Analysis
max time kernel: 95s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 15/09/2024, 07:30
Static task: static1
Behavioral task: behavioral1
  Sample: 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Resource: win10v2004-20240802-en
General
Target: 9d06b11ec4baa8004d9259e08bbd6470N.exe
Size: 884KB
MD5: 9d06b11ec4baa8004d9259e08bbd6470
SHA1: 513904d42f17558642a90ad6e4158f33834dfdc8
SHA256: 4aeb2549db11cf0d3bc89eb2cb7d40a9e1269dd71a2d3711054fba5ecb2b7411
SHA512: 62723fc40248242cad528af98cb08e1ed5ed124cf4fdad2e9932b34bd064f7542fe21e45d5d431eb272b6f5ff0e7b6e06b14601e10d4aaba53998940bff9745d
SSDEEP: 12288:s8kxNhOZElO5kkWjhD4A45lGUN8kxNhOZElO5kkWjhD4A45lGU:DqEkfFmkUeqEkfFmkU
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid  | Process
  1616 | EYJXNZA.EXE
Modifies system executable filetype association (2 TTPs, 5 IoCs)
  description     | ioc | Process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "F:\\$RECYCLE.BIN\\TWPQFZT.EXE \"%1\" %*" | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open | EYJXNZA.EXE
Adds Run key to start application (2 TTPs, 1 IoCs)
  description     | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EZQQ.EXE = "C:\\Program Files (x86)\\EZQQ.EXE" | 9d06b11ec4baa8004d9259e08bbd6470N.exe
Enumerates connected drives (3 TTPs, 34 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description             | ioc    | Process
  File opened (read-only) | \??\O: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\P: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\Q: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\M: | EYJXNZA.EXE
  File opened (read-only) | \??\Q: | EYJXNZA.EXE
  File opened (read-only) | \??\L: | EYJXNZA.EXE
  File opened (read-only) | \??\U: | EYJXNZA.EXE
  File opened (read-only) | \??\H: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\K: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\R: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\O: | EYJXNZA.EXE
  File opened (read-only) | \??\G: | EYJXNZA.EXE
  File opened (read-only) | \??\S: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\V: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\G: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\E: | EYJXNZA.EXE
  File opened (read-only) | \??\I: | EYJXNZA.EXE
  File opened (read-only) | \??\K: | EYJXNZA.EXE
  File opened (read-only) | \??\R: | EYJXNZA.EXE
  File opened (read-only) | \??\E: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\L: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\N: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\H: | EYJXNZA.EXE
  File opened (read-only) | \??\P: | EYJXNZA.EXE
  File opened (read-only) | \??\J: | EYJXNZA.EXE
  File opened (read-only) | \??\N: | EYJXNZA.EXE
  File opened (read-only) | \??\S: | EYJXNZA.EXE
  File opened (read-only) | \??\I: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\J: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\M: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\T: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\U: | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened (read-only) | \??\T: | EYJXNZA.EXE
  File opened (read-only) | \??\V: | EYJXNZA.EXE
Drops file in Program Files directory (4 IoCs)
  description                  | ioc | Process
  File created                 | C:\Program Files (x86)\MKMHW.EXE | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File opened for modification | C:\Program Files (x86)\MKMHW.EXE | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File created                 | C:\Program Files (x86)\EZQQ.EXE | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  File created                 | C:\Program Files\XRLM.EXE | EYJXNZA.EXE
Drops file in Windows directory (1 IoCs)
  description  | ioc | Process
  File created | C:\Windows\EDOWEMP.EXE | EYJXNZA.EXE
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EYJXNZA.EXE
Modifies registry class (38 IoCs)
  description     | ioc | Process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "F:\\$RECYCLE.BIN\\TWPQFZT.EXE \"%1\" %*" | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell | EYJXNZA.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Program Files (x86)\\MKMHW.EXE \"%1\"" | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | EYJXNZA.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files (x86)\\MKMHW.EXE %1" | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Program Files (x86)\\MKMHW.EXE \"%1\"" | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | EYJXNZA.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files (x86)\\MKMHW.EXE %1" | 9d06b11ec4baa8004d9259e08bbd6470N.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | EYJXNZA.EXE
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open | EYJXNZA.EXE
Suspicious use of WriteProcessMemory (3 IoCs)
  description                         | pid  | Process | procid_target
  PID 1068 wrote to memory of 1616    | 1068 | 9d06b11ec4baa8004d9259e08bbd6470N.exe | 83
  PID 1068 wrote to memory of 1616    | 1068 | 9d06b11ec4baa8004d9259e08bbd6470N.exe | 83
  PID 1068 wrote to memory of 1616    | 1068 | 9d06b11ec4baa8004d9259e08bbd6470N.exe | 83
Processes

C:\Users\Admin\AppData\Local\Temp\9d06b11ec4baa8004d9259e08bbd6470N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d06b11ec4baa8004d9259e08bbd6470N.exe"
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1068

  F:\$RECYCLE.BIN\EYJXNZA.EXE
    Command line: F:\$RECYCLE.BIN\EYJXNZA.EXE
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 1616
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Downloads

Filesize: 885KB
MD5: a11a8c4e3992b051f3d65d56bb3993c3
SHA1: ef17f2e716f5692a05e041489722f455b478050a
SHA256: 184b5156711ba2683114c19b694aa5aeaa97cf7d884191cbca4bd545bc0c1815
SHA512: 72a19abf1c006d16bc60ee4609c97e65b58d07b3f559b421ebd0d7671dc3e64921db029072a715a73f3f1650dcc7935270fa0e2c1dde6c03f3066e0caa95d3c9

Filesize: 885KB
MD5: 3ed8885e9e060aabe7cb0aadac4d56e1
SHA1: c55f4dcaaef1f395646b20aa3a5e10b6b5932cfa
SHA256: 645dcb2ea91b569ef4883d8e767bff0d6624bfc9fc789b01ee804d7bf5e0f3cf
SHA512: 319f37631c4ab51b11b4dec6c7b30ddc4d220f8eee680a7c25a8326a590e8873d0a6a343a77fa127ce6ce7d0e91e6654420de4629d03f6edf4163f17cb57b31e