Analysis

  • max time kernel: 143s
  • max time network: 115s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 25/08/2024, 06:28

General

  • Target: $TEMP/EsWebSocketKit.exe
  • Size: 2.0MB
  • MD5: 03608817f4280e182fe17dcc532b78af
  • SHA1: 3810abd4bab3e9b962c96019a2e73422c90fbc31
  • SHA256: 211e3a7eac588949321ab2bafd1317a18b5c33f5064faff26f5b1d409d73e4d3
  • SHA512: aa1f690f29e893b61a2ae18eb364457aab7086ccfa6394bd46b60e94f6d7834f93b6a5e336a32dae251fb79db0a70265d3ca0703c19cd6d99314aecef6cfae5f
  • SSDEEP: 49152:xQxqVOQPx6T4ooThi+cKS6aWM0A5sT4KV3Bm:xQxqVM4Xi+/7aW3wsNJg

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Modifies Windows Firewall 2 TTPs 6 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Executes dropped EXE 15 IoCs
  • Loads dropped DLL 46 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 3 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\EsWebSocketKit.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\EsWebSocketKit.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3180
    • C:\Windows\SysWOW64\taskkill.exe
      C:\Windows\system32\taskkill.exe /f /im ESWebSocket.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1752
    • C:\Windows\SysWOW64\taskkill.exe
      C:\Windows\system32\taskkill.exe /f /im EsFtWebSocket.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5000
    • C:\Windows\SysWOW64\taskkill.exe
      C:\Windows\system32\taskkill.exe /f /im EsHttpServer.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\SysWOW64\CheckNetIsolation.exe
      CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3332
    • C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe
      C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe /init /cert C:\Users\Admin\AppData\Local\Temp\cert.cer
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2076
    • C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe
      C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe /init /cert C:\Users\Admin\AppData\Local\Temp\ca.crt
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4520
    • C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe
      "C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3404
    • C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
      "C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4996
    • C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
      "C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2124
    • C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe
      "C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4348
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /TN FT_ESWebSocket_A8B1F6F5477B /F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2024
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /TN FT_SWebSocket_A8B1F6F5477B /tr "'C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe'" /sc MINUTE /mo 1
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4272
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /TN 1FT_OneEsHttpServer_B8B1F6F5477B /F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5032
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /TN 1FT_OneEsHttpServer_B8B1F6F5477B /tr "'C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe'" /sc MINUTE /mo 1
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4188
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /TN 2FT_TwoFtESWebSocket_C8B1F6F5477B /F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4484
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /TN 2FT_TwoFtESWebSocket_C8B1F6F5477B /tr "'C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe'" /sc MINUTE /mo 1
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:5024
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name=EsFtWebSocket
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1556
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=EsFtWebSocket dir=in action=allow program="C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe" enable=yes profile=public,private
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:3916
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name=EsHttpServer
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:4644
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=EsHttpServer dir=in action=allow program="C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe" enable=yes profile=public,private
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:3376
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name=EsWebSocket
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:4992
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name=EsWebSocket dir=in action=allow program="C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe" enable=yes profile=public,private
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1596
  • C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe
    "C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:3764
  • C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
    "C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:5032
  • C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
    "C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:4784
  • C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe
    "C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:3052
  • C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
    "C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:4496
  • C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
    "C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:4992
  • C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe
    "C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:736
  • C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
    "C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2768
  • C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
    "C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:3696

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\EsWebSocketKit\EsFtWebSocket.exe
    Filesize: 2.1MB
    MD5: e88fcf35be36ccf3fa8ca6d441be74ac
    SHA1: 2fa310e1b8a0a1474b73c66c34a6feec2aa47c0f
    SHA256: bb07c4b20e879b1feb42d8206f95ddf6c012871d8f5fe9773b47089f7772a712
    SHA512: 78cb8de754863f34e5add22e22e1307b51298462abd585c410e520e10f56502564e548189df3abd506b878640cfbf14ad4df4c11091f463b81231a2505ab7f59

