1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf

Analysis

max time kernel
94s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 14:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
Size

9.9MB
MD5

b96a2b7fd05215f9c8d2f7ba991043f3
SHA1

ef76540e4faf53d30315481ed6f881236587358d
SHA256

1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf
SHA512

ab1eebb2162a9e5bdf239e6b3873efc40ddfeb43bfee3ba1e5bef05f493866a9733f5eb8fa9d77a23738f1d2a9bcc9b3daba9edebc8d5a6cfdf57458f5df138d
SSDEEP

196608:FRoq+mornkDEFBhIOUxXuDkYdwm59JRmd0++I8OxdbHN41jC9SOXP8Vydq0Xyasw:FRoqGrnkwTQtYdrTX+0++I1xN8jIr0Vm

Score

8^/10

discovery execution persistence privilege_escalation upx

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 6 IoCs

pid	Process
4036	EasyNotebook.exe
4992	ENoteService.exe
1164	dfkieky.exe
4568	presenitaty.exe
2672	uegnent.exe
208	wempnetwk.exe

Loads dropped DLL 5 IoCs

pid	Process
3116	regsvr32.exe
5080	regsvr32.exe
1124	regsvr32.exe
3228	regsvr32.exe
4992	ENoteService.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1616-0-0x0000000000400000-0x0000000000F65000-memory.dmp	upx
behavioral2/memory/1616-43-0x0000000000400000-0x0000000000F65000-memory.dmp	upx
behavioral2/files/0x00070000000234ed-53.dat	upx
behavioral2/memory/4036-57-0x0000000000400000-0x00000000006E6000-memory.dmp	upx
behavioral2/memory/1616-61-0x0000000000400000-0x0000000000F65000-memory.dmp	upx
behavioral2/memory/4036-94-0x0000000000400000-0x00000000006E6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ENote = "\"C:\\Program Files (x86)\\ENote\\main\\EasyNotebook.exe\" -h"	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ENote\un\uninst000.exe	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File opened for modification	C:\Program Files (x86)\ENote\main\calculator.dll	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File created	C:\Program Files (x86)\ENote\main\data\note.db	EasyNotebook.exe
File opened for modification	C:\Program Files (x86)\main.7z	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File opened for modification	C:\Program Files (x86)\ENote\main\EasyNotebook.exe	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File opened for modification	C:\Program Files (x86)\ENote\main\ENoteService.exe	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File opened for modification	C:\Program Files (x86)\ENote\main\7z.dll	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File created	C:\Program Files (x86)\ENote\main\calculator.dll	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File opened for modification	C:\Program Files (x86)\MicrosofService\TeachService.exe	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File opened for modification	C:\Program Files (x86)\ENote\main\Self.ico	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File created	C:\Program Files (x86)\ENote\main\config.ini	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File created	C:\Program Files (x86)\ENote\main\ENoteService.exe	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File created	C:\Program Files (x86)\ENote\main\Update.exe	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File created	C:\Program Files (x86)\MicrosofService\TeachService.exe	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File opened for modification	C:\Program Files (x86)\ENote\main\Config.ini	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File created	C:\Program Files (x86)\main.7z	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File opened for modification	C:\Program Files (x86)\ENote\main\config.ini	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File opened for modification	C:\Program Files (x86)\ENote\un\uninst000.exe	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File opened for modification	C:\Program Files (x86)\ENote\main\Update.exe	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File created	C:\Program Files (x86)\ENote\main\7z.dll	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File opened for modification	C:\Program Files (x86)\ENote\main\config.ini	EasyNotebook.exe
File created	C:\Program Files (x86)\ENote\main\Self.ico	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
