Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/07/2025, 07:21
Behavioral task: behavioral1
Sample: e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe
Resource: win10v2004-20250619-en
General
Target: e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe
Size: 76KB
MD5: ca96a8ebe967d7fb665d42f2e65a55d4
SHA1: 573948d09c43e86ba1672b1659814d4d074dda03
SHA256: e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5
SHA512: 730fee4107d8de1b8dedd3ea163eca21ab97e7bd336812bfcc414f4d4ba634554924a26eeeb97e3c8c00a449d21877cf207c35c0e458a38915233d581ac8786b
SSDEEP: 1536:5L5lxcQxgr9BcXzfGQz0/m4QdQiWC378JztYtfBpf4p7WtX44:blSQxgr9eXzd4/mxKIm+t3JI4
Malware Config
Signatures

Blocklisted process makes network request (15 IoCs)
flow  pid   Process
27    5160  rundll32.exe
28    5160  rundll32.exe
29    5160  rundll32.exe
30    5160  rundll32.exe
36    5160  rundll32.exe
41    5160  rundll32.exe
66    5160  rundll32.exe
67    5160  rundll32.exe
75    5160  rundll32.exe
76    5160  rundll32.exe
77    5160  rundll32.exe
80    5160  rundll32.exe
81    5160  rundll32.exe
82    5160  rundll32.exe
83    5160  rundll32.exe

resource                                    yara_rule
behavioral1/files/0x000b00000001e6c7-5.dat  aspack_v212_v242
Deletes itself (1 IoCs)
pid   Process
4268  eqhed.exe
Executes dropped EXE (1 IoCs)
pid   Process
4268  eqhed.exe
Loads dropped DLL (2 IoCs)
pid   Process
5160  rundll32.exe
4916  rundll32.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
description      ioc                                                                                                                                                                                      Process
Set value (str)  \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\zjzhm\\eucfe.dll\",GetWindowClass"  rundll32.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\n:  rundll32.exe
File opened (read-only)  \??\o:  rundll32.exe
File opened (read-only)  \??\p:  rundll32.exe
File opened (read-only)  \??\u:  rundll32.exe
File opened (read-only)  \??\x:  rundll32.exe
File opened (read-only)  \??\a:  rundll32.exe
File opened (read-only)  \??\e:  rundll32.exe
File opened (read-only)  \??\k:  rundll32.exe
File opened (read-only)  \??\r:  rundll32.exe
File opened (read-only)  \??\s:  rundll32.exe
File opened (read-only)  \??\t:  rundll32.exe
File opened (read-only)  \??\w:  rundll32.exe
File opened (read-only)  \??\y:  rundll32.exe
File opened (read-only)  \??\j:  rundll32.exe
File opened (read-only)  \??\m:  rundll32.exe
File opened (read-only)  \??\q:  rundll32.exe
File opened (read-only)  \??\v:  rundll32.exe
File opened (read-only)  \??\z:  rundll32.exe
File opened (read-only)  \??\b:  rundll32.exe
File opened (read-only)  \??\g:  rundll32.exe
File opened (read-only)  \??\i:  rundll32.exe
File opened (read-only)  \??\h:  rundll32.exe
File opened (read-only)  \??\l:  rundll32.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                   ioc                 Process
File opened for modification  \??\PHYSICALDRIVE0  rundll32.exe
File opened for modification  \??\PHYSICALDRIVE0  rundll32.exe
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eqhed.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 4 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
2956  cmd.exe
2500  PING.EXE
4528  cmd.exe
4652  PING.EXE
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                            Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
Runs ping.exe (1 TTPs, 2 IoCs)
pid   Process
2500  PING.EXE
4652  PING.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
5160  rundll32.exe
5160  rundll32.exe
5160  rundll32.exe
5160  rundll32.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description               pid   Process
Token: SeDebugPrivilege   5160  rundll32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
5784  e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe
4268  eqhed.exe
Suspicious use of WriteProcessMemory (21 IoCs)
description                        pid   Process                                                               procid_target
PID 5784 wrote to memory of 2956   5784  e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe  87
PID 5784 wrote to memory of 2956   5784  e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe  87
PID 5784 wrote to memory of 2956   5784  e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe  87
PID 2956 wrote to memory of 2500   2956  cmd.exe                                                               89
PID 2956 wrote to memory of 2500   2956  cmd.exe                                                               89
PID 2956 wrote to memory of 2500   2956  cmd.exe                                                               89
PID 2956 wrote to memory of 4268   2956  cmd.exe                                                               91
PID 2956 wrote to memory of 4268   2956  cmd.exe                                                               91
PID 2956 wrote to memory of 4268   2956  cmd.exe                                                               91
PID 4268 wrote to memory of 5160   4268  eqhed.exe                                                             92
PID 4268 wrote to memory of 5160   4268  eqhed.exe                                                             92
PID 4268 wrote to memory of 5160   4268  eqhed.exe                                                             92
PID 5028 wrote to memory of 4916   5028  cmd.exe                                                               99
PID 5028 wrote to memory of 4916   5028  cmd.exe                                                               99
PID 5028 wrote to memory of 4916   5028  cmd.exe                                                               99
PID 4916 wrote to memory of 4528   4916  rundll32.exe                                                          100
PID 4916 wrote to memory of 4528   4916  rundll32.exe                                                          100
PID 4916 wrote to memory of 4528   4916  rundll32.exe                                                          100
PID 4528 wrote to memory of 4652   4528  cmd.exe                                                               103
PID 4528 wrote to memory of 4652   4528  cmd.exe                                                               103
PID 4528 wrote to memory of 4652   4528  cmd.exe                                                               103
Processes

[1] C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 5784

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c ping 127.0.0.1 -n 2&c:\eqhed.exe "C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe"
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2956

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 2
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 2500

        [3] \??\c:\eqhed.exe
            Command line: c:\eqhed.exe "C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe"
            - Deletes itself
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 4268

            [4] \??\c:\windows\SysWOW64\rundll32.exe
                Command line: c:\windows\system32\rundll32.exe "c:\zjzhm\eucfe.dll",GetