e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/EsWebSocketKit.exe
Size

2.0MB
MD5

03608817f4280e182fe17dcc532b78af
SHA1

3810abd4bab3e9b962c96019a2e73422c90fbc31
SHA256

211e3a7eac588949321ab2bafd1317a18b5c33f5064faff26f5b1d409d73e4d3
SHA512

aa1f690f29e893b61a2ae18eb364457aab7086ccfa6394bd46b60e94f6d7834f93b6a5e336a32dae251fb79db0a70265d3ca0703c19cd6d99314aecef6cfae5f
SSDEEP

49152:xQxqVOQPx6T4ooThi+cKS6aWM0A5sT4KV3Bm:xQxqVM4Xi+/7aW3wsNJg

Score

7^/10

discovery evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EsWebSocketKit = "\"C:\\Program Files (x86)\\EsWebSocketKit\\ESWebSocket.exe\""	EsWebSocketKit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EsFtWebSocketKit = "\"C:\\Program Files (x86)\\EsWebSocketKit\\EsFtWebSocket.exe\""	EsWebSocketKit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EsHttpServer = "\"C:\\Program Files (x86)\\EsWebSocketKit\\EsHttpServer.exe\""	EsWebSocketKit.exe

Modifies Windows Firewall 2 TTPs 6 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2500	netsh.exe
2192	netsh.exe
2648	netsh.exe
2768	netsh.exe
1296	netsh.exe
1496	netsh.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\EsWebSocketKit\IActiveXCtrl.dll	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\dh.pem	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\cert.key	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\server.crt	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\server.key	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\cert.cer	EsWebSocketKit.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\root_cert_setting_for_websocket.js	EsWebSocketKit.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\root_cert_setting_for_websocket.js	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe	EsWebSocketKit.exe

Executes dropped EXE 15 IoCs

pid	Process
2516	regFirefox64.exe
432	regFirefox64.exe
2404	ESWebSocket.exe
2872	EsHttpServer.exe
1500	FirefoxMOIT.exe
2880	EsFtWebSocket.exe
3016	EsHttpServer.exe
2472	EsFtWebSocket.exe
2596	ESWebSocket.exe
1864	EsFtWebSocket.exe
584	ESWebSocket.exe
1716	EsHttpServer.exe
1352	EsHttpServer.exe
1776	EsFtWebSocket.exe
1772	ESWebSocket.exe