File created	C:\Program Files (x86)\ENote\main\EasyNotebook.exe	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3336	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ENoteService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfkieky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	presenitaty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uegnent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wempnetwk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EasyNotebook.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EasyNotebook.exe = "11000"	EasyNotebook.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dfkieky.exe = "11000"	dfkieky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\presenitaty.exe = "11000"	presenitaty.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49EC6C12-BF1B-4B30-A304-8F7EED67CB71}\ = "DisplayNamesCtxMenuShellExt1 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\ShellEx\ContextMenuHandlers\Hello.DisplayNamesIContextMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\ShellEx\ContextMenuHandlers\Hello.DisplayNamesIContextMenu\ = "{49EC6C12-BF1B-4B30-A304-8F7EED67CB71}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\ShellEx	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\ShellEx\ContextMenuHandlers\Hello.DisplayNamesIContextMenu\ = "{49EC6C12-BF1B-4B30-A304-8F7EED67CB71}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Hello.DisplayNamesIContextMenu\ = "{49EC6C12-BF1B-4B30-A304-8F7EED67CB71}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49EC6C12-BF1B-4B30-A304-8F7EED67CB71}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\ShellEx\ContextMenuHandlers	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\ShellEx\ContextMenuHandlers\Hello.DisplayNamesIContextMenu	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49EC6C12-BF1B-4B30-A304-8F7EED67CB71}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Hello.DisplayNamesIContextMenu\ = "{49EC6C12-BF1B-4B30-A304-8F7EED67CB71}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Hello.DisplayNamesIContextMenu	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49EC6C12-BF1B-4B30-A304-8F7EED67CB71}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49EC6C12-BF1B-4B30-A304-8F7EED67CB71}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\KeepHelp\\NoteKeep_64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\ShellEx	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\ShellEx\ContextMenuHandlers	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Hello.DisplayNamesIContextMenu	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
4036	EasyNotebook.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4036	EasyNotebook.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
4036	EasyNotebook.exe
4036	EasyNotebook.exe
4036	EasyNotebook.exe
4036	EasyNotebook.exe
4992	ENoteService.exe
1164	dfkieky.exe
1164	dfkieky.exe
4568	presenitaty.exe
4568	presenitaty.exe
2672	uegnent.exe
2672	uegnent.exe
208	wempnetwk.exe
208	wempnetwk.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 3116	1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe	86
PID 1616 wrote to memory of 3116	1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe	86
PID 1616 wrote to memory of 3116	1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe	86
PID 3116 wrote to memory of 5080	3116	regsvr32.exe	87
PID 3116 wrote to memory of 5080	3116	regsvr32.exe	87
PID 1616 wrote to memory of 1124	1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe	88
PID 1616 wrote to memory of 1124	1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe	88
PID 1616 wrote to memory of 1124	1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe	88
PID 1124 wrote to memory of 3228	1124	regsvr32.exe	89
PID 1124 wrote to memory of 3228	1124	regsvr32.exe	89
PID 1616 wrote to memory of 3336	1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe	90
PID 1616 wrote to memory of 3336	1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe	90
PID 1616 wrote to memory of 3336	1616	1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe	90
PID 4036 wrote to memory of 4992	4036	EasyNotebook.exe	100
PID 4036 wrote to memory of 4992	4036	EasyNotebook.exe	100
PID 4036 wrote to memory of 4992	4036	EasyNotebook.exe	100
PID 4992 wrote to memory of 1164	4992	ENoteService.exe	101
PID 4992 wrote to memory of 1164	4992	ENoteService.exe	101
PID 4992 wrote to memory of 1164	4992	ENoteService.exe	101
PID 4992 wrote to memory of 4568	4992	ENoteService.exe	104
PID 4992 wrote to memory of 4568	4992	ENoteService.exe	104
PID 4992 wrote to memory of 4568	4992	ENoteService.exe	104
PID 4992 wrote to memory of 2672	4992	ENoteService.exe	106
PID 4992 wrote to memory of 2672	4992	ENoteService.exe	106
PID 4992 wrote to memory of 2672	4992	ENoteService.exe	106
PID 4992 wrote to memory of 208	4992	ENoteService.exe	107
PID 4992 wrote to memory of 208	4992	ENoteService.exe	107
PID 4992 wrote to memory of 208	4992	ENoteService.exe	107

