e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37

Analysis

max time kernel
143s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/EsWebSocketKit.exe
Size

2.0MB
MD5

03608817f4280e182fe17dcc532b78af
SHA1

3810abd4bab3e9b962c96019a2e73422c90fbc31
SHA256

211e3a7eac588949321ab2bafd1317a18b5c33f5064faff26f5b1d409d73e4d3
SHA512

aa1f690f29e893b61a2ae18eb364457aab7086ccfa6394bd46b60e94f6d7834f93b6a5e336a32dae251fb79db0a70265d3ca0703c19cd6d99314aecef6cfae5f
SSDEEP

49152:xQxqVOQPx6T4ooThi+cKS6aWM0A5sT4KV3Bm:xQxqVM4Xi+/7aW3wsNJg

Score

7^/10

discovery evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EsFtWebSocketKit = "\"C:\\Program Files (x86)\\EsWebSocketKit\\EsFtWebSocket.exe\""	EsWebSocketKit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EsHttpServer = "\"C:\\Program Files (x86)\\EsWebSocketKit\\EsHttpServer.exe\""	EsWebSocketKit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EsWebSocketKit = "\"C:\\Program Files (x86)\\EsWebSocketKit\\ESWebSocket.exe\""	EsWebSocketKit.exe

Modifies Windows Firewall 2 TTPs 6 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1556	netsh.exe
3916	netsh.exe
4644	netsh.exe
3376	netsh.exe
4992	netsh.exe
1596	netsh.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\server.crt	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\IActiveXCtrl.dll	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\dh.pem	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\cert.cer	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\cert.key	EsWebSocketKit.exe
File created	C:\Program Files (x86)\EsWebSocketKit\server.key	EsWebSocketKit.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\root_cert_setting_for_websocket.js	EsWebSocketKit.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\root_cert_setting_for_websocket.js	EsWebSocketKit.exe

Executes dropped EXE 15 IoCs

pid	Process
2076	regFirefox64.exe
4520	regFirefox64.exe
3404	ESWebSocket.exe
4996	EsFtWebSocket.exe
2124	EsHttpServer.exe
4348	FirefoxMOIT.exe
3764	ESWebSocket.exe
5032	EsHttpServer.exe
4784	EsFtWebSocket.exe
3052	ESWebSocket.exe
4496	EsHttpServer.exe
4992	EsFtWebSocket.exe
736	ESWebSocket.exe
2768	EsHttpServer.exe
3696	EsFtWebSocket.exe