Loads dropped DLL 36 IoCs

pid	Process
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2516	regFirefox64.exe
2080	EsWebSocketKit.exe
432	regFirefox64.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
1500	FirefoxMOIT.exe
1500	FirefoxMOIT.exe
1500	FirefoxMOIT.exe
1500	FirefoxMOIT.exe
1500	FirefoxMOIT.exe
1500	FirefoxMOIT.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsHttpServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsFtWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsFtWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsFtWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsHttpServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsHttpServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsWebSocketKit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsHttpServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsFtWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FirefoxMOIT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
3068	taskkill.exe
2932	taskkill.exe
2704	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\07A909A89FC6857FEAD7726BF955F1E4E8EDF922\Blob = 5c00000001000000040000000008000003000000010000001400000007a909a89fc6857fead7726bf955f1e4e8edf922190000000100000010000000b5d296234cf132adc29bb6fec0549c6214000000010000002000000031c1dcb87b45e72861bdea4038e309f052fc83115c30da4cfb5fbfb6ea0ae7770f000000010000002000000098d78429350107d66f9d9a4b7bf2cc0a4d1c75cb2062d1d02fbbd2105dc9880b0400000001000000100000001711793f00ff2d2fb5144003374c02832000000001000000d5030000308203d1308202b9a003020102021100bd261f436c61432fd735c301bb7bfc05300d06092a864886f70d01010b0500307c310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d53616e204672616e636973636f311c301a060355040a0c13776562736f636b6574406c6f63616c686f73743122302006035504030c19746c7363612e776562736f636b6574406c6f63616c686f7374301e170d3137303932323031343134305a170d3237303932303031343134305a307c310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d53616e204672616e636973636f311c301a060355040a0c13776562736f636b6574406c6f63616c686f73743122302006035504030c19746c7363612e776562736f636b6574406c6f63616c686f737430820122300d06092a864886f70d01010105000382010f003082010a0282010100bf4c1314166876a6dd73a80cd1777394390922f9edceb0f2cce4a3ddff9641089c2a0649a6de8c6154db3236fc10ba3abe9a8856d218fff49265cafa950d82e94d2cb091a26db2b4eb90489a1f609581ab65da9858c3ccb77fd633e6b23dce343d423ea0318aed787db8435a108bd1336a20ee7ae38be7e9482c82570829da911fa7c74937d38930b78a1b2a6ede1bc07e7bcec5d6280e25bca71006418456e551598472181b8d7d7c475177b2258134d93daa51b7962eded0bd6624f642ff8458c2d76287cb19975a3ceb2671499655a110cfc250c3fe764fbc3d435d9386b78bf05f91c4491c63ff0b81aa98d2e9f42bd2bb6a95f21e8be826f2411c7c598f0203010001a34e304c300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff30290603551d0e0422042031c1dcb87b45e72861bdea4038e309f052fc83115c30da4cfb5fbfb6ea0ae777300d06092a864886f70d01010b050003820101000509d1f6bcdc17bdb0b3942023ed6d3518675193959c12d912ac9d4a7e5476781360c75ecf9d3ce96188840fe0bb14f7ec1c3d042d6c1d05106aee718cd5828d62674a8f3f9f6891ae16468d7273c0cbb928ee3dd98afe6e6965123f1451f13609029eceb15ad4b88a1102ce230a7311306f1c6c9a9d6318f909e738b006076e0c37e37e0e2f2de0bc6c7a0e6c105adc4876d8c84c9f825577a4021452f40d73aeabbf4667f67c29bb4b78c91e240bb4f2a7bf0300d81c8abace56e5e1e6c0a246fa9283e660515f355bb53ea43d704b17a4623eb73686643679a7ef3eee39a6a04c7d307810d8996c77d72abcbb3ef4658e069eec2138227b9186d8b3906912	EsWebSocketKit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\5B2CB7BC03D02624FC74258DF56BA16EF1AD7D93	EsWebSocketKit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5B2CB7BC03D02624FC74258DF56BA16EF1AD7D93\Blob = 040000000100000010000000b6ada6ec197166ac670578e5179ea8d30f000000010000002000000027c5042bd2e1421369948ea130e4e7604817c0d13045932ed48a2cb10c8caa0c1400000001000000140000004b9d236fccf3dd4d028b0d1e2f732a102b0768131900000001000000100000002f27ccec88d8b37b4748eb029e5e86730300000001000000140000005b2cb7bc03d02624fc74258df56ba16ef1ad7d935c00000001000000040000000008000020000000010000000703000030820303308201eba003020102021458ec850fc4222148b495042df3060fec709d745d300d06092a864886f70d01010b050030143112301006035504030c096c6f63616c686f7374301e170d3231313032323031313631355a170d3331313032303031313631355a30143112301006035504030c096c6f63616c686f737430820122300d06092a864886f70d01010105000382010f003082010a0282010100acf048bf504d5458d7d5f423a75f344bdb725c6d3f66168de6ae5b6d2c1ddc1cf68b2f502c3289b4ad85fff349de511077c574ce25c1f70db80b5af9dc092e48922fe4b4fb1a0dd6aa55fbb35b6b24ab55cc84bc7d5eeaabb27a86a83b5f134c19e6f00b05dbed856645a4ae83f829b7d59e7f396826c05184f161ee5887d63e195070b589c4b51a9953e4112ef501439fb426003bae81bc99a4dd110aaf2122a345e53e96cbf195a365bd4ae7abce44f1e58221bdd2cf0a364611271fd2c83da396e4289cf0ff56b9691371749b1d4b0c358f37c5f62da15133b19775487a17c1ebab90b1122f690708fc29b6fe0fc17d205d6049d4cdd8cc2057dc144d08310203010001a34d304b300b0603551d0f0404030205e030130603551d25040c300a06082b0601050507030130270603551d110420301e82096c6f63616c686f7374820b2a2e6c6f63616c686f737487047f000001300d06092a864886f70d01010b050003820101008fb9b28d4187eda354b68f275b6dd7a0fc3578814230a378a476c0aa73065e552c15b08058c06cbc6eb475d9c567f8740eb984bc6029e532813863e5daf46894b34d4b7d12c3d73f3ba304605a3b60199f773ec824280cc428a63b326dd0e2a15bb442153022f7c776fefea68182dd451e2e3e3c15e01628b0f349ddada030119b31017827042e49d765c079ddd584c0b8b09145e2d7ecee92c2832c1f2f9f5bd91357a890c633faefd7d1270994bfd07fab90b19323d358a7ea0327031b2b50dd965e6050f061256e5e231e526c59da97449cb6f721ea69abdb6e92fe2513230001500f17add84a5434ed657b621f6f0daf2dec22abe700c064642e87680094	