Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 30-11-2024 01:25
Static task: static1
Behavioral task: behavioral1
- Sample: Ewpeloxttug.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Ewpeloxttug.exe
- Resource: win10v2004-20241007-en
General
- Target: Ewpeloxttug.exe
- Size: 2.2MB
- MD5: 23c8cb1226c61a164d7518218c837b81
- SHA1: 45ea74832e487bacb788189c04661b29a71e86b5
- SHA256: 21aaa5319a6729df0581203a0782ead837b848387e44cd1844ca8e19882a50af
- SHA512: 8e219108c05966ec8ee6bc2ce2fb40c4aedce6614e65970c356e4f840e88720188c762aaa4451c2f5f1fa1bbc14136ecbcd1f4c9f3b1a5fccc0ab053a37bcc21
- SSDEEP: 24576:wqDdns3FYYhWxL3rc/+rhm+qx6GuQ5qGPVmTy9xMNWgJ/AICqQ9pEsePeHMSPs2f:1iD
Malware Config
Extracted
- Family: systembc
- claywyaeropumps.com
- 178.132.2.10
- dns: 5.132.191.104
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (3 IoCs)
Processes:
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2480 created 3264 | 2480 | Ewpeloxttug.exe | 53 |
| PID 3220 created 3264 | 3220 | gddf.exe | 53 |
| PID 2040 created 3264 | 2040 | gddf.exe | 53 |

Systembc family

Drops startup file (1 IoC)
Processes:
| description | ioc | Process |
|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUtil.vbs | Ewpeloxttug.exe |

Executes dropped EXE (4 IoCs)
Processes:
| pid | Process |
|---|---|
| 3220 | gddf.exe |
| 3532 | gddf.exe |
| 2040 | gddf.exe |
| 2932 | gddf.exe |

Suspicious use of SetThreadContext (3 IoCs)
Processes:
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2480 set thread context of 4976 | 2480 | Ewpeloxttug.exe | 78 |
| PID 3220 set thread context of 3532 | 3220 | gddf.exe | 80 |
| PID 2040 set thread context of 2932 | 2040 | gddf.exe | 82 |

Drops file in Windows directory (1 IoC)
Processes:
| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\Tasks\Test Task17.job | Ewpeloxttug.exe |

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ewpeloxttug.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ewpeloxttug.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gddf.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gddf.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gddf.exe |

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
| pid | Process |
|---|---|
| 2480 | Ewpeloxttug.exe |
| 3220 | gddf.exe |
| 2040 | gddf.exe |

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2480 | Ewpeloxttug.exe |
| Token: SeDebugPrivilege | 2480 | Ewpeloxttug.exe |
| Token: SeDebugPrivilege | 3220 | gddf.exe |
| Token: SeDebugPrivilege | 3220 | gddf.exe |
| Token: SeDebugPrivilege | 2040 | gddf.exe |
| Token: SeDebugPrivilege | 2040 | gddf.exe |

Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2480 wrote to memory of 4976 | 2480 | Ewpeloxttug.exe | 78 |
| PID 2480 wrote to memory of 4976 | 2480 | Ewpeloxttug.exe | 78 |
| PID 2480 wrote to memory of 4976 | 2480 | Ewpeloxttug.exe | 78 |
| PID 2480 wrote to memory of 4976 | 2480 | Ewpeloxttug.exe | 78 |
| PID 2480 wrote to memory of 4976 | 2480 | Ewpeloxttug.exe | 78 |
| PID 2480 wrote to memory of 4976 | 2480 | Ewpeloxttug.exe | 78 |
| PID 2480 wrote to memory of 4976 | 2480 | Ewpeloxttug.exe | 78 |
| PID 2480 wrote to memory of 4976 | 2480 | Ewpeloxttug.exe | 78 |
| PID 3220 wrote to memory of 3532 | 3220 | gddf.exe | 80 |
| PID 3220 wrote to memory of 3532 | 3220 | gddf.exe | 80 |
| PID 3220 wrote to memory of 3532 | 3220 | gddf.exe | 80 |
| PID 3220 wrote to memory of 3532 | 3220 | gddf.exe | 80 |
| PID 3220 wrote to memory of 3532 | 3220 | gddf.exe | 80 |
| PID 3220 wrote to memory of 3532 | 3220 | gddf.exe | 80 |
| PID 3220 wrote to memory of 3532 | 3220 | gddf.exe | 80 |
| PID 3220 wrote to memory of 3532 | 3220 | gddf.exe | 80 |
| PID 2040 wrote to memory of 2932 | 2040 | gddf.exe | 82 |
| PID 2040 wrote to memory of 2932 | 2040 | gddf.exe | 82 |
| PID 2040 wrote to memory of 2932 | 2040 | gddf.exe | 82 |
| PID 2040 wrote to memory of 2932 | 2040 | gddf.exe | 82 |
| PID 2040 wrote to memory of 2932 | 2040 | gddf.exe | 82 |
| PID 2040 wrote to memory of 2932 | 2040 | gddf.exe | 82 |
| PID 2040 wrote to memory of 2932 | 2040 | gddf.exe | 82 |
| PID 2040 wrote to memory of 2932 | 2040 | gddf.exe | 82 |
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3264
  - C:\Users\Admin\AppData\Local\Temp\Ewpeloxttug.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ewpeloxttug.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2480
  - C:\Users\Admin\AppData\Local\Temp\Ewpeloxttug.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ewpeloxttug.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 4976
  - C:\ProgramData\eavtt\gddf.exe
    Command line: "C:\ProgramData\eavtt\gddf.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3532
  - C:\ProgramData\eavtt\gddf.exe
    Command line: "C:\ProgramData\eavtt\gddf.exe"
    - Executes dropped EXE
    PID: 2932
- C:\ProgramData\eavtt\gddf.exe
  Command line: C:\ProgramData\eavtt\gddf.exe
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3220
- C:\ProgramData\eavtt\gddf.exe
  Command line: C:\ProgramData\eavtt\gddf.exe
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2040
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.2MB
  MD5: 23c8cb1226c61a164d7518218c837b81
  SHA1: 45ea74832e487bacb788189c04661b29a71e86b5
  SHA256: 21aaa5319a6729df0581203a0782ead837b848387e44cd1844ca8e19882a50af
  SHA512: 8e219108c05966ec8ee6bc2ce2fb40c4aedce6614e65970c356e4f840e88720188c762aaa4451c2f5f1fa1bbc14136ecbcd1f4c9f3b1a5fccc0ab053a37bcc21
- Filesize: 232B
  MD5: 43030dc35b3b14135b670f9efc6a8383
  SHA1: 38ccbb209993231b374ae19ca6fd49e2eefb7837
  SHA256: 40d3519d2b4e7ef39e1e8bcc56c8d17e178f85e57a380728ed297dd8427c4cc5
  SHA512: f756e6a79f16f5d01cd552a67fc53ae5f43cccff724eff86b93ce8d1c32a3169ba0ffb374c64b384ce3262a9ae647df1561166f030ce1e951332fb6712c9c9f4