Loads dropped DLL 46 IoCs

pid	Process
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
2076	regFirefox64.exe
4520	regFirefox64.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
4348	FirefoxMOIT.exe
4348	FirefoxMOIT.exe
4348	FirefoxMOIT.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FirefoxMOIT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsFtWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsFtWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsWebSocketKit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsFtWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsHttpServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsHttpServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsHttpServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsHttpServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESWebSocket.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EsFtWebSocket.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1752	taskkill.exe
5000	taskkill.exe
2656	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\07A909A89FC6857FEAD7726BF955F1E4E8EDF922	EsWebSocketKit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\07A909A89FC6857FEAD7726BF955F1E4E8EDF922\Blob = 5c00000001000000040000000008000003000000010000001400000007a909a89fc6857fead7726bf955f1e4e8edf922190000000100000010000000b5d296234cf132adc29bb6fec0549c6214000000010000002000000031c1dcb87b45e72861bdea4038e309f052fc83115c30da4cfb5fbfb6ea0ae7770f000000010000002000000098d78429350107d66f9d9a4b7bf2cc0a4d1c75cb2062d1d02fbbd2105dc9880b0400000001000000100000001711793f00ff2d2fb5144003374c02832000000001000000d5030000308203d1308202b9a003020102021100bd261f436c61432fd735c301bb7bfc05300d06092a864886f70d01010b0500307c310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d53616e204672616e636973636f311c301a060355040a0c13776562736f636b6574406c6f63616c686f73743122302006035504030c19746c7363612e776562736f636b6574406c6f63616c686f7374301e170d3137303932323031343134305a170d3237303932303031343134305a307c310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d53616e204672616e636973636f311c301a060355040a0c13776562736f636b6574406c6f63616c686f73743122302006035504030c19746c7363612e776562736f636b6574406c6f63616c686f737430820122300d06092a864886f70d01010105000382010f003082010a0282010100bf4c1314166876a6dd73a80cd1777394390922f9edceb0f2cce4a3ddff9641089c2a0649a6de8c6154db3236fc10ba3abe9a8856d218fff49265cafa950d82e94d2cb091a26db2b4eb90489a1f609581ab65da9858c3ccb77fd633e6b23dce343d423ea0318aed787db8435a108bd1336a20ee7ae38be7e9482c82570829da911fa7c74937d38930b78a1b2a6ede1bc07e7bcec5d6280e25bca71006418456e551598472181b8d7d7c475177b2258134d93daa51b7962eded0bd6624f642ff8458c2d76287cb19975a3ceb2671499655a110cfc250c3fe764fbc3d435d9386b78bf05f91c4491c63ff0b81aa98d2e9f42bd2bb6a95f21e8be826f2411c7c598f0203010001a34e304c300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff30290603551d0e0422042031c1dcb87b45e72861bdea4038e309f052fc83115c30da4cfb5fbfb6ea0ae777300d06092a864886f70d01010b050003820101000509d1f6bcdc17bdb0b3942023ed6d3518675193959c12d912ac9d4a7e5476781360c75ecf9d3ce96188840fe0bb14f7ec1c3d042d6c1d05106aee718cd5828d62674a8f3f9f6891ae16468d7273c0cbb928ee3dd98afe6e6965123f1451f13609029eceb15ad4b88a1102ce230a7311306f1c6c9a9d6318f909e738b006076e0c37e37e0e2f2de0bc6c7a0e6c105adc4876d8c84c9f825577a4021452f40d73aeabbf4667f67c29bb4b78c91e240bb4f2a7bf0300d81c8abace56e5e1e6c0a246fa9283e660515f355bb53ea43d704b17a4623eb73686643679a7ef3eee39a6a04c7d307810d8996c77d72abcbb3ef4658e069eec2138227b9186d8b3906912	EsWebSocketKit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\5B2CB7BC03D02624FC74258DF56BA16EF1AD7D93	EsWebSocketKit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5B2CB7BC03D02624FC74258DF56BA16EF1AD7D93\Blob = 040000000100000010000000b6ada6ec197166ac670578e5179ea8d30f000000010000002000000027c5042bd2e1421369948ea130e4e7604817c0d13045932ed48a2cb10c8caa0c1400000001000000140000004b9d236fccf3dd4d028b0d1e2f732a102b0768131900000001000000100000002f27ccec88d8b37b4748eb029e5e86730300000001000000140000005b2cb7bc03d02624fc74258df56ba16ef1ad7d935c00000001000000040000000008000020000000010000000703000030820303308201eba003020102021458ec850fc4222148b495042df3060fec709d745d300d06092a864886f70d01010b050030143112301006035504030c096c6f63616c686f7374301e170d3231313032323031313631355a170d3331313032303031313631355a30143112301006035504030c096c6f63616c686f737430820122300d06092a864886f70d01010105000382010f003082010a0282010100acf048bf504d5458d7d5f423a75f344bdb725c6d3f66168de6ae5b6d2c1ddc1cf68b2f502c3289b4ad85fff349de511077c574ce25c1f70db80b5af9dc092e48922fe4b4fb1a0dd6aa55fbb35b6b24ab55cc84bc7d5eeaabb27a86a83b5f134c19e6f00b05dbed856645a4ae83f829b7d59e7f396826c05184f161ee5887d63e195070b589c4b51a9953e4112ef501439fb426003bae81bc99a4dd110aaf2122a345e53e96cbf195a365bd4ae7abce44f1e58221bdd2cf0a364611271fd2c83da396e4289cf0ff56b9691371749b1d4b0c358f37c5f62da15133b19775487a17c1ebab90b1122f690708fc29b6fe0fc17