  • C:\Program Files (x86)\EsWebSocketKit\EsHttpServer.exe
    Filesize: 2.5MB
    MD5: 17ab752429d2e81d75cb6f09fb0583bc
    SHA1: 86dd820cce0902abbb1a840b0a1668b8938e6ae6
    SHA256: 3120f4bcc4b6e0d7ddf8245a51604219bdaa01ed94890ca0705c5588a1a254f6
    SHA512: b0e5260997b52c6449506a911d5bc0605fb1293d4c6fa69dd70e27152327e6466437fdda0ab00b4112985b424893667fe97f2d95457affc3e42df88db9210532

  • C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe
    Filesize: 2.1MB
    MD5: f766dace38bac14936a1b955661b6876
    SHA1: 44b99d1eda89d91f022387168460dadd3e6409c0
    SHA256: ea44506c86426feed0ac905a1e23f02ed20c7a33623bec9c8fc0a0986a3f02b0
    SHA512: 3c35536226078d305fd557a92c132e1b28a2ba420270a0f10eb3e9849655e5b471b40c71f6ee03c98845c12eb656e3c4b57ab5b6b80c45d7e0942d78baf6186c

  • C:\Program Files (x86)\EsWebSocketKit\FirefoxMOIT.exe
    Filesize: 91KB
    MD5: a391daff8d9634979d0105b47a4138bf
    SHA1: 29f15a6f0b60d31ceca9fb2bfff7347ab8534ddf
    SHA256: 9d2532c5e809ee72ef1f277d1161073f8501f1b1d814627fbd62ae0447ccca1a
    SHA512: 3d299217a3f50b53c208d0265b8ce349d66661e5de451ac8050148710ee6931517667dd2562245764c1f104c568c877f4a984bec313169cb0475ed0347b96e0b

  • C:\Users\Admin\AppData\Local\Temp\ca.crt
    Filesize: 1KB
    MD5: 2c4f4a547771e088e61346836dd1cfb3
    SHA1: 33cd72b6e1f1157d6a536a75bad6d4e0d91c5b86
    SHA256: 040072b3367930ac96b7bfc1f7366272ee9c18e85f5110119a4d7d07556eb296
    SHA512: 661266cf2c936e63558d6cd66d4fe51e4325287b293bb6bd06cae282bb14a31764baaed9914d79ec3a8e03d8c89f17180cc58da1384efcfb9c8df4c54f8644a9

  • C:\Users\Admin\AppData\Local\Temp\cert.cer
    Filesize: 1KB
    MD5: 9d537451e919743026967da200358440
    SHA1: 5a782f53bf8b9f487221e6d7e3b528612ae6883f
    SHA256: 27544f1e19e23eb009dbe88006b010eac236d54c3de73cc26b1ffe0372cef59a
    SHA512: 344d275eb14330dbcdf490eed437c12312b7e4f5aae02229d702fe07040a94b73bd15b0c1e99f03207444404f2c7d3b3192a674d13700cfd454ef6a660ef4a69

  • C:\Users\Admin\AppData\Local\Temp\nsl87A1.tmp\System.dll
    Filesize: 11KB
    MD5: 959ea64598b9a3e494c00e8fa793be7e
    SHA1: 40f284a3b92c2f04b1038def79579d4b3d066ee0
    SHA256: 03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b
    SHA512: 5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

  • C:\Users\Admin\AppData\Local\Temp\nsl87A1.tmp\nsExec.dll
    Filesize: 6KB
    MD5: 08e9796ca20c5fc5076e3ac05fb5709a
    SHA1: 07971d52dcbaa1054060073571ced046347177f7
    SHA256: 8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
    SHA512: 02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

  • C:\Users\Admin\AppData\Local\Temp\nsl87A2.tmp
    Filesize: 26KB
    MD5: 8e83b78d2e265d29a6751df565646da6
    SHA1: f9a54b5f68d75a68391ebe8e56f2d4e6cffd6f69
    SHA256: cd7b928678e0ad3c6a325103aaba21d00d4bac58fdf726f38c282f4f93def1b1
    SHA512: 7243a2487675b2f223747b77548be6fb337f3d92c82ec854becf422c84005096ed16e27d1ab7c6784f0b7bfe215c90eb65f0e2da07ec31eb38219b48d4c54424