EsWebSocketKit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\07A909A89FC6857FEAD7726BF955F1E4E8EDF922	EsWebSocketKit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1032	schtasks.exe
2320	schtasks.exe
608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2080	EsWebSocketKit.exe
2080	EsWebSocketKit.exe
2404	ESWebSocket.exe
2880	EsFtWebSocket.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 3068	2080	EsWebSocketKit.exe	30
PID 2080 wrote to memory of 3068	2080	EsWebSocketKit.exe	30
PID 2080 wrote to memory of 3068	2080	EsWebSocketKit.exe	30
PID 2080 wrote to memory of 3068	2080	EsWebSocketKit.exe	30
PID 2080 wrote to memory of 2932	2080	EsWebSocketKit.exe	33
PID 2080 wrote to memory of 2932	2080	EsWebSocketKit.exe	33
PID 2080 wrote to memory of 2932	2080	EsWebSocketKit.exe	33
PID 2080 wrote to memory of 2932	2080	EsWebSocketKit.exe	33
PID 2080 wrote to memory of 2704	2080	EsWebSocketKit.exe	35
PID 2080 wrote to memory of 2704	2080	EsWebSocketKit.exe	35
PID 2080 wrote to memory of 2704	2080	EsWebSocketKit.exe	35
PID 2080 wrote to memory of 2704	2080	EsWebSocketKit.exe	35
PID 2080 wrote to memory of 2516	2080	EsWebSocketKit.exe	37
PID 2080 wrote to memory of 2516	2080	EsWebSocketKit.exe	37
PID 2080 wrote to memory of 2516	2080	EsWebSocketKit.exe	37
PID 2080 wrote to memory of 2516	2080	EsWebSocketKit.exe	37
PID 2080 wrote to memory of 432	2080	EsWebSocketKit.exe	38
PID 2080 wrote to memory of 432	2080	EsWebSocketKit.exe	38
PID 2080 wrote to memory of 432	2080	EsWebSocketKit.exe	38
PID 2080 wrote to memory of 432	2080	EsWebSocketKit.exe	38
PID 2080 wrote to memory of 2404	2080	EsWebSocketKit.exe	39
PID 2080 wrote to memory of 2404	2080	EsWebSocketKit.exe	39
PID 2080 wrote to memory of 2404	2080	EsWebSocketKit.exe	39
PID 2080 wrote to memory of 2404	2080	EsWebSocketKit.exe	39
PID 2080 wrote to memory of 2880	2080	EsWebSocketKit.exe	40
PID 2080 wrote to memory of 2880	2080	EsWebSocketKit.exe	40
PID 2080 wrote to memory of 2880	2080	EsWebSocketKit.exe	40
PID 2080 wrote to memory of 2880	2080	EsWebSocketKit.exe	40
PID 2080 wrote to memory of 2872	2080	EsWebSocketKit.exe	41
PID 2080 wrote to memory of 2872	2080	EsWebSocketKit.exe	41
PID 2080 wrote to memory of 2872	2080	EsWebSocketKit.exe	41
PID 2080 wrote to memory of 2872	2080	EsWebSocketKit.exe	41
PID 2080 wrote to memory of 1500	2080	EsWebSocketKit.exe	42
PID 2080 wrote to memory of 1500	2080	EsWebSocketKit.exe	42
PID 2080 wrote to memory of 1500	2080	EsWebSocketKit.exe	42
PID 2080 wrote to memory of 1500	2080	EsWebSocketKit.exe	42
PID 2080 wrote to memory of 1500	2080	EsWebSocketKit.exe	42
PID 2080 wrote to memory of 1500	2080	EsWebSocketKit.exe	42
PID 2080 wrote to memory of 1500	2080	EsWebSocketKit.exe	42
PID 2080 wrote to memory of 2180	2080	EsWebSocketKit.exe	43
PID 2080 wrote to memory of 2180	2080	EsWebSocketKit.exe	43
PID 2080 wrote to memory of 2180	2080	EsWebSocketKit.exe	43
PID 2080 wrote to memory of 2180	2080	EsWebSocketKit.exe	43
PID 2080 wrote to memory of 1032	2080	EsWebSocketKit.exe	45
PID 2080 wrote to memory of 1032	2080	EsWebSocketKit.exe	45
PID 2080 wrote to memory of 1032	2080	EsWebSocketKit.exe	45
PID 2080 wrote to memory of 1032	2080	EsWebSocketKit.exe	45
PID 2080 wrote to memory of 1004	2080	EsWebSocketKit.exe	47
PID 2080 wrote to memory of 1004	2080	EsWebSocketKit.exe	47
PID 2080 wrote to memory of 1004	2080	EsWebSocketKit.exe	47
PID 2080 wrote to memory of 1004	2080	EsWebSocketKit.exe	47
PID 2080 wrote to memory of 2320	2080	EsWebSocketKit.exe	49
PID 2080 wrote to memory of 2320	2080	EsWebSocketKit.exe	49
PID 2080 wrote to memory of 2320	2080	EsWebSocketKit.exe	49
PID 2080 wrote to memory of 2320	2080	EsWebSocketKit.exe	49
PID 2080 wrote to memory of 1028	2080	EsWebSocketKit.exe	51
PID 2080 wrote to memory of 1028	2080	EsWebSocketKit.exe	51
PID 2080 wrote to memory of 1028	2080	EsWebSocketKit.exe	51
PID 2080 wrote to memory of 1028	2080	EsWebSocketKit.exe	51
PID 2080 wrote to memory of 608	2080	EsWebSocketKit.exe	53
PID 2080 wrote to memory of 608	2080	EsWebSocketKit.exe	53
PID 2080 wrote to memory of 608	2080	EsWebSocketKit.exe	53
PID 2080 wrote to memory of 608	2080	EsWebSocketKit.exe	53
PID 2080 wrote to memory of 1296	2080	EsWebSocketKit.exe	55