d205d6049d4cdd8cc2057dc144d08310203010001a34d304b300b0603551d0f0404030205e030130603551d25040c300a06082b0601050507030130270603551d110420301e82096c6f63616c686f7374820b2a2e6c6f63616c686f737487047f000001300d06092a864886f70d01010b050003820101008fb9b28d4187eda354b68f275b6dd7a0fc3578814230a378a476c0aa73065e552c15b08058c06cbc6eb475d9c567f8740eb984bc6029e532813863e5daf46894b34d4b7d12c3d73f3ba304605a3b60199f773ec824280cc428a63b326dd0e2a15bb442153022f7c776fefea68182dd451e2e3e3c15e01628b0f349ddada030119b31017827042e49d765c079ddd584c0b8b09145e2d7ecee92c2832c1f2f9f5bd91357a890c633faefd7d1270994bfd07fab90b19323d358a7ea0327031b2b50dd965e6050f061256e5e231e526c59da97449cb6f721ea69abdb6e92fe2513230001500f17add84a5434ed657b621f6f0daf2dec22abe700c064642e87680094	EsWebSocketKit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4272	schtasks.exe
4188	schtasks.exe
5024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
3180	EsWebSocketKit.exe
4996	EsFtWebSocket.exe
4996	EsFtWebSocket.exe
3404	ESWebSocket.exe
3404	ESWebSocket.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 1752	3180	EsWebSocketKit.exe	86
PID 3180 wrote to memory of 1752	3180	EsWebSocketKit.exe	86
PID 3180 wrote to memory of 1752	3180	EsWebSocketKit.exe	86
PID 3180 wrote to memory of 5000	3180	EsWebSocketKit.exe	90
PID 3180 wrote to memory of 5000	3180	EsWebSocketKit.exe	90
PID 3180 wrote to memory of 5000	3180	EsWebSocketKit.exe	90
PID 3180 wrote to memory of 2656	3180	EsWebSocketKit.exe	92
PID 3180 wrote to memory of 2656	3180	EsWebSocketKit.exe	92
PID 3180 wrote to memory of 2656	3180	EsWebSocketKit.exe	92
PID 3180 wrote to memory of 3332	3180	EsWebSocketKit.exe	94
PID 3180 wrote to memory of 3332	3180	EsWebSocketKit.exe	94
PID 3180 wrote to memory of 3332	3180	EsWebSocketKit.exe	94
PID 3180 wrote to memory of 2076	3180	EsWebSocketKit.exe	96
PID 3180 wrote to memory of 2076	3180	EsWebSocketKit.exe	96
PID 3180 wrote to memory of 4520	3180	EsWebSocketKit.exe	99
PID 3180 wrote to memory of 4520	3180	EsWebSocketKit.exe	99
PID 3180 wrote to memory of 3404	3180	EsWebSocketKit.exe	100
PID 3180 wrote to memory of 3404	3180	EsWebSocketKit.exe	100
PID 3180 wrote to memory of 3404	3180	EsWebSocketKit.exe	100
PID 3180 wrote to memory of 4996	3180	EsWebSocketKit.exe	101
PID 3180 wrote to memory of 4996	3180	EsWebSocketKit.exe	101
PID 3180 wrote to memory of 4996	3180	EsWebSocketKit.exe	101
PID 3180 wrote to memory of 2124	3180	EsWebSocketKit.exe	102
PID 3180 wrote to memory of 2124	3180	EsWebSocketKit.exe	102
PID 3180 wrote to memory of 2124	3180	EsWebSocketKit.exe	102
PID 3180 wrote to memory of 4348	3180	EsWebSocketKit.exe	103
PID 3180 wrote to memory of 4348	3180	EsWebSocketKit.exe	103
PID 3180 wrote to memory of 4348	3180	EsWebSocketKit.exe	103
PID 3180 wrote to memory of 2024	3180	EsWebSocketKit.exe	105
PID 3180 wrote to memory of 2024	3180	EsWebSocketKit.exe	105
PID 3180 wrote to memory of 2024	3180	EsWebSocketKit.exe	105
PID 3180 wrote to memory of 4272	3180	EsWebSocketKit.exe	107
PID 3180 wrote to memory of 4272	3180	EsWebSocketKit.exe	107
PID 3180 wrote to memory of 4272	3180	EsWebSocketKit.exe	107
PID 3180 wrote to memory of 5032	3180	EsWebSocketKit.exe	109
PID 3180 wrote to memory of 5032	3180	EsWebSocketKit.exe	109
PID 3180 wrote to memory of 5032	3180	EsWebSocketKit.exe	109
PID 3180 wrote to memory of 4188	3180	EsWebSocketKit.exe	111
PID 3180 wrote to memory of 4188	3180	EsWebSocketKit.exe	111
PID 3180 wrote to memory of 4188	3180	EsWebSocketKit.exe	111
PID 3180 wrote to memory of 4484	3180	EsWebSocketKit.exe	113
PID 3180 wrote to memory of 4484	3180	EsWebSocketKit.exe	113
PID 3180 wrote to memory of 4484	3180	EsWebSocketKit.exe	113
PID 3180 wrote to memory of 5024	3180	EsWebSocketKit.exe	115
PID 3180 wrote to memory of 5024	3180	EsWebSocketKit.exe	115
PID 3180 wrote to memory of 5024	3180	EsWebSocketKit.exe	115
PID 3180 wrote to memory of 1556	3180	EsWebSocketKit.exe	117
PID 3180 wrote to memory of 1556	3180	EsWebSocketKit.exe	117
PID 3180 wrote to memory of 1556	3180	EsWebSocketKit.exe	117
PID 3180 wrote to memory of 3916	3180	EsWebSocketKit.exe	119
PID 3180 wrote to memory of 3916	3180	EsWebSocketKit.exe	119
PID 3180 wrote to memory of 3916	3180	EsWebSocketKit.exe	119
PID 3180 wrote to memory of 4644	3180	EsWebSocketKit.exe	121
PID 3180 wrote to memory of 4644	3180	EsWebSocketKit.exe	121
PID 3180 wrote to memory of 4644	3180	EsWebSocketKit.exe	121
PID 3180 wrote to memory of 3376	3180	EsWebSocketKit.exe	123
PID 3180 wrote to memory of 3376	3180	EsWebSocketKit.exe	123
PID 3180 wrote to memory of 3376	3180	EsWebSocketKit.exe	123
PID 3180 wrote to memory of 4992	3180	EsWebSocketKit.exe	126
PID 3180 wrote to memory of 4992	3180	EsWebSocketKit.exe	126
PID 3180 wrote to memory of 4992	3180	EsWebSocketKit.exe	126
PID 3180 wrote to memory of 1596	3180	EsWebSocketKit.exe	128
PID 3180 wrote to memory of 1596	3180	EsWebSocketKit.exe	128
PID 3180 wrote to memory of 1596	3180	EsWebSocketKit.exe	128

