c9be0e41a686fc3836c1d117c8b58d763532839ec84cd9024a0185e2c1165f01

Analysis

max time kernel
111s
max time network
96s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef0e411457af2287f0376372fb5ea2d0N.exe
Size

6.7MB
MD5

ef0e411457af2287f0376372fb5ea2d0
SHA1

c68815eb21262a135dd82169498c87f4a44119df
SHA256

c9be0e41a686fc3836c1d117c8b58d763532839ec84cd9024a0185e2c1165f01
SHA512

124ed67ec951a6f97df9d2b60ecfc2d7ec8c10121cf93367eafc5fef6b79f6cc890d18593e498aa2ae94a4ee0d1deb67a22491a5b562e16f64e9aab3ff679c43
SSDEEP

98304:NuX4jhmCbtfUdmhNRcLo2xroQt3UMxvNGQFBDq1O5mhLb5zpAZxBWw2BqsB6nnrY:ZkefxNRcUexQQXKimt5zpAZqlBqsCspN

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2440	ef0e411457af2287f0376372fb5ea2d0N.tmp

Loads dropped DLL 4 IoCs

pid	Process
3008	ef0e411457af2287f0376372fb5ea2d0N.exe
2440	ef0e411457af2287f0376372fb5ea2d0N.tmp
2440	ef0e411457af2287f0376372fb5ea2d0N.tmp
2440	ef0e411457af2287f0376372fb5ea2d0N.tmp

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
6	ipinfo.io

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef0e411457af2287f0376372fb5ea2d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef0e411457af2287f0376372fb5ea2d0N.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskkill.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1176	Taskkill.exe
2452	Taskkill.exe
2884	Taskkill.exe
584	Taskkill.exe
2972	Taskkill.exe
2656	Taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ef0e411457af2287f0376372fb5ea2d0N.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ef0e411457af2287f0376372fb5ea2d0N.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2440	ef0e411457af2287f0376372fb5ea2d0N.tmp

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	Taskkill.exe
Token: SeDebugPrivilege	2452	Taskkill.exe
Token: SeDebugPrivilege	2884	Taskkill.exe
Token: SeDebugPrivilege	584	Taskkill.exe
Token: SeDebugPrivilege	2972	Taskkill.exe
Token: SeDebugPrivilege	2656	Taskkill.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2440	3008	ef0e411457af2287f0376372fb5ea2d0N.exe	30
PID 3008 wrote to memory of 2440	3008	ef0e411457af2287f0376372fb5ea2d0N.exe	30
PID 3008 wrote to memory of 2440	3008	ef0e411457af2287f0376372fb5ea2d0N.exe	30
PID 3008 wrote to memory of 2440	3008	ef0e411457af2287f0376372fb5ea2d0N.exe	30
PID 3008 wrote to memory of 2440	3008	ef0e411457af2287f0376372fb5ea2d0N.exe	30
PID 3008 wrote to memory of 2440	3008	ef0e411457af2287f0376372fb5ea2d0N.exe	30
PID 3008 wrote to memory of 2440	3008	ef0e411457af2287f0376372fb5ea2d0N.exe	30
PID 2440 wrote to memory of 1176	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	31
PID 2440 wrote to memory of 1176	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	31
PID 2440 wrote to memory of 1176	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	31
PID 2440 wrote to memory of 1176	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	31
PID 2440 wrote to memory of 2452	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	34
PID 2440 wrote to memory of 2452	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	34
PID 2440 wrote to memory of 2452	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	34
PID 2440 wrote to memory of 2452	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	34
PID 2440 wrote to memory of 2884	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	36
PID 2440 wrote to memory of 2884	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	36
PID 2440 wrote to memory of 2884	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	36
PID 2440 wrote to memory of 2884	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	36
PID 2440 wrote to memory of 584	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	38
PID 2440 wrote to memory of 584	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	38
PID 2440 wrote to memory of 584	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	38
PID 2440 wrote to memory of 584	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	38
PID 2440 wrote to memory of 2972	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	40
PID 2440 wrote to memory of 2972	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	40
PID 2440 wrote to memory of 2972	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	40
PID 2440 wrote to memory of 2972	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	40
PID 2440 wrote to memory of 2656	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	42
PID 2440 wrote to memory of 2656	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	42
PID 2440 wrote to memory of 2656	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	42
PID 2440 wrote to memory of 2656	2440	ef0e411457af2287f0376372fb5ea2d0N.tmp	42

C:\Users\Admin\AppData\Local\Temp\ef0e411457af2287f0376372fb5ea2d0N.exe
"C:\Users\Admin\AppData\Local\Temp\ef0e411457af2287f0376372fb5ea2d0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\is-R4FHK.tmp\ef0e411457af2287f0376372fb5ea2d0N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-R4FHK.tmp\ef0e411457af2287f0376372fb5ea2d0N.tmp" /SL5="$4010A,6560080,223744,C:\Users\Admin\AppData\Local\Temp\ef0e411457af2287f0376372fb5ea2d0N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\Taskkill.exe
    "Taskkill.exe" /IM BetterHash.exe /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- - C:\Windows\SysWOW64\Taskkill.exe
    "Taskkill.exe" /IM UnRAR.exe /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- - C:\Windows\SysWOW64\Taskkill.exe
    "Taskkill.exe" /IM BetterHash-main.exe /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\SysWOW64\Taskkill.exe
    "Taskkill.exe" /IM BetterHash-main-g.exe /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:584
- - C:\Windows\SysWOW64\Taskkill.exe
    "Taskkill.exe" /IM pcupd.exe /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\SysWOW64\Taskkill.exe
    "Taskkill.exe" /IM OhGodAnETHlargementPill-r2.exe /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-R4FHK.tmp\ef0e411457af2287f0376372fb5ea2d0N.tmp

Filesize
855KB

MD5
63df8e2e28158591b7d9722f63a92934

SHA1
a133381ad36a2b54dab0d9e64e4a895bbc04e770

SHA256
868e5f4c2dfe86ea63ecc55872f6db4bbd1be2fe355fb75e2bf2578fe7845e27

SHA512
a866d0c69f6f143fbdfb89a2597243697520343152cef9ee938002d6022f4ec3ebfa270fa9f49eb55fc60a991d7971ec46a80623022a35e90c0afcc496be9ed3

Download Submit
\Users\Admin\AppData\Local\Temp\is-U2HQD.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-U2HQD.tmp\analytics_v2.dll

Filesize
4.5MB

MD5
14fbcbb87fe9518680903eb1683dc1be

SHA1
10358e2ba329aef7f6b5e861e818b1b6ef777ce6

SHA256
9485fc765bb9b8bb46dca8fede4c0ddd315febf7b0ac75e56240d6f4ac85883a

SHA512
657e10f44f76c926c191800ad40ed47d678a5463bcca61d4ff4a0c35738dd0257cea4a32031fb9819fc88676915e26ea25920df8f6287812339702fcf15f2f0a

Download Submit
memory/2440-8-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2440-21-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2440-22-0x0000000074ED0000-0x000000007537B000-memory.dmp

Filesize
4.7MB

Download
memory/2440-49-0x0000000074ED0000-0x000000007537B000-memory.dmp

Filesize
4.7MB

Download
memory/3008-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3008-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3008-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download