C:\Users\Admin\AppData\Local\Temp\$TEMP\EsWebSocketKit.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\EsWebSocketKit.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\taskkill.exe
  C:\Windows\system32\taskkill.exe /f /im ESWebSocket.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\SysWOW64\taskkill.exe
  C:\Windows\system32\taskkill.exe /f /im EsFtWebSocket.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\SysWOW64\taskkill.exe
  C:\Windows\system32\taskkill.exe /f /im EsHttpServer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe
  C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe /init /cert C:\Users\Admin\AppData\Local\Temp\cert.cer
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2516
- C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe
  C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe /init /cert C:\Users\Admin\AppData\Local\Temp\ca.crt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:432
- C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe
  "C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2404
- C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
  "C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
  "C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe
  "C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1500
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /TN FT_ESWebSocket_A8B1F6F5477B /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /TN FT_SWebSocket_A8B1F6F5477B /tr "'C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe'" /sc MINUTE /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1032
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /TN 1FT_OneEsHttpServer_B8B1F6F5477B /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1004
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /TN 1FT_OneEsHttpServer_B8B1F6F5477B /tr "'C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe'" /sc MINUTE /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2320
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /TN 2FT_TwoFtESWebSocket_C8B1F6F5477B /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1028
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /TN 2FT_TwoFtESWebSocket_C8B1F6F5477B /tr "'C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe'" /sc MINUTE /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:608
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule name=EsFtWebSocket
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1296
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=EsFtWebSocket dir=in action=allow program="C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe" enable=yes profile=public,private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1496
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule name=EsHttpServer
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2500
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=EsHttpServer dir=in action=allow program="C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe" enable=yes profile=public,private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2192
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule name=EsWebSocket
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2648
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=EsWebSocket dir=in action=allow program="C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe" enable=yes profile=public,private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2768