C:\Users\Admin\AppData\Local\Temp\$TEMP\EsWebSocketKit.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\EsWebSocketKit.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\SysWOW64\taskkill.exe
  C:\Windows\system32\taskkill.exe /f /im ESWebSocket.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\SysWOW64\taskkill.exe
  C:\Windows\system32\taskkill.exe /f /im EsFtWebSocket.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\SysWOW64\taskkill.exe
  C:\Windows\system32\taskkill.exe /f /im EsHttpServer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SysWOW64\CheckNetIsolation.exe
  CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3332
- C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe
  C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe /init /cert C:\Users\Admin\AppData\Local\Temp\cert.cer
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe
  C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe /init /cert C:\Users\Admin\AppData\Local\Temp\ca.crt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4520
- C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe
  "C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3404
- C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
  "C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4996
- C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
  "C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2124
- C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe
  "C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4348
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /TN FT_ESWebSocket_A8B1F6F5477B /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2024
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /TN FT_SWebSocket_A8B1F6F5477B /tr "'C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe'" /sc MINUTE /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4272
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /TN 1FT_OneEsHttpServer_B8B1F6F5477B /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5032
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /TN 1FT_OneEsHttpServer_B8B1F6F5477B /tr "'C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe'" /sc MINUTE /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4188
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /TN 2FT_TwoFtESWebSocket_C8B1F6F5477B /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4484
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /TN 2FT_TwoFtESWebSocket_C8B1F6F5477B /tr "'C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe'" /sc MINUTE /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5024
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule name=EsFtWebSocket
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1556
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=EsFtWebSocket dir=in action=allow program="C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe" enable=yes profile=public,private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3916
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule name=EsHttpServer
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4644
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=EsHttpServer dir=in action=allow program="C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe" enable=yes profile=public,private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3376
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule name=EsWebSocket
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4992
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=EsWebSocket dir=in action=allow program="C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe" enable=yes profile=public,private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1596

