Overview

Score  Task                   Platform
7      Static                 -
3      ente-1.7.4-x64.exe     windows11-21h2-x64
7      $PLUGINSDI...er.dll    windows11-21h2-x64
3      $PLUGINSDI...ls.dll    windows11-21h2-x64
3      $PLUGINSDI...em.dll    windows11-21h2-x64
3      $PLUGINSDI...ll.dll    windows11-21h2-x64
3      LICENSES.c...m.html    windows11-21h2-x64
3      d3dcompiler_47.dll     windows11-21h2-x64
1      ente.exe               windows11-21h2-x64
4      ffmpeg.dll             windows11-21h2-x64
1      libEGL.dll             windows11-21h2-x64
1      libGLESv2.dll          windows11-21h2-x64
1      resources/...ple.js    windows11-21h2-x64
3      resources/...eg.exe    windows11-21h2-x64
1      resources/...dex.js    windows11-21h2-x64
3      resources/...all.js    windows11-21h2-x64
3      resources/....dylib    windows11-21h2-x64
3      resources/....dylib    windows11-21h2-x64
3      resources/...e.so.1    windows11-21h2-x64
3      resources/...ild.js    windows11-21h2-x64
3      resources/...all.js    windows11-21h2-x64
3      resources/...ack.js    windows11-21h2-x64
3      resources/elevate.exe  windows11-21h2-x64
3      resources/...magick    windows11-21h2-x64
1      vk_swiftshader.dll     windows11-21h2-x64
1      vulkan-1.dll           windows11-21h2-x64
1      $PLUGINSDI...ec.dll    windows11-21h2-x64
3      $PLUGINSDI...7z.dll    windows11-21h2-x64
3      $R0/Uninst...te.exe    windows11-21h2-x64
7      $PLUGINSDI...ls.dll    windows11-21h2-x64
3      $PLUGINSDI...em.dll    windows11-21h2-x64
3      $PLUGINSDI...ll.dll    windows11-21h2-x64
3      $PLUGINSDI...ec.dll    windows11-21h2-x64

(The task names above are shown truncated, as on the sandbox's task tabs; the full sample paths are listed under Analysis.)
Analysis

max time kernel    120s
max time network   110s
platform           windows11-21h2_x64
resource           win11-20240802-en
resource tags      arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted          19-09-2024 05:14
Static task
static1

Behavioral tasks (every task runs on resource win11-20240802-en)

Task          Sample
behavioral1   ente-1.7.4-x64.exe
behavioral2   $PLUGINSDIR/SpiderBanner.dll
behavioral3   $PLUGINSDIR/StdUtils.dll
behavioral4   $PLUGINSDIR/System.dll
behavioral5   $PLUGINSDIR/WinShell.dll
behavioral6   LICENSES.chromium.html
behavioral7   d3dcompiler_47.dll
behavioral8   ente.exe
behavioral9   ffmpeg.dll
behavioral10  libEGL.dll
behavioral11  libGLESv2.dll
behavioral12  resources/app.asar.unpacked/node_modules/ffmpeg-static/example.js
behavioral13  resources/app.asar.unpacked/node_modules/ffmpeg-static/ffmpeg.exe
behavioral14  resources/app.asar.unpacked/node_modules/ffmpeg-static/index.js
behavioral15  resources/app.asar.unpacked/node_modules/ffmpeg-static/install.js
behavioral16  resources/app.asar.unpacked/node_modules/onnxruntime-node/bin/napi-v3/darwin/arm64/libonnxruntime.1.19.0.dylib
behavioral17  resources/app.asar.unpacked/node_modules/onnxruntime-node/bin/napi-v3/darwin/x64/libonnxruntime.1.19.0.dylib
behavioral18  resources/app.asar.unpacked/node_modules/onnxruntime-node/bin/napi-v3/linux/arm64/libonnxruntime.so.1
behavioral19  resources/app.asar.unpacked/node_modules/onnxruntime-node/script/build.js
behavioral20  resources/app.asar.unpacked/node_modules/onnxruntime-node/script/install.js
behavioral21  resources/app.asar.unpacked/node_modules/onnxruntime-node/script/prepack.js
behavioral22  resources/elevate.exe
behavioral23  resources/image-magick
behavioral24  vk_swiftshader.dll
behavioral25  vulkan-1.dll
behavioral26  $PLUGINSDIR/nsExec.dll
behavioral27  $PLUGINSDIR/nsis7z.dll
behavioral28  $R0/Uninstall ente.exe
behavioral29  $PLUGINSDIR/StdUtils.dll
behavioral30  $PLUGINSDIR/System.dll
behavioral31  $PLUGINSDIR/WinShell.dll
behavioral32  $PLUGINSDIR/nsExec.dll
General

Target   ente.exe
Size     168.6MB
MD5      bbd8bf373c3490c05d90effd80bbe440
SHA1     404d2f5fbcbc4c5b094ec00a1acd88525d445749
SHA256   3409bb6c0c351f3e42f2c9e3e24ee514649380cfd41a4bdb8176f46ddcb5d349
SHA512   0be801d032d538b2143286e95841a34dfea57f1a24e293bf7ddd61eceebfa3567fb38a69ab81a849d90e9b559ae0dc53eecf9f0c4842b62f63946b941b247e38
SSDEEP   1572864:aT8IPCn2dnmyb10tWkqxAXCZP6pfaAdH4w6rUYWny/lNtij7S07Jxov1bEeyODKy:oCn28VpCyOD
Malware Config
-

Signatures

Drops file in Windows directory (1 IoC)
  description                     ioc                     process
  File opened for modification    C:\Windows\SystemTemp   ente.exe

Modifies registry class (7 IoCs)
  description        ioc                                                                                                                                  process
  Key created        \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\ente\shell                                                       ente.exe
  Key created        \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\ente\shell\open                                                  ente.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\ente\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ente.exe\" \"%1\""   ente.exe
  Key created        \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\ente                                                             ente.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\ente\URL Protocol                                                ente.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\ente\ = "URL:ente"                                               ente.exe
  Key created        \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\ente\shell\open\command                                          ente.exe

  Read together, these seven writes are one action: the sample registers a per-user custom URL scheme. The "URL Protocol" marker value plus the "URL:ente" default value make "ente" a protocol handler, and shell\open\command binds ente: URLs to "C:\Users\Admin\AppData\Local\Temp\ente.exe" "%1", i.e. the full URL is passed on the command line to the binary at the path it was run from (here the sandbox's Temp directory). The registration lives under the user's Classes hive (HKCU), so it needs no elevation; anything that can write that hive can retarget the handler.

Modifies registry key (1 TTP, 1 IoC)
  pid    process
  2652   reg.exe

  The reg.exe command line on record (see Processes) is QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ente, a read of the Run value named ente. The signature fires on reg.exe use; the visible command line shows no registry write.

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                         pid    process
  Token: SeShutdownPrivilege          616    ente.exe
  Token: SeCreatePagefilePrivilege    616    ente.exe
  (the two tokens strictly alternate, 32 times each; all 64 entries come from the browser process, PID 616)

Suspicious use of FindShellTrayWindow (5 IoCs)
  pid 616 ente.exe, 5 times

Suspicious use of SendNotifyMessage (7 IoCs)
  pid 616 ente.exe, 7 times

Suspicious use of WriteProcessMemory (64 IoCs)
  description                          pid    process     procid_target
  PID 616 wrote to memory of 3804      616    ente.exe    78
  PID 616 wrote to memory of 332       616    ente.exe    79
  PID 616 wrote to memory of 3948      616    ente.exe    80
  (repeated entries for the same target collapsed)

  All three targets are the sample's own child processes listed under Processes (3804 = --type=gpu-process, 332 = --type=utility NetworkService, 3948 = --type=renderer). ente.exe is an Electron application (resources/app.asar, LICENSES.chromium.html, Chromium-style --type= children), and a Chromium browser process writing into the children it has just spawned is the expected pattern for that architecture, not injection into a foreign process.
Processes

C:\Users\Admin\AppData\Local\Temp\ente.exe  (PID 616)
  command line: "C:\Users\Admin\AppData\Local\Temp\ente.exe"
  signatures: Drops file in Windows directory; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

  |- C:\Users\Admin\AppData\Local\Temp\ente.exe  (PID 3804, gpu-process)
       command line: "C:\Users\Admin\AppData\Local\Temp\ente.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ente" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1692,i,7335361146707097442,6156616919862362067,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1708 /prefetch:2

  |- C:\Users\Admin\AppData\Local\Temp\ente.exe  (PID 332, utility / NetworkService)
       command line: "C:\Users\Admin\AppData\Local\Temp\ente.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ente" --standard-schemes=ente,ente --secure-schemes=ente --cors-schemes=ente --fetch-schemes=ente,stream --service-worker-schemes=ente --field-trial-handle=1920,i,7335361146707097442,6156616919862362067,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1944 /prefetch:3

  |- C:\Users\Admin\AppData\Local\Temp\ente.exe  (PID 3948, renderer)
       command line: "C:\Users\Admin\AppData\Local\Temp\ente.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ente" --standard-schemes=ente,ente --secure-schemes=ente --cors-schemes=ente --fetch-schemes=ente,stream --service-worker-schemes=ente --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2416,i,7335361146707097442,6156616919862362067,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:1

  |- C:\Windows\system32\reg.exe  (PID 2652)
       command line: C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ente
       signatures: Modifies registry key

Two details of the command lines matter when reviewing this tree: the renderer is started with --enable-sandbox, whereas the NetworkService utility process runs with --service-sandbox-type=none; and the same "ente" scheme that is registered with the Windows shell (see Modifies registry class) is also declared to Chromium as a standard, secure, CORS-enabled, fetch-able and service-worker-capable scheme (--standard-schemes, --secure-schemes, --cors-schemes, --fetch-schemes, --service-worker-schemes), so ente: URLs are treated as privileged origins inside the app as well as being routed to it from outside.
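The registry class IoCs and the reg.exe command line above are the two findings a reviewer would want to check mechanically rather than by eye. The following is an added example written for this page (it is not code from the sandbox vendor or from the Ente project): it parses IoC lines in the format the report prints, reports any custom URL protocol handler they register together with the executable that handler launches and whether that executable sits in a user-writable location, and classifies a reg.exe command line as a registry read or write. The sample inputs are constructed from the seven IoCs and the reg.exe command line shown in this report; the user-writable-path heuristic and the machine-wide key form are assumptions.

```python
"""Added example: Triage-style registry IoC lines -> URL protocol handler findings,
plus read/write classification of a reg.exe command line. Editor's code, not the
sandbox's or the Ente project's."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed input: the seven 'Modifies registry class' IoCs from this report, one per
# line in the sandbox's own format: <operation> <key path> [= "<value>"] <process>.
SAMPLE_IOCS = r"""
Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\ente\shell ente.exe
Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\ente\shell\open ente.exe
Set value (str) \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\ente\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ente.exe\" \"%1\"" ente.exe
Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\ente ente.exe
Set value (str) \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\ente\URL Protocol ente.exe
Set value (str) \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\ente\ = "URL:ente" ente.exe
Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\ente\shell\open\command ente.exe
"""
# Constructed input: the reg.exe command line from the process tree above.
SAMPLE_REG_CMD = r"C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ente"

# One IoC line: operation, key path (may contain spaces), optional quoted value, process.
IOC_RE = re.compile(r'^(?P<op>Key created|Set value \(\w+\)) (?P<path>\\REGISTRY\\.+?)'
                    r'(?: = "(?P<value>.*)")? (?P<process>\S+)$')
# Classes key: per-user \REGISTRY\USER\<SID>_Classes\<scheme>[\subkey] as in the report, or
# machine-wide \REGISTRY\MACHINE\SOFTWARE\Classes\<scheme> (assumed form, not seen here).
KEY_RE = re.compile(r'^\\REGISTRY\\(?P<hive>USER|MACHINE)\\(?:(?P<sid>S-[\d-]+)_Classes|SOFTWARE\\Classes)\\'
                    r'(?P<scheme>[^\\]+)(?P<rest>.*)$', re.IGNORECASE)
# Heuristic (assumption): a handler under a user profile or any Temp directory can be
# replaced without elevation.
USER_WRITABLE_RE = re.compile(r'\\users\\[^\\]+\\|\\temp\\', re.IGNORECASE)
REG_WRITE_VERBS = {"ADD", "DELETE", "COPY", "IMPORT", "RESTORE", "LOAD", "UNLOAD", "FLAGS"}


@dataclass
class ProtocolHandler:
    scheme: str
    hive: str                  # HKCU (per-user Classes) or HKLM
    command: str               # unescaped shell\open\command value
    executable: str            # program the shell launches for <scheme>: URLs
    takes_url_argument: bool   # "%1" present: the whole URL lands on the command line
    user_writable: bool        # executable lives in a user-writable location (heuristic)
    process: str               # process that wrote the registration


def unescape(value: str) -> str:
    r"""Undo the sandbox's \" and \\ escaping of string values."""
    return re.sub(r'\\(.)', r'\1', value)


def executable_of(command: str) -> str:
    """First token of a shell command line: quoted path or bare word."""
    m = re.match(r'"([^"]*)"|(\S+)', command.strip())
    return (m.group(1) or m.group(2)) if m else ""


def protocol_handlers(ioc_text: str) -> list[ProtocolHandler]:
    """A scheme is a handler when both the 'URL Protocol' marker value and a
    shell\\open\\command value were written under its Classes key."""
    per_scheme: dict[tuple[str, str], dict] = {}
    for line in ioc_text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        k = KEY_RE.match(m["path"]) if m else None
        if not k:
            continue  # not a Classes key, irrelevant to URL handlers
        rec = per_scheme.setdefault((k["hive"].upper(), k["scheme"]),
                                    {"url_protocol": False, "command": None, "process": m["process"]})
        subkey = k["rest"].strip("\\").lower()
        if m["op"].startswith("Set value"):
            if subkey == "url protocol":
                rec["url_protocol"] = True
            elif subkey == r"shell\open\command":
                rec["command"] = unescape(m["value"] or "")
    handlers = []
    for (hive, scheme), rec in per_scheme.items():
        if not (rec["url_protocol"] and rec["command"]):
            continue
        exe = executable_of(rec["command"])
        handlers.append(ProtocolHandler(scheme, "HKCU" if hive == "USER" else "HKLM",
                                        rec["command"], exe, "%1" in rec["command"],
                                        bool(USER_WRITABLE_RE.search(exe)), rec["process"]))
    return handlers


def reg_exe_action(cmdline: str) -> tuple[str, bool]:
    """Return (verb, writes_registry) for a reg.exe command line; QUERY/EXPORT/SAVE only read."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith("reg.exe") and i + 1 < len(tokens):
            verb = tokens[i + 1].upper()
            return verb, verb in REG_WRITE_VERBS
    return "", False


if __name__ == "__main__":
    for h in protocol_handlers(SAMPLE_IOCS):
        print(f"{h.hive} {h.scheme}: -> {h.executable} url-arg={h.takes_url_argument} "
              f"user-writable={h.user_writable} (written by {h.process})")
    print(reg_exe_action(SAMPLE_REG_CMD))
```

On this report the parser yields one handler, HKCU "ente" bound to C:\Users\Admin\AppData\Local\Temp\ente.exe with the URL passed as "%1" from a user-writable path, and classifies the reg.exe invocation as a QUERY that writes nothing. The "%1" flag is the one to carry into triage of any custom scheme: it tells you the entire URL, including anything an attacker puts after the scheme, reaches the handler's argument parser.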
Network
MITRE ATT&CK Enterprise v15
Downloads
Entry 1 (Filesize 2B)
  MD5      f3b25701fe362ec84616a93a45ce9998
  SHA1     d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256   b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512   98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Entry 2 (Filesize 16B)
  MD5      46295cac801e5d4857d09837238a6394
  SHA1     44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256   0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512   8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Entry 3 (Filesize 300B)
  MD5      22f2f7283a766be14b911c262b1441c9
  SHA1     cc6805faa4feec4274d25cdee4998bd97abf82ec
  SHA256   755bdbfadeb2ac370ceac9a31273b74f0139f1becdf0516f54f6e894f4e28d86
  SHA512   fbe01b56f58176a6adc7a8103d57b14d36dcca45ad35fcc679ef4891b080da7ad4358b3b414cac2d32919cd52ba17a628070cba4a62082f35d0249d56dffa7a0

Entry 4 (Filesize 59B)
  MD5      2800881c775077e1c4b6e06bf4676de4
  SHA1     2873631068c8b3b9495638c865915be822442c8b
  SHA256   226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
  SHA512   e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Entry 5 (Filesize 57B)
  MD5      58127c59cb9e1da127904c341d15372b
  SHA1     62445484661d8036ce9788baeaba31d204e9a5fc
  SHA256   be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
  SHA512   8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a