  • C:\Users\Admin\AppData\Local\Temp\nsp92EA.tmp\System.dll
    Filesize: 11KB
    MD5: 301a9c8739ed3ed955a1bdc472d26f32
    SHA1: a830ab9ae6e8d046b7ab2611bea7a0a681f29a43
    SHA256: 6ec9fde89f067b1807325b05089c3ae4822ce7640d78e6f32dbe52f582de1d92
    SHA512: 41d88489ecb5ec64191493a1ed2ed7095678955d9fa72cccea2ae76dd794e62e7b5bd3aa2c313fb4bdf41c2f89f29e4cafe43d564ecad80fce1bf0a240b1e094

  • C:\Users\Admin\AppData\Local\Temp\nssFirefox.dll
    Filesize: 68KB
    MD5: dd3a47083df04500bbed296cad50c17a
    SHA1: 8479a361c83ff6a1aeec222409f630d10b97abab
    SHA256: 057301b32288b473d16d494fad6a933f1d80bda5dedded6700dcfb98c0997ec3
    SHA512: 074715818bde2c659c34c87cfe251e634365ab6b309a2150b1a50ba97291148286789c70d3f2ab7f0a09a3f7119f90fac814590f1b49b88126df4eafaf86eb0c

  • C:\Users\Admin\AppData\Local\Temp\nssFirefox64.dll
    Filesize: 99KB
    MD5: f9d5e26985f3373c0cf6c81fc77282aa
    SHA1: eb583db51757159aeac8f763eb47769e00a1697e
    SHA256: 563a0662dc1fe246cd228a822d11ea3d00a7582b382e991c2aa6efa1d8e44407
    SHA512: 85b5ab236ef0977e879638e6fbd0d7157bc030c5e5f63151a6373bd024e48228ab970b220a993ce59481b922ac9bb9891a9c69109d5bb29020d27bc4eca51e99

  • C:\Users\Admin\AppData\Local\Temp\regFirefox64.exe
    Filesize: 45KB
    MD5: 8b26d23ed0026eaf0a58b3a082195ae2
    SHA1: 5b97c588f10cf7cf81fb6364247a94d59db0f908
    SHA256: 39e74e20de6b3be080f1454293546a50d0ef2f3a78b96b23c02bb35003a62833
    SHA512: 5853af3874fc4fa2a93b1f8ef3e42a78ed6451a13476696fbff188311099addbd9dabd87688a1c2bba75c8f57624aa5913cc37659d753969e20cdbd073854ecb

  • C:\Users\Admin\AppData\Roaming\mozilla\firefox\Profiles\zrrtvxky.default-release\cert9.db
    Filesize: 224KB
    MD5: ad3e3ec0bd71bc67c751e7c81390ff1f
    SHA1: 0f9d0a62dafb24ab956f122777aa7d9656a0ac02
    SHA256: ddf258bc97c1946f1c16e55aa78e6cce67db9514c003535a43720da21b896762
    SHA512: 50eb0b78d888446593fc6fd69afe468519dfcc1343ab4eb561f58c61b50b196381fdd33f763647d4ad5cfff81c7a1bff1b7f3f2ce5f98df3faeff112cb5eac40

  • C:\Users\Admin\AppData\Roaming\mozilla\firefox\Profiles\zrrtvxky.default-release\key4.db
    Filesize: 288KB
    MD5: 903d48d613698850b9647b3301b55310
    SHA1: 6e4100663fe8b3cb64ac172f43f945b7b1e3098e
    SHA256: 37cf1fc5394f3dbff8ac8803507557ea3ae8b447b4f0e863242395a34faef561
    SHA512: f0171970806362474f06e1cc9b9151d76db6ac6a1ea5bebdabd60fbaa6ae787b426a9ffaac8f410217ee77443396b748cbddc86637d4154c04eee8ec11febc52

  • memory/3180-9-0x00000000023C0000-0x00000000023CA000-memory.dmp
    Filesize: 40KB