C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe
"C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3764

C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
"C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5032

C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
"C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4784

C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe
"C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052

C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
"C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4496

C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
"C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4992

C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe
"C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:736

C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
"C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2768

C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
"C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe

Filesize
2.1MB

MD5
e88fcf35be36ccf3fa8ca6d441be74ac

SHA1
2fa310e1b8a0a1474b73c66c34a6feec2aa47c0f

SHA256
bb07c4b20e879b1feb42d8206f95ddf6c012871d8f5fe9773b47089f7772a712

SHA512
78cb8de754863f34e5add22e22e1307b51298462abd585c410e520e10f56502564e548189df3abd506b878640cfbf14ad4df4c11091f463b81231a2505ab7f59

Download Submit
C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe

Filesize
2.5MB

MD5
17ab752429d2e81d75cb6f09fb0583bc

SHA1
86dd820cce0902abbb1a840b0a1668b8938e6ae6

SHA256
3120f4bcc4b6e0d7ddf8245a51604219bdaa01ed94890ca0705c5588a1a254f6

SHA512
b0e5260997b52c6449506a911d5bc0605fb1293d4c6fa69dd70e27152327e6466437fdda0ab00b4112985b424893667fe97f2d95457affc3e42df88db9210532

Download Submit
C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe

Filesize
2.1MB

MD5
f766dace38bac14936a1b955661b6876

SHA1
44b99d1eda89d91f022387168460dadd3e6409c0

SHA256
ea44506c86426feed0ac905a1e23f02ed20c7a33623bec9c8fc0a0986a3f02b0

SHA512
3c35536226078d305fd557a92c132e1b28a2ba420270a0f10eb3e9849655e5b471b40c71f6ee03c98845c12eb656e3c4b57ab5b6b80c45d7e0942d78baf6186c

Download Submit
C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe

Filesize
91KB

MD5
a391daff8d9634979d0105b47a4138bf

SHA1
29f15a6f0b60d31ceca9fb2bfff7347ab8534ddf

SHA256
9d2532c5e809ee72ef1f277d1161073f8501f1b1d814627fbd62ae0447ccca1a

SHA512
3d299217a3f50b53c208d0265b8ce349d66661e5de451ac8050148710ee6931517667dd2562245764c1f104c568c877f4a984bec313169cb0475ed0347b96e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca.crt

Filesize
1KB

MD5
2c4f4a547771e088e61346836dd1cfb3

SHA1
33cd72b6e1f1157d6a536a75bad6d4e0d91c5b86

SHA256
040072b3367930ac96b7bfc1f7366272ee9c18e85f5110119a4d7d07556eb296

SHA512
661266cf2c936e63558d6cd66d4fe51e4325287b293bb6bd06cae282bb14a31764baaed9914d79ec3a8e03d8c89f17180cc58da1384efcfb9c8df4c54f8644a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cert.cer

Filesize
1KB

MD5
9d537451e919743026967da200358440

SHA1
5a782f53bf8b9f487221e6d7e3b528612ae6883f

SHA256
27544f1e19e23eb009dbe88006b010eac236d54c3de73cc26b1ffe0372cef59a

SHA512
344d275eb14330dbcdf490eed437c12312b7e4f5aae02229d702fe07040a94b73bd15b0c1e99f03207444404f2c7d3b3192a674d13700cfd454ef6a660ef4a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl87A1.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl87A1.tmp\nsExec.dll