C:\Users\Admin\AppData\Local\Temp\1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe
"C:\Users\Admin\AppData\Local\Temp\1ef8b49e8336bdaf13e438b89cb50fceacc5770ad31af49e4264555016747eaf.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s /u "C:\Users\Admin\AppData\Roaming\KeepHelp\NoteKeep_64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\system32\regsvr32.exe
    /s /u "C:\Users\Admin\AppData\Roaming\KeepHelp\NoteKeep_64.dll"
    3⤵
    - Loads dropped DLL
    PID:5080
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\KeepHelp\NoteKeep_64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Users\Admin\AppData\Roaming\KeepHelp\NoteKeep_64.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3228
- C:\Windows\SysWOW64\sc.exe
  sc create NetLogWatcher binpath= "C:\Program Files (x86)\MicrosofService\TeachService.exe" start= auto
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3336
- C:\Program Files (x86)\ENote\main\EasyNotebook.exe
  C:\Program Files (x86)\ENote\main\EasyNotebook.exe -h
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Program Files (x86)\ENote\main\ENoteService.exe
    "C:\Program Files (x86)\ENote\main\ENoteService.exe" 3341 4036 -h
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Users\Admin\AppData\Roaming\EMTree\dfkieky.exe
      "C:\Users\Admin\AppData\Roaming\EMTree\dfkieky.exe "
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1164
  - - C:\Users\Admin\AppData\Roaming\EMTree\presenitaty.exe
      "C:\Users\Admin\AppData\Roaming\EMTree\presenitaty.exe "
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4568
  - - C:\Users\Admin\AppData\Roaming\WBService\uegnent.exe
      "C:\Users\Admin\AppData\Roaming\WBService\uegnent.exe "
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2672
  - - C:\Users\Admin\AppData\Roaming\WBService\wempnetwk.exe
      "C:\Users\Admin\AppData\Roaming\WBService\wempnetwk.exe "
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ENote\main\ENoteService.exe

Filesize
5.2MB

MD5
f43846756f5ec01678aa247eb43ee552

SHA1
2e76bbbd30149cbc3f5c1e27029faa17a4336d3c

SHA256
f25a6ba1ffa0c5f934d0d17afabe748da8c9a06398cb9b021af9b6d20d8487ba

SHA512
cc3498eed4ddfc493473e597bf1028732ce4ac4639ae01a70797ee2c1f76272e7a279b94bf485f8df444e13a0319fe73b4a842d37590bda08543cd24318fe899

Download Submit
C:\Program Files (x86)\ENote\main\EasyNotebook.exe

Filesize
1.0MB

MD5
770f059314b043590e93d0dd25efbb31

SHA1
e412e3b41c6c359708aece7c2a0f55c79c9b9ce7

SHA256
3a3b8b9246638e01f2a594765501381111d17e3ccb4ef5b4b250422379a62711

SHA512
30a7bd6694fb504d1b831c70ce072c767939a316ba0f000a8ca4f06e1c67b44f0c1e318ba10a52a54153bae37213fda972a8de74466771f5583beda007493ad5

Download Submit
C:\Program Files (x86)\ENote\main\config.ini

Filesize
89B

MD5
bb002cc22e9f6090280170725a6f3563

SHA1
6fb25aa09ddbc891ecd3baceb5b7339858b4898c

SHA256
47bd9b93e5f1869fd05763b7ba69afef5e01b6ce6830451914a75369a2aa1232

SHA512
8171dcd0e4dd3a31b7e99fb6015e13f20867126abc527986b19f310572f67dbd1e673ef71d380e56ede2ab8e7f82db36c0c102decd88dff6579b0be584d60fb4

Download Submit
C:\Users\Admin\AppData\Roaming\EMTree\config.ini

Filesize
29B

MD5
05e49a4ed845dfe30a8cfc4487969e4a

SHA1
7b332c714e08c84d4290d5772b25e3717cb20ae2

SHA256
0f81e9f511c6739089217e155a24b59dac51c5a5178d83e88ad98a468d821df6

SHA512
2a5099a03c1a89a21f5f1a886bdc9afd3a5455a62520fcf720054b1b5e90fca73216360e786a579240793038fbea8d4924b972e023d6f8fda3ecb17e39e5276c

