Analysis
max time kernel: 121s
max time network: 128s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02/11/2024, 09:27
Static task: static1
Behavioral task: behavioral1
  Sample: ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe
  Resource: win10v2004-20241007-en
General
Target: ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe
Size: 1.4MB
MD5: 83e7ad8161455e90c7c32051be5dd529
SHA1: 443ffb5d55631689b0d5c43d2bd5426f2ce24e59
SHA256: ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d
SHA512: 916a2c9e3f26b9fd6f338adee5eed101c9cb874f952c51fafbe9084ebbccb9ed84faa73d23af4afeeb41861f24553dce7f8cc8c2c19028b5a496ddf455fb3b82
SSDEEP: 24576:/qDEvCTbMWu7rQYlBQcBiT6rprG8aaf/49lT9X1U0da2vejCBDToJ:/TvC/MTQYxsWR7aafoe6DejCBvo
Malware Config

Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Esher.vbs | Esher.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2836 | Esher.exe
  3064 | Esher.exe

Loads dropped DLL (6 IoCs)
  pid | Process
  2708 | ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe
  2916 | WerFault.exe
  2916 | WerFault.exe
  2916 | WerFault.exe
  2916 | WerFault.exe
  2916 | WerFault.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | checkip.dyndns.org

AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/files/0x000f000000016814-8.dat | autoit_exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 3064 set thread context of 2736 | 3064 | Esher.exe | 34

Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2916 | 3064 | WerFault.exe | 33
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Esher.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Esher.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  2736 | RegSvcs.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | Process
  2836 | Esher.exe
  3064 | Esher.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2736 | RegSvcs.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process
  2708 | ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe (row repeated)
  2836 | Esher.exe (row repeated)
  The original table lists 64 rows in total, each one of the two entries above.

Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process
  2708 | ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe (row repeated)
  2836 | Esher.exe (row repeated)
  The original table lists 64 rows in total, each one of the two entries above.

Suspicious use of WriteProcessMemory (27 IoCs)
  description | pid | Process | procid_target
  PID 2708 wrote to memory of 2836 | 2708 | ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe | 31 (4 rows)
  PID 2836 wrote to memory of 1080 | 2836 | Esher.exe | 32 (7 rows)
  PID 2836 wrote to memory of 3064 | 2836 | Esher.exe | 33 (4 rows)
  PID 3064 wrote to memory of 2736 | 3064 | Esher.exe | 34 (8 rows)
  PID 3064 wrote to memory of 2916 | 3064 | Esher.exe | 35 (4 rows)

outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe"
  PID: 2708
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Okeghem\Esher.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe"
    PID: 2836
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d.exe"
      PID: 1080

    C:\Users\Admin\AppData\Local\Okeghem\Esher.exe
      Command line: "C:\Users\Admin\AppData\Local\Okeghem\Esher.exe"
      PID: 3064
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "C:\Users\Admin\AppData\Local\Okeghem\Esher.exe"
        PID: 2736
        - Accesses Microsoft Outlook profiles
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 324
        PID: 2916
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.4MB
MD5: 83e7ad8161455e90c7c32051be5dd529
SHA1: 443ffb5d55631689b0d5c43d2bd5426f2ce24e59
SHA256: ecf2c99f012a781d235a8a0a4a48915118d5c11cbe50b2e7c698bbb70069dc5d
SHA512: 916a2c9e3f26b9fd6f338adee5eed101c9cb874f952c51fafbe9084ebbccb9ed84faa73d23af4afeeb41861f24553dce7f8cc8c2c19028b5a496ddf455fb3b82