C:\Windows\system32\taskeng.exe
taskeng.exe {9CD9286E-BD9B-48BA-B759-C09293B06691} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]
1⤵
PID:2704
- C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
  "C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
  "C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3016
- C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe
  "C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2596
- C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
  "C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1864
- C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
  "C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1716
- C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe
  "C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:584
- C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
  "C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1776
- C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
  "C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1352
- C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe
  "C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe

Filesize
2.5MB

MD5
17ab752429d2e81d75cb6f09fb0583bc

SHA1
86dd820cce0902abbb1a840b0a1668b8938e6ae6

SHA256
3120f4bcc4b6e0d7ddf8245a51604219bdaa01ed94890ca0705c5588a1a254f6

SHA512
b0e5260997b52c6449506a911d5bc0605fb1293d4c6fa69dd70e27152327e6466437fdda0ab00b4112985b424893667fe97f2d95457affc3e42df88db9210532

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca.crt

Filesize
1KB

MD5
2c4f4a547771e088e61346836dd1cfb3

SHA1
33cd72b6e1f1157d6a536a75bad6d4e0d91c5b86

SHA256
040072b3367930ac96b7bfc1f7366272ee9c18e85f5110119a4d7d07556eb296

SHA512
661266cf2c936e63558d6cd66d4fe51e4325287b293bb6bd06cae282bb14a31764baaed9914d79ec3a8e03d8c89f17180cc58da1384efcfb9c8df4c54f8644a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cert.cer

Filesize
1KB

MD5
9d537451e919743026967da200358440

SHA1
5a782f53bf8b9f487221e6d7e3b528612ae6883f

SHA256
27544f1e19e23eb009dbe88006b010eac236d54c3de73cc26b1ffe0372cef59a

SHA512
344d275eb14330dbcdf490eed437c12312b7e4f5aae02229d702fe07040a94b73bd15b0c1e99f03207444404f2c7d3b3192a674d13700cfd454ef6a660ef4a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFirefox64.dll

Filesize
99KB

MD5
f9d5e26985f3373c0cf6c81fc77282aa

SHA1
eb583db51757159aeac8f763eb47769e00a1697e

SHA256
563a0662dc1fe246cd228a822d11ea3d00a7582b382e991c2aa6efa1d8e44407

SHA512
85b5ab236ef0977e879638e6fbd0d7157bc030c5e5f63151a6373bd024e48228ab970b220a993ce59481b922ac9bb9891a9c69109d5bb29020d27bc4eca51e99

Download Submit
C:\Users\Admin\AppData\Roaming\mozilla\firefox\Profiles\pzuz3epu.default-release\cert9.db

Filesize
224KB

MD5
f9b0e0d3dd42b3ff041def94467cf2c2

SHA1
7b49da07fd43d81fdbe65afd1691288ac97c10aa

SHA256
5d5d64f5d22ef45e0c0f06357a69658193804318ee1663c8b8a77d3328a58a3e

SHA512
37515f203834cb4ac54ae3586c55196324bf64459c0ab211042117f332e6998fff770126a0cbe424541cd7d2d38fe5acb91cc495259167491d85c8962a2edff8

Download Submit
C:\Users\Admin\AppData\Roaming\mozilla\firefox\Profiles\pzuz3epu.default-release\key4.db

Filesize
288KB

MD5
7bee53229b241b70b35df38e5339cb4f

SHA1
99fe6b88dc265b72d69cbbc050ffd95f3756d54b

SHA256
822a448832b2144b056454819fb9e59c195511e03b4972efdb7bbdaa0a4807b8

SHA512
bb2e89c67b7ec587557a4903b3985f77938d44689a214cf8ec7318b5e3f25d526024b4d546529dacbdc09ceeb2b51220187ff8b78e2679ecd9633c2176d06df0