Download Submit
C:\Users\Admin\AppData\Roaming\EMTree\dfkieky.exe

Filesize
2.5MB

MD5
7b01bacf344033be515514347edcfa57

SHA1
0e9e9fef4c2c1e9b4a3b5380275622369f719e59

SHA256
5a5c2b3c3c5809f0bff6d1b7fe230831b0445dc3d0c7631171b5e887443b0ba8

SHA512
2b1e4f6a2ef597c1b06b4493cf42297f1a4478158a91643aa2d83dd27edc1e3e087ad8f1623b1699b9ac543712dc787a850832e4f99067d354d91d50ab420570

Download Submit
C:\Users\Admin\AppData\Roaming\EMTree\presenitaty.exe

Filesize
2.4MB

MD5
73fc634a451db0a561781e7204ab7f0d

SHA1
32542d31cc02a5b0339df6eaf43608baf7b3258e

SHA256
9ef944806142c7ba8fd36fbab137f1a1d7f131a9aca0fba92fe72fcda273c03b

SHA512
0c7ac500eb5d21fae490084beeecc2740c4e8d83e8cfaa8889589ca34b065b356f9498e8a08f480c06edd49d2ddf8aa71dae228d897c564a80cf5023d69814e7

Download Submit
C:\Users\Admin\AppData\Roaming\KeepHelp\NoteKeep_64.dll

Filesize
241KB

MD5
22131d90727307767f1d9f018a9e7610

SHA1
dde9ccaca778b8b2fd45ae8bfd948aae91d0db99

SHA256
353f151e06498f23f3b544592df1275a828011305c4dc8423596afa61b03491d

SHA512
a3208038e068e3cf1e02709c533be11d106c49dd23198d2d84062d321df37a3c8e99b3a56124fc0fe8e08588f8e28a96d4aef04426c3657e962698e021be7752

Download Submit
C:\Users\Admin\AppData\Roaming\WBService\reregisty.dll

Filesize
2.9MB

MD5
55c622b1763f320c4a592c0ca72e2e25

SHA1
2174cfd3878f14e1fc4c54a8a404975da460ce40

SHA256
46e3f523ef8360276bec8349804595589d05d5a058015265b2fc4c56a88646d6

SHA512
3ff7624ce487fc5be5d6a41ab14e8fd7a9017fb5dffdfd7d76d5d9ef54d7ac854f19ba60d670f1f4d698c2005414e844e91e03c827d4142537dc77c47d8dfb6f

Download Submit
C:\Users\Admin\AppData\Roaming\WBService\uegnent.exe

Filesize
2.3MB

MD5
90d907091538b67d3603dcb3561e385c

SHA1
3c23da563d7a14fe9354981d1002722a9fccbfab

SHA256
303aa779f4cd96ccb602a190e7c14da21061f1c73768a1a5f29ddbba195ad886

SHA512
97897a1164e2e50d0d397c1c6e4a0cb0e7199c66ed7739f6bd1cf5a8b05b694b1bf7ddd41b177120f296156187643f652a5d2dacee402c71b64e1505f47bcefe

Download Submit
C:\Users\Admin\AppData\Roaming\WBService\wempnetwk.exe

Filesize
3.0MB

MD5
5073b4f0a809abfe858633531269d463

SHA1
09838d0cc92d29471c30f07b1c30a6878e5b0539

SHA256
778fd5accbd8ad7d2bf32bc6d4b0ddc6f3228ba81746efa46ab7a9548f87c937

SHA512
83e82c85fd7e5a06e95b0afbe74b26312b7e057462235e169d28e454cba17fa25fdfe58696f1bdd489ef1ba57f4c7e0ff89a40ffec72c5d0960925b10c864571

Download Submit
memory/1616-43-0x0000000000400000-0x0000000000F65000-memory.dmp

Filesize
11.4MB

Download
memory/1616-61-0x0000000000400000-0x0000000000F65000-memory.dmp

Filesize
11.4MB

Download
memory/1616-0-0x0000000000400000-0x0000000000F65000-memory.dmp

Filesize
11.4MB

Download
memory/4036-57-0x0000000000400000-0x00000000006E6000-memory.dmp

Filesize
2.9MB

Download
memory/4036-94-0x0000000000400000-0x00000000006E6000-memory.dmp

Filesize
2.9MB

Download