hxxps://github[.]com/ek4o/fake-exodus/releases/tag/ekoTools

Resubmissions

03/03/2025, 16:00

250303-tf222asjz2 5

03/03/2025, 15:28

250303-swbpca1nz4 10

02/03/2025, 14:26

250302-rr1x1awygx 10

Analysis

max time kernel
480s
max time network
487s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02/03/2025, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ek4o/fake-exodus/releases/tag/ekoTools

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2080	msedge.exe
2080	msedge.exe
4640	msedge.exe
4640	msedge.exe
3720	identity_helper.exe
3720	identity_helper.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 1880	4640	msedge.exe	84
PID 4640 wrote to memory of 1880	4640	msedge.exe	84
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 3836	4640	msedge.exe	85
PID 4640 wrote to memory of 2080	4640	msedge.exe	86
PID 4640 wrote to memory of 2080	4640	msedge.exe	86
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87
PID 4640 wrote to memory of 3908	4640	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/ek4o/fake-exodus/releases/tag/ekoTools
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0xf0,0x134,0x7ffee18e46f8,0x7ffee18e4708,0x7ffee18e4718
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,14927210660107918008,14916390848924832492,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,14927210660107918008,14916390848924832492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,14927210660107918008,14916390848924832492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14927210660107918008,14916390848924832492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14927210660107918008,14916390848924832492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,14927210660107918008,14916390848924832492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,14927210660107918008,14916390848924832492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14927210660107918008,14916390848924832492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14927210660107918008,14916390848924832492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14927210660107918008,14916390848924832492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14927210660107918008,14916390848924832492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,14927210660107918008,14916390848924832492,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5300 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed05621b2a1e4a5665da21bfaf333a47

SHA1
4cd83a338b9bb2940b9cd9c3c8cc6a7638556579

SHA256
bc3f423aae2852f02ecee50bc19e7c78cc61b20e0d3bb04237ec628c3cf63c5a

SHA512
775d9523db85198ce510e082e2932fdcb7ef2ef1ec8d730cada441f795919399ecb3fb72b498c1c20c555aa95728a33bc45387ae43818cef51a19316bd80b2df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e8d81c171651dcbc4e2fc0ebb2634e48

SHA1
90a3278c31591349899a699715c8e418dbdf17d1

SHA256
dc344683b95b4fc853fd26420fe56798fa08f8a685de889ee6d4ed587ebfed34

SHA512
2f47d722e59a22d7729a8c0276297b0d679038ff9d1dae0abe01d233c1bd1368d87894e1637dc4297addcd79a19c686c4c03719fb876a5304f66088e941d3d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
595B

MD5
000925f20e4e0abff3cb1d873353c50b

SHA1
01885cdbb66334b92c78575fbfadc9a314e5fdff

SHA256
ff5bee4a53e911a19c3eb223ab06de8de222aeed8b460d1938c4ab934698ec17

SHA512
8ce838f97f86cd55814fce2eb0ddb5376a72f52788607fc40d6ba4a4c6abe410998f64fcf223283fcdb64da4fcf369c2bc01d0ed4300e15469ad3545135ccc20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f967a7ea1decfd459698c1fef3e5ddd2

SHA1
e6cb54e67dab258e06b1d162f6ad50757946a045

SHA256
337b39ffae0173908bffd8b2155c60f30217641c5d41051f0e3caaa84f3cefc3

SHA512
be9f3d79994843d04c22ccc0ebad9d4616ab1a1a121b7af6ab9dd13896352426efb1ffeb92294cafdc8be1d31cdbd84cf0b34a66c82ad01a856a3a38cfd01d98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
af1c6ff0166e54ab9ca882c588763711

SHA1
7675916cce3c033e6d083edda915e0a396d761f0

SHA256
067cb0587c57523685cf97d7e874f0555b7d58efc0aab42956bf4df40942baa5

SHA512
06e0263fdef749017a38e2cddfb27860c7df8f19f53a7edb7d51833e6de0b3601a3d54cb110c921cd619e8d8121c586ff0d3fb227aac9d4cb3b51ead83dd4b83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e06e0eabe13da96c0555c9f41f27680f

SHA1
aeb0ff83a4000fc3425afae51862c468d640d773

SHA256
41cdd39dd72d2e3b06cb3894fb08435c66cab64a4b5e6f7c42744886e60a6368

SHA512
6fdc73101ec2eb9d36a7614e6e824b90af33ffc9a2249f08060f0d26bf0776d07bb65eb4f11fa2a9c07e248e7f5396d8fb5271a48b9927e2603edcf332a527aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ebc2bda5-fb06-4a48-921d-9e475ddac487.tmp

Filesize
10KB

MD5
1b71540d62a1916d8290be263f2d771a

SHA1
b331bd0e36cd477e14a106136d9e6b98e2fcb42c

SHA256
72845a233502d44c95eb8ff7cb718bd193fc179492f9b4ac0e9f73b1b2e06db1

SHA512
0cfe61c5f206a78a6e74dfa76d2035bcd1337355c50487c745ce17c0e250d7b33813bb4202830b966a344e9eaf4cd63e12b911d3752a6a9c71055ab16196efb1

Download Submit