Filesize
6KB

MD5
08e9796ca20c5fc5076e3ac05fb5709a

SHA1
07971d52dcbaa1054060073571ced046347177f7

SHA256
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

SHA512
02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl87A2.tmp

Filesize
26KB

MD5
8e83b78d2e265d29a6751df565646da6

SHA1
f9a54b5f68d75a68391ebe8e56f2d4e6cffd6f69

SHA256
cd7b928678e0ad3c6a325103aaba21d00d4bac58fdf726f38c282f4f93def1b1

SHA512
7243a2487675b2f223747b77548be6fb337f3d92c82ec854becf422c84005096ed16e27d1ab7c6784f0b7bfe215c90eb65f0e2da07ec31eb38219b48d4c54424

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp92EA.tmp\System.dll

Filesize
11KB

MD5
301a9c8739ed3ed955a1bdc472d26f32

SHA1
a830ab9ae6e8d046b7ab2611bea7a0a681f29a43

SHA256
6ec9fde89f067b1807325b05089c3ae4822ce7640d78e6f32dbe52f582de1d92

SHA512
41d88489ecb5ec64191493a1ed2ed7095678955d9fa72cccea2ae76dd794e62e7b5bd3aa2c313fb4bdf41c2f89f29e4cafe43d564ecad80fce1bf0a240b1e094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFirefox.dll

Filesize
68KB

MD5
dd3a47083df04500bbed296cad50c17a

SHA1
8479a361c83ff6a1aeec222409f630d10b97abab

SHA256
057301b32288b473d16d494fad6a933f1d80bda5dedded6700dcfb98c0997ec3

SHA512
074715818bde2c659c34c87cfe251e634365ab6b309a2150b1a50ba97291148286789c70d3f2ab7f0a09a3f7119f90fac814590f1b49b88126df4eafaf86eb0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFirefox64.dll

Filesize
99KB

MD5
f9d5e26985f3373c0cf6c81fc77282aa

SHA1
eb583db51757159aeac8f763eb47769e00a1697e

SHA256
563a0662dc1fe246cd228a822d11ea3d00a7582b382e991c2aa6efa1d8e44407

SHA512
85b5ab236ef0977e879638e6fbd0d7157bc030c5e5f63151a6373bd024e48228ab970b220a993ce59481b922ac9bb9891a9c69109d5bb29020d27bc4eca51e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe

Filesize
45KB

MD5
8b26d23ed0026eaf0a58b3a082195ae2

SHA1
5b97c588f10cf7cf81fb6364247a94d59db0f908

SHA256
39e74e20de6b3be080f1454293546a50d0ef2f3a78b96b23c02bb35003a62833

SHA512
5853af3874fc4fa2a93b1f8ef3e42a78ed6451a13476696fbff188311099addbd9dabd87688a1c2bba75c8f57624aa5913cc37659d753969e20cdbd073854ecb

Download Submit
C:\Users\Admin\AppData\Roaming\mozilla\firefox\Profiles\zrrtvxky.default-release\cert9.db

Filesize
224KB

MD5
ad3e3ec0bd71bc67c751e7c81390ff1f

SHA1
0f9d0a62dafb24ab956f122777aa7d9656a0ac02

SHA256
ddf258bc97c1946f1c16e55aa78e6cce67db9514c003535a43720da21b896762

SHA512
50eb0b78d888446593fc6fd69afe468519dfcc1343ab4eb561f58c61b50b196381fdd33f763647d4ad5cfff81c7a1bff1b7f3f2ce5f98df3faeff112cb5eac40

Download Submit
C:\Users\Admin\AppData\Roaming\mozilla\firefox\Profiles\zrrtvxky.default-release\key4.db

Filesize
288KB

MD5
903d48d613698850b9647b3301b55310

SHA1
6e4100663fe8b3cb64ac172f43f945b7b1e3098e

SHA256
37cf1fc5394f3dbff8ac8803507557ea3ae8b447b4f0e863242395a34faef561

SHA512
f0171970806362474f06e1cc9b9151d76db6ac6a1ea5bebdabd60fbaa6ae787b426a9ffaac8f410217ee77443396b748cbddc86637d4154c04eee8ec11febc52

Download Submit
memory/3180-9-0x00000000023C0000-0x00000000023CA000-memory.dmp

Filesize
40KB

Download