Analysis
- max time kernel: 123s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2024 01:25
Static task: static1
Behavioral task: behavioral1
- Sample: Ewpeloxttug.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Ewpeloxttug.exe
- Resource: win10v2004-20241007-en
General
- Target: Ewpeloxttug.exe
- Size: 2.2MB
- MD5: 23c8cb1226c61a164d7518218c837b81
- SHA1: 45ea74832e487bacb788189c04661b29a71e86b5
- SHA256: 21aaa5319a6729df0581203a0782ead837b848387e44cd1844ca8e19882a50af
- SHA512: 8e219108c05966ec8ee6bc2ce2fb40c4aedce6614e65970c356e4f840e88720188c762aaa4451c2f5f1fa1bbc14136ecbcd1f4c9f3b1a5fccc0ab053a37bcc21
- SSDEEP: 24576:wqDdns3FYYhWxL3rc/+rhm+qx6GuQ5qGPVmTy9xMNWgJ/AICqQ9pEsePeHMSPs2f:1iD
Malware Config
Extracted
- Family: systembc
- Hosts: claywyaeropumps.com, 178.132.2.10
- dns: 5.132.191.104
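The extracted configuration and the file indicators elsewhere in this report are only useful once they are matched against telemetry. The script below is an added example, not part of the Triage report: it loads the indicators the page lists (the SystemBC host and DNS values above, the two SHA256 hashes from the Downloads section, and the three dropped-file paths from the signatures) and scans a handful of log lines for them. The log lines in SAMPLE_LOGS and their key=value layout are constructed for illustration and do not come from any particular product; domain matching is case-insensitive and ignores a trailing dot, and dropped files are matched on the path tail because the profile directory differs per victim.

```python
"""Match the indicators from this report against log lines.

Added example (not part of the Triage report). The hashes, domain, IPs and
dropped-file paths below are the ones listed on the page; the log lines in
SAMPLE_LOGS are constructed for illustration and the key=value layout is an
assumed format, not the output of any particular product.
"""
import re

# SHA256 of the submitted sample and of the 234-byte dropped file (Downloads section).
IOC_SHA256 = {
    "21aaa5319a6729df0581203a0782ead837b848387e44cd1844ca8e19882a50af",
    "21cc55dc54c79d6a07316d0c84de98dc7ebfcaf0a81f030e47f1afced38dcbe6",
}
# SystemBC hosts and DNS server from the extracted config.
IOC_DOMAINS = {"claywyaeropumps.com"}
IOC_IPS = {"178.132.2.10", "5.132.191.104"}
# Dropped files. The profile directory differs per victim, so only the tail is matched.
IOC_PATH_TAILS = (
    r"\Microsoft\Windows\Start Menu\Programs\Startup\DriverUtil.vbs",
    r"\Windows\Tasks\Test Task17.job",
    r"\ProgramData\lravm\agnwj.exe",
)

KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # key=value pairs; values may contain spaces
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def parse_kv(line):
    """Split a 'k=v k2=v2' line into a dict (a value runs until the next key=)."""
    return dict(KV_RE.findall(line))


def norm_domain(name):
    """Lower-case and drop the trailing dot so 'FOO.COM.' matches 'foo.com'."""
    return name.strip().rstrip(".").lower()


def iocs_in(line):
    """Return the set of (kind, value) indicators found in one log line."""
    hits = set()
    fields = parse_kv(line)
    query = fields.get("query")
    if query and norm_domain(query) in IOC_DOMAINS:
        hits.add(("domain", norm_domain(query)))
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(("ip", ip))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.add(("sha256", digest.lower()))
    path = fields.get("path", "")
    for tail in IOC_PATH_TAILS:
        if path.lower().endswith(tail.lower()):
            hits.add(("path", tail))
    return hits


def scan(lines):
    """Scan log lines; return (line_no, kind, value) triples with 1-based line numbers."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, value in sorted(iocs_in(line)):
            findings.append((n, kind, value))
    return findings


# Constructed sample: DNS, connection and file-inventory events in the assumed format.
SAMPLE_LOGS = [
    r"ts=2024-11-30T01:26:02Z event=dns client=10.0.0.5 query=claywyaeropumps.com. type=A answer=178.132.2.10",
    r"ts=2024-11-30T01:26:03Z event=dns client=10.0.0.5 query=CLAYWYAEROPUMPS.COM type=A answer=178.132.2.10",
    r"ts=2024-11-30T01:26:05Z event=conn client=10.0.0.5 dst=178.132.2.10:443 proto=tcp",
    r"ts=2024-11-30T01:26:07Z event=conn client=10.0.0.5 dst=5.132.191.104:53 proto=udp",
    r"ts=2024-11-30T01:26:09Z event=conn client=10.0.0.5 dst=192.0.2.44:443 proto=tcp",
    r"ts=2024-11-30T01:27:00Z event=file host=WS01 path=C:\Users\jsmith\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUtil.vbs sha256=21cc55dc54c79d6a07316d0c84de98dc7ebfcaf0a81f030e47f1afced38dcbe6",
    r"ts=2024-11-30T01:27:01Z event=file host=WS01 path=C:\ProgramData\lravm\agnwj.exe sha256=21aaa5319a6729df0581203a0782ead837b848387e44cd1844ca8e19882a50af",
    r"ts=2024-11-30T01:27:02Z event=file host=WS01 path=C:\Windows\Tasks\Test Task17.job size=234",
]

if __name__ == "__main__":
    for n, kind, value in scan(SAMPLE_LOGS):
        print(f"line {n}: {kind} {value}")
```

The hash match is the least likely to fire in practice (a rebuilt sample changes it), the domain and the dropped-file tails are the ones worth keeping in a hunt; the line with 192.0.2.44 is there to show that an unrelated destination produces no finding.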
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (3 IoCs)
  Processes: Ewpeloxttug.exe, agnwj.exe, agnwj.exe
  description             pid   Process          procid_target
  PID 780 created 3448    780   Ewpeloxttug.exe  56
  PID 3624 created 3448   3624  agnwj.exe        56
  PID 1964 created 3448   1964  agnwj.exe        56
- Systembc family
- Drops startup file (1 IoC)
  Processes: Ewpeloxttug.exe
  description   ioc                                                                                          Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUtil.vbs   Ewpeloxttug.exe
- Executes dropped EXE (4 IoCs)
  Processes: agnwj.exe, agnwj.exe, agnwj.exe, agnwj.exe
  pid   Process
  3624  agnwj.exe
  4760  agnwj.exe
  1964  agnwj.exe
  536   agnwj.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: Ewpeloxttug.exe, agnwj.exe, agnwj.exe
  description                          pid   Process          procid_target
  PID 780 set thread context of 4384   780   Ewpeloxttug.exe  93
  PID 3624 set thread context of 4760  3624  agnwj.exe        98
  PID 1964 set thread context of 536   1964  agnwj.exe        101
- Drops file in Windows directory (1 IoC)
  Processes: Ewpeloxttug.exe
  description   ioc                               Process
  File created  C:\Windows\Tasks\Test Task17.job   Ewpeloxttug.exe
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: agnwj.exe, agnwj.exe, agnwj.exe, agnwj.exe, Ewpeloxttug.exe, Ewpeloxttug.exe
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  agnwj.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  agnwj.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  agnwj.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  agnwj.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Ewpeloxttug.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Ewpeloxttug.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: Ewpeloxttug.exe, agnwj.exe, agnwj.exe
  pid   Process
  780   Ewpeloxttug.exe
  3624  agnwj.exe
  1964  agnwj.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: Ewpeloxttug.exe, agnwj.exe, agnwj.exe
  description              pid   Process
  Token: SeDebugPrivilege  780   Ewpeloxttug.exe
  Token: SeDebugPrivilege  780   Ewpeloxttug.exe
  Token: SeDebugPrivilege  3624  agnwj.exe
  Token: SeDebugPrivilege  3624  agnwj.exe
  Token: SeDebugPrivilege  1964  agnwj.exe
  Token: SeDebugPrivilege  1964  agnwj.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: Ewpeloxttug.exe, agnwj.exe, agnwj.exe
  The report lists each of the following rows eight times (24 rows in total).
  description                       pid   Process          procid_target  rows
  PID 780 wrote to memory of 4384   780   Ewpeloxttug.exe  93             8
  PID 3624 wrote to memory of 4760  3624  agnwj.exe        98             8
  PID 1964 wrote to memory of 536   1964  agnwj.exe        101            8
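Read together, the SetThreadContext, WriteProcessMemory and NtCreateUserProcessOtherParentProcess rows describe one pattern repeated three times: a process writes into a second copy of its own image and then changes that copy's thread context, and the process creation names Explorer (3448) as parent. The script below is an added example, not part of the Triage report: it transcribes those rows and the process tree from this page and reconstructs the chains, flagging a target only when the same source both wrote to it and set its thread context. Reading "created 3448" as the parent PID the new process was given follows the signature name and is an assumption of the script, as is the IMAGES mapping taken from the process tree.

```python
"""Reconstruct the injection chains from the report's signature rows.

Added example (not part of the Triage report). ROWS and IMAGES are transcribed
from the signature tables and process tree on this page; reading "created <pid>"
as a PPID-spoofed parent follows the signature name
(NtCreateUserProcessOtherParentProcess) and is an assumption of this script.
"""
import re
from collections import defaultdict

# (description, pid, process) rows from the SetThreadContext, WriteProcessMemory and
# NtCreateUserProcessOtherParentProcess signatures. The report lists the
# WriteProcessMemory row for each target eight times, reproduced here with * 8.
ROWS = [
    ("PID 780 created 3448", 780, "Ewpeloxttug.exe"),
    ("PID 3624 created 3448", 3624, "agnwj.exe"),
    ("PID 1964 created 3448", 1964, "agnwj.exe"),
    ("PID 780 set thread context of 4384", 780, "Ewpeloxttug.exe"),
    ("PID 3624 set thread context of 4760", 3624, "agnwj.exe"),
    ("PID 1964 set thread context of 536", 1964, "agnwj.exe"),
]
ROWS += [("PID 780 wrote to memory of 4384", 780, "Ewpeloxttug.exe")] * 8
ROWS += [("PID 3624 wrote to memory of 4760", 3624, "agnwj.exe")] * 8
ROWS += [("PID 1964 wrote to memory of 536", 1964, "agnwj.exe")] * 8

# Image path per PID, from the process tree on the page.
IMAGES = {
    3448: r"C:\Windows\Explorer.EXE",
    780: r"C:\Users\Admin\AppData\Local\Temp\Ewpeloxttug.exe",
    4384: r"C:\Users\Admin\AppData\Local\Temp\Ewpeloxttug.exe",
    3624: r"C:\ProgramData\lravm\agnwj.exe",
    4760: r"C:\ProgramData\lravm\agnwj.exe",
    1964: r"C:\ProgramData\lravm\agnwj.exe",
    536: r"C:\ProgramData\lravm\agnwj.exe",
}

DESC_RE = re.compile(r"PID (\d+) (created|set thread context of|wrote to memory of) (\d+)")


def parse_rows(rows):
    """Turn each description into (source_pid, verb, target_pid, process)."""
    events = []
    for desc, pid, process in rows:
        m = DESC_RE.fullmatch(desc)
        if m is None:
            raise ValueError(f"unrecognised description: {desc!r}")
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        if src != pid:
            raise ValueError(f"pid column {pid} disagrees with description {desc!r}")
        events.append((src, verb, dst, process))
    return events


def injection_chains(rows):
    """Group events by injecting PID and emit one record per target that received
    both memory writes and a SetThreadContext call from it (the hollowing pattern)."""
    by_src = defaultdict(lambda: {"process": None, "parent": None,
                                  "writes": defaultdict(int), "ctx": set()})
    for src, verb, dst, process in parse_rows(rows):
        rec = by_src[src]
        rec["process"] = process
        if verb == "created":
            rec["parent"] = dst          # assumed: the parent PID the new process was given
        elif verb == "wrote to memory of":
            rec["writes"][dst] += 1
        else:
            rec["ctx"].add(dst)
    chains = []
    for src, rec in sorted(by_src.items()):
        for dst in sorted(rec["ctx"]):
            if rec["writes"].get(dst, 0) == 0:
                continue                 # context change without writes: not the pattern
            chains.append({
                "injector": src,
                "process": rec["process"],
                "target": dst,
                "writes": rec["writes"][dst],
                "same_image": IMAGES.get(src) == IMAGES.get(dst),
                "spoofed_parent": rec["parent"],
            })
    return chains


if __name__ == "__main__":
    for c in injection_chains(ROWS):
        print(f"{c['process']} {c['injector']} -> {c['target']}: {c['writes']} writes, "
              f"same image={c['same_image']}, parent={c['spoofed_parent']}")
```

The same grouping works on endpoint telemetry that records the source and target PID of WriteProcessMemory and SetThreadContext calls; the report's rows are simply a convenient, already-normalised input. The `same_image` flag is what separates this sample's behaviour (a suspended copy of itself, then agnwj.exe doing the same) from injection into an unrelated process.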
Processes
- C:\Windows\Explorer.EXE (depth 1, PID 3448)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\Ewpeloxttug.exe (depth 2, PID 780)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ewpeloxttug.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Ewpeloxttug.exe (depth 2, PID 4384)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ewpeloxttug.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
  - C:\ProgramData\lravm\agnwj.exe (depth 2, PID 4760)
    Command line: "C:\ProgramData\lravm\agnwj.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\ProgramData\lravm\agnwj.exe (depth 2, PID 536)
    Command line: "C:\ProgramData\lravm\agnwj.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\ProgramData\lravm\agnwj.exe (depth 1, PID 3624)
  Command line: C:\ProgramData\lravm\agnwj.exe
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\ProgramData\lravm\agnwj.exe (depth 1, PID 1964)
  Command line: C:\ProgramData\lravm\agnwj.exe
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.2MB
  MD5: 23c8cb1226c61a164d7518218c837b81
  SHA1: 45ea74832e487bacb788189c04661b29a71e86b5
  SHA256: 21aaa5319a6729df0581203a0782ead837b848387e44cd1844ca8e19882a50af
  SHA512: 8e219108c05966ec8ee6bc2ce2fb40c4aedce6614e65970c356e4f840e88720188c762aaa4451c2f5f1fa1bbc14136ecbcd1f4c9f3b1a5fccc0ab053a37bcc21
- Filesize: 234B
  MD5: 49a8340e98721c67febc37e5ebce783a
  SHA1: 29878b92820f13ea10b763f847b37d69e5454893
  SHA256: 21cc55dc54c79d6a07316d0c84de98dc7ebfcaf0a81f030e47f1afced38dcbe6
  SHA512: b7b340daedc80ec7391cb7da70aecdaba620236cc1633df7164326ecf4aa651124ec281a0b17a83c9befd17540a4d7da444563b85936d0fea5856399b91b94e4