Analysis
-
max time kernel
94s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-10-2024 18:20
Behavioral task
behavioral1
Sample
EMANNN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
EMANNN.exe
Resource
win10v2004-20241007-en
General
-
Target
EMANNN.exe
-
Size
55KB
-
MD5
6bc49cb82d9f92f4a70cf4c84265c26f
-
SHA1
87f69c48c84f9a701b6800762c69c95dfd181273
-
SHA256
925364c585429e6ae064c4db9c7bf30db036debed7b1f403efc60ea6990da4bf
-
SHA512
3d1f055ec378e244c239debc9832bbd6f56a1b3cb27fa009380a728e769ad870272d90cc940d269a3f985c333380b43eedb4c5d1fbe8be57bd67749bc9419d0c
-
SSDEEP
1536:k+mIDn/NOryWhI0DtwsNMDmXExI3pmjm:SIDnE+v0DtwsNMDmXExI3pm
Malware Config
Signatures
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f53a2de487461812859f1781af27b20d.exe EMANNN.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f53a2de487461812859f1781af27b20d.exe EMANNN.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f53a2de487461812859f1781af27b20d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\EMANNN.exe\" .." EMANNN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f53a2de487461812859f1781af27b20d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\EMANNN.exe\" .." EMANNN.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EMANNN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2020 cmd.exe 1896 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1896 PING.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3620 EMANNN.exe Token: 33 3620 EMANNN.exe Token: SeIncBasePriorityPrivilege 3620 EMANNN.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3620 wrote to memory of 3024 3620 EMANNN.exe 90 PID 3620 wrote to memory of 3024 3620 EMANNN.exe 90 PID 3620 wrote to memory of 3024 3620 EMANNN.exe 90 PID 3620 wrote to memory of 2020 3620 EMANNN.exe 92 PID 3620 wrote to memory of 2020 3620 EMANNN.exe 92 PID 3620 wrote to memory of 2020 3620 EMANNN.exe 92 PID 2020 wrote to memory of 1896 2020 cmd.exe 94 PID 2020 wrote to memory of 1896 2020 cmd.exe 94 PID 2020 wrote to memory of 1896 2020 cmd.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\EMANNN.exe"C:\Users\Admin\AppData\Local\Temp\EMANNN.exe"1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn CleanSweepCheck /f2⤵
- System Location Discovery: System Language Discovery
PID:3024
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\EMANNN.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\PING.EXEping 0 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1896
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1