Resubmissions

02-06-2024 21:08

240602-zzb8lsgb86 7

Analysis

  • max time kernel
    149s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-06-2024 21:08

General

  • Target

    eulen_xd.exe

  • Size

    9.4MB

  • MD5

    3e0626776b371dd6a66c3b4578e78163

  • SHA1

    b0aed638b9fbf390264d83b96e4e9541a590d71b

  • SHA256

    1eb354f77b02b77742214adb31c9ff750bf354d2b550f1abab87321b822c480c

  • SHA512

    032f19b2c20c52dfb0ba1858a7bd9ccf0c24b2f2fd103e6bc9185275920ccaf4e3d9e2ee08fa50540c9dd1f2dc4266c90527d9ff3c5b1de2c2c1b434e03de45f

  • SSDEEP

    196608:YuDyC/FH1Vh4aEE5sek6+eFqITshwPIP1hsd4cQDBUBE6sqw:BNFHIE5sekyfghl9hsd43K+

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 10 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Every per-process hit in the tree below is attributed to firefox.exe (PIDs 1960, 1744 and 4724); eulen_xd.exe (PID 2708) spawns no child processes and has no signature attributed to it, which is consistent with the 1/10 score.
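The two signature descriptions above (processor-information reads as a sandbox check, scheduled-task registration as a boot/logon persistence mechanism) can be turned into endpoint-side detection rules and attributed per process, the way the report's tree does. The Python below is an added example, not Triage's rule code and nothing taken from the sample; its events are constructed and only loosely follow Windows Security audit events 4663 (registry object access) and 4698 (scheduled task created), and the process name sample.exe and task name \Updater are hypothetical. Note that a 4698 event shows the task that was registered, not whether it was registered via the COM API or via schtasks.exe, so the rule reports the task rather than the API.

```python
import re
import xml.etree.ElementTree as ET

# Registry locations that expose CPU details. Hypervisor vendor strings or a
# single logical core read from here are a common sandbox/VM tell.
CPU_INFO_KEYS = (
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor",
    r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment",
)
KEY_QUERY_VALUE = 0x1  # access-mask bit for reading a value

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PERSISTENCE_TRIGGERS = {"BootTrigger", "LogonTrigger"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|ProgramData)\\", re.I)

# Constructed events (hypothetical sample.exe and \Updater; not from the report).
EVENTS = [
    {"EventID": 4663, "ObjectType": "Key", "AccessMask": 0x1,
     "ProcessName": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ObjectName": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"},
    {"EventID": 4663, "ObjectType": "Key", "AccessMask": 0x1,
     "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"EventID": 4698, "TaskName": r"\Updater",
     "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions><Exec>
    <Command>C:\Users\Admin\AppData\Local\Temp\sample.exe</Command>
    <Arguments>--silent</Arguments>
  </Exec></Actions>
</Task>"""},
]


def reads_cpu_info(ev):
    """True for a registry read (4663 with query access) under a CPU-info key."""
    if ev.get("EventID") != 4663 or ev.get("ObjectType") != "Key":
        return False
    if not ev.get("AccessMask", 0) & KEY_QUERY_VALUE:
        return False
    name = ev.get("ObjectName", "").lower()
    return any(name.startswith(k.lower()) for k in CPU_INFO_KEYS)


def task_persistence(ev):
    """Parse a 4698 task definition; return what it runs and when, or None."""
    if ev.get("EventID") != 4698:
        return None
    root = ET.fromstring(ev["TaskContent"])
    trig = root.find("t:Triggers", TASK_NS)
    triggers = [] if trig is None else [c.tag.rsplit("}", 1)[-1] for c in trig]
    commands = [
        (e.findtext("t:Command", default="", namespaces=TASK_NS).strip(),
         e.findtext("t:Arguments", default="", namespaces=TASK_NS).strip())
        for e in root.iterfind("t:Actions/t:Exec", TASK_NS)
    ]
    return {
        "task": ev.get("TaskName"),
        "triggers": triggers,
        "commands": commands,
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel",
                                   default="", namespaces=TASK_NS),
        # Boot/logon triggers are the persistence case the signature text describes.
        "persists": bool(PERSISTENCE_TRIGGERS & set(triggers)),
        # A task whose binary lives in a user-writable directory deserves a closer look.
        "user_writable_binary": any(USER_WRITABLE.search(c) for c, _ in commands),
    }


def attribute(events):
    """Group hits by process image, the way the report's tree lists them."""
    hits = {}
    for ev in events:
        proc = ev.get("ProcessName", "?").rsplit("\\", 1)[-1]
        if reads_cpu_info(ev):
            hits.setdefault(proc, []).append("Checks processor information in registry")
        task = task_persistence(ev)
        if task and task["persists"]:
            hits.setdefault(proc, []).append(
                "Scheduled task %s runs %s on %s"
                % (task["task"], task["commands"][0][0], ", ".join(task["triggers"])))
    return hits


if __name__ == "__main__":
    for proc, sigs in attribute(EVENTS).items():
        print(proc)
        for s in sigs:
            print("  -", s)
```

Run as a script it prints one line per process with its hits, so the firefox.exe read of CentralProcessor\0 lands on firefox.exe and the logon-triggered task lands on sample.exe; the Run-key read by sample.exe matches neither rule. The same attribution step is what separates sample behaviour from browser noise when reading a report like this one.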

Processes

  • C:\Users\Admin\AppData\Local\Temp\eulen_xd.exe
    "C:\Users\Admin\AppData\Local\Temp\eulen_xd.exe"
    1⤵
      PID:2708
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2908
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1744
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.0.479149432\121935959" -parentBuildID 20230214051806 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {246fe71d-b545-4086-81ba-4bed9587faac} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 1900 195ffd0f258 gpu
            3⤵
              PID:4268
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.1.2056190943\93099739" -parentBuildID 20230214051806 -prefsHandle 2456 -prefMapHandle 2448 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93aac9f1-b659-4ce5-9a42-72ec4c6da246} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 2468 19588369a58 socket
              3⤵
              • Checks processor information in registry
              PID:4724
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.2.709154112\457964264" -childID 1 -isForBrowser -prefsHandle 2964 -prefMapHandle 2960 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfcb9c7d-2b02-47c1-ae7d-dac14975c6b1} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 2976 1958a9ec758 tab
              3⤵
                PID:3724
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.3.978219148\1050646047" -childID 2 -isForBrowser -prefsHandle 3848 -prefMapHandle 3844 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3aba6812-fc47-4de2-843d-ad1841352611} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 3860 1958cbd1358 tab
                3⤵
                  PID:5092
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.4.1703298824\627215914" -childID 3 -isForBrowser -prefsHandle 5212 -prefMapHandle 5208 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {beab21de-26e1-43a4-b6e4-0cbfe982b613} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 5236 1958eb24958 tab
                  3⤵
                    PID:1052
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.5.861810175\2116925387" -childID 4 -isForBrowser -prefsHandle 5380 -prefMapHandle 5384 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {582fad0f-635b-4175-b404-08524e9ea685} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 5368 1958f78c858 tab
                    3⤵
                      PID:3144
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.6.2142621992\1102995134" -childID 5 -isForBrowser -prefsHandle 5592 -prefMapHandle 5600 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6c73013-d607-4323-9b72-6bd278afadbc} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 5548 1958fca1558 tab
                      3⤵
                        PID:4648

Network

MITRE ATT&CK Enterprise v15

Downloads

All four entries are Firefox profile files (an activity-stream cache, two preference files and the session store) under the profile qzr7kws6.default-release.

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\activity-stream.discovery_stream.json.tmp

    Filesize

    24KB

    MD5

    8b11a1476a98e75ab50a1c1c9849e98a

    SHA1

    d3025daf69da85bc98c0b9d3a9eb2dff48bb869b

    SHA256

    3125d138650c0716a670e6f2a3386017a0349b5324753812b8575fb38edada60

    SHA512

    6d7f2084ad0c778c430437136a360fa686c88ba567d6cacabf5d6e4d0e580d1cbc4196f0f752f026f37d8ec913dc100aa614c70005cd824b0e427a3ad7241981

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs-1.js

    Filesize

    6KB

    MD5

    3fa4d587cea94872384b8c45148d89a8

    SHA1

    a6ef18e6f491dc3a80337460ee1a9f65fb89515d

    SHA256

    e87a040d35b4fac948fac47a453afbe6555c3c63e7eca0ce3eead262ba7a254e

    SHA512

    822429e5f4d7c63d8be3f23e294fa54d6011fd27909fa15e42efff2d69b708681bbd69c0fb5b45403248da39f80ba81aea589fed7ec22f447bae3901f0c72806

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs.js

    Filesize

    6KB

    MD5

    dfcc46e00f1810167f6e0e89fa11a2e5

    SHA1

    f4f34f25a703d2b06115bf7f02f5eaef9225c9f0

    SHA256

    b2faa30b2f91ff223d7c3488d1b153edc2e5b678e30e18ab4da4758461159359

    SHA512

    84eb1e7e1d9d5a1ac48c1830c5ed65337ad38e1b3370fd8222f998f2ea6a77843ea34a4af05478c08c042a927027d1881f5dee7c725efabf0369a9017838b55e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore.jsonlz4

    Filesize

    906B

    MD5

    a5de865833e9d25f32e82daa4862b7f7

    SHA1

    b98563d0f1bfff2994cfbcff68f19fffe51c4561

    SHA256

    7f7f64b2cdaa5517bedefd6731aecc99843b83d59f21343d92f13562050aacc7

    SHA512

    19fba836492e1206e4c04ff531fe495086fe8db9bac2479104688763d9998d4fb2a8017430f4f6849c85e0b1f40833c9426564f6fc5495db061332babe4edeab