe Token: SeProfSingleProcessPrivilege 2584 WMIC.exe Token: SeIncBasePriorityPrivilege 2584 WMIC.exe Token: SeCreatePagefilePrivilege 2584 WMIC.exe Token: SeBackupPrivilege 2584 WMIC.exe Token: SeRestorePrivilege 2584 WMIC.exe Token: SeShutdownPrivilege 2584 WMIC.exe Token: SeDebugPrivilege 2584 WMIC.exe Token: SeSystemEnvironmentPrivilege 2584 WMIC.exe Token: SeRemoteShutdownPrivilege 2584 WMIC.exe Token: SeUndockPrivilege 2584 WMIC.exe Token: SeManageVolumePrivilege 2584 WMIC.exe Token: 33 2584 WMIC.exe Token: 34 2584 WMIC.exe Token: 35 2584 WMIC.exe Token: SeDebugPrivilege 2468 powershell_ise.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe Token: SeShutdownPrivilege 1352 explorer.exe -
Suspicious use of FindShellTrayWindow 31 IoCs
pid Process 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 2660 mip.exe 1352 explorer.exe 1352 explorer.exe -
Suspicious use of SendNotifyMessage 63 IoCs
pid Process 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 2660 mip.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe 1352 explorer.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 580 mstsc.exe 1484 WISPTIS.EXE 2660 mip.exe 2448 mspaint.exe 2448 mspaint.exe 2448 mspaint.exe 2448 mspaint.exe 1352 explorer.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 1656 wrote to memory of 2584 1656 Equil.exe 29 PID 1656 wrote to memory of 2584 1656 Equil.exe 29 PID 1656 wrote to memory of 2584 1656 Equil.exe 29 PID 1656 wrote to memory of 2468 1656 Equil.exe 30 PID 1656 wrote to memory of 2468 1656 Equil.exe 30 PID 1656 wrote to memory of 2468 1656 Equil.exe 30 PID 1656 wrote to memory of 708 1656 Equil.exe 36 PID 1656 wrote to memory of 708 1656 Equil.exe 36 PID 1656 wrote to memory of 708 1656 Equil.exe 36 PID 1656 wrote to memory of 2008 1656 Equil.exe 38 PID 1656 wrote to memory of 2008 1656 Equil.exe 38 PID 1656 wrote to memory of 2008 1656 Equil.exe 38 PID 1656 wrote to memory of 580 1656 Equil.exe 39 PID 1656 wrote to memory of 580 1656 Equil.exe 39 PID 1656 wrote to memory of 580 1656 Equil.exe 39 PID 1656 wrote to memory of 2660 1656 Equil.exe 41 PID 1656 wrote to memory of 2660 1656 Equil.exe 41 PID 1656 wrote to memory of 2660 1656 Equil.exe 41 PID 1656 wrote to memory of 1748 1656 Equil.exe 40 PID 1656 wrote to memory of 1748 1656 Equil.exe 40 PID 1656 wrote to memory of 1748 1656 Equil.exe 40 PID 2660 wrote to memory of 1484 2660 mip.exe 42 PID 2660 wrote to memory of 1484 2660 mip.exe 42 PID 2660 wrote to memory of 1484 2660 mip.exe 42 PID 1656 wrote to memory of 2472 1656 Equil.exe 43 PID 1656 wrote to memory of 2472 1656 Equil.exe 43 PID 1656 wrote to memory of 2472 1656 Equil.exe 43 PID 1656 wrote to memory of 1220 1656 Equil.exe 45 PID 1656 wrote to memory of 1220 1656 Equil.exe 45 PID 1656 wrote to memory of 1220 1656 Equil.exe 45 PID 1656 wrote to memory of 1220 1656 Equil.exe 45 PID 1656 wrote to memory of 1220 1656 Equil.exe 45 PID 1656 wrote to memory of 1244 1656 Equil.exe 46 PID 1656 wrote to memory of 1244 1656 Equil.exe 46 PID 1656 wrote to memory of 1244 1656 Equil.exe 46 PID 1656 wrote to memory of 2448 1656 Equil.exe 47 PID 1656 wrote to memory of 2448 1656 Equil.exe 47 PID 1656 wrote to memory of 2448 1656 Equil.exe 47 PID 1656 wrote to memory of 2608 1656 Equil.exe 49 PID 1656 wrote to memory of 2608 1656 Equil.exe 49 PID 1656 wrote to memory of 2608 1656 Equil.exe 49 PID 1656 wrote to memory of 1452 1656 Equil.exe 50 PID 1656 wrote to memory of 1452 1656 Equil.exe 50 PID 1656 wrote to memory of 1452 1656 Equil.exe 50 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\equil\Equil.exe"C:\Users\Admin\AppData\Local\Temp\equil\Equil.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" process where name='explorer.exe' delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" àâæçèêëïîôœ€àâæàâæê2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
-
C:\Windows\System32\dfrgui.exe"C:\Windows\System32\dfrgui.exe"2⤵PID:708
-
-
C:\Windows\System32\tabcal.exe"C:\Windows\System32\tabcal.exe" /42⤵PID:2008
-
-
C:\Windows\System32\mstsc.exe"C:\Windows\System32\mstsc.exe" -v Iæêgæêd_æêîæêî_alloca2⤵
- Enumerates connected drives
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:580
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe"C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe"2⤵PID:1748
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe"C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe"2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SYSTEM32\WISPTIS.EXE"C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;3⤵
- Suspicious use of SetWindowsHookEx
PID:1484
-
-
-
C:\Windows\System32\msinfo32.exe"C:\Windows\System32\msinfo32.exe" <2⤵PID:2472
-
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" <2⤵PID:1220
-
-
C:\Windows\System32\msra.exe"C:\Windows\System32\msra.exe" <2⤵PID:1244
-
-
C:\Windows\System32\mspaint.exe"C:\Windows\System32\mspaint.exe" <2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2448
-
-
C:\Windows\System32\wusa.exe"C:\Windows\System32\wusa.exe" <2⤵
- Drops file in Windows directory
PID:2608
-
-
C:\Windows\System32\recdisc.exe"C:\Windows\System32\recdisc.exe" <2⤵
- Drops file in Windows directory
PID:1452
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1352