Download Submit
\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe

Filesize
2.1MB

MD5
e88fcf35be36ccf3fa8ca6d441be74ac

SHA1
2fa310e1b8a0a1474b73c66c34a6feec2aa47c0f

SHA256
bb07c4b20e879b1feb42d8206f95ddf6c012871d8f5fe9773b47089f7772a712

SHA512
78cb8de754863f34e5add22e22e1307b51298462abd585c410e520e10f56502564e548189df3abd506b878640cfbf14ad4df4c11091f463b81231a2505ab7f59

Download Submit
\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe

Filesize
2.1MB

MD5
f766dace38bac14936a1b955661b6876

SHA1
44b99d1eda89d91f022387168460dadd3e6409c0

SHA256
ea44506c86426feed0ac905a1e23f02ed20c7a33623bec9c8fc0a0986a3f02b0

SHA512
3c35536226078d305fd557a92c132e1b28a2ba420270a0f10eb3e9849655e5b471b40c71f6ee03c98845c12eb656e3c4b57ab5b6b80c45d7e0942d78baf6186c

Download Submit
\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe

Filesize
91KB

MD5
a391daff8d9634979d0105b47a4138bf

SHA1
29f15a6f0b60d31ceca9fb2bfff7347ab8534ddf

SHA256
9d2532c5e809ee72ef1f277d1161073f8501f1b1d814627fbd62ae0447ccca1a

SHA512
3d299217a3f50b53c208d0265b8ce349d66661e5de451ac8050148710ee6931517667dd2562245764c1f104c568c877f4a984bec313169cb0475ed0347b96e0b

Download Submit
\Users\Admin\AppData\Local\Temp\nse82E9.tmp

Filesize
26KB

MD5
8e83b78d2e265d29a6751df565646da6

SHA1
f9a54b5f68d75a68391ebe8e56f2d4e6cffd6f69

SHA256
cd7b928678e0ad3c6a325103aaba21d00d4bac58fdf726f38c282f4f93def1b1

SHA512
7243a2487675b2f223747b77548be6fb337f3d92c82ec854becf422c84005096ed16e27d1ab7c6784f0b7bfe215c90eb65f0e2da07ec31eb38219b48d4c54424

Download Submit
\Users\Admin\AppData\Local\Temp\nssFirefox.dll

Filesize
68KB

MD5
dd3a47083df04500bbed296cad50c17a

SHA1
8479a361c83ff6a1aeec222409f630d10b97abab

SHA256
057301b32288b473d16d494fad6a933f1d80bda5dedded6700dcfb98c0997ec3

SHA512
074715818bde2c659c34c87cfe251e634365ab6b309a2150b1a50ba97291148286789c70d3f2ab7f0a09a3f7119f90fac814590f1b49b88126df4eafaf86eb0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsz82C9.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
\Users\Admin\AppData\Local\Temp\nsz82C9.tmp\nsExec.dll

Filesize
6KB

MD5
08e9796ca20c5fc5076e3ac05fb5709a

SHA1
07971d52dcbaa1054060073571ced046347177f7

SHA256
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

SHA512
02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

Download Submit
\Users\Admin\AppData\Local\Temp\nsz9696.tmp\System.dll

Filesize
11KB

MD5
301a9c8739ed3ed955a1bdc472d26f32

SHA1
a830ab9ae6e8d046b7ab2611bea7a0a681f29a43

SHA256
6ec9fde89f067b1807325b05089c3ae4822ce7640d78e6f32dbe52f582de1d92

SHA512
41d88489ecb5ec64191493a1ed2ed7095678955d9fa72cccea2ae76dd794e62e7b5bd3aa2c313fb4bdf41c2f89f29e4cafe43d564ecad80fce1bf0a240b1e094

Download Submit
\Users\Admin\AppData\Local\Temp\regFirefox64.exe

Filesize
45KB

MD5
8b26d23ed0026eaf0a58b3a082195ae2

SHA1
5b97c588f10cf7cf81fb6364247a94d59db0f908

SHA256
39e74e20de6b3be080f1454293546a50d0ef2f3a78b96b23c02bb35003a62833

SHA512
5853af3874fc4fa2a93b1f8ef3e42a78ed6451a13476696fbff188311099addbd9dabd87688a1c2bba75c8f57624aa5913cc37659d753969e20cdbd073854ecb

Download Submit
memory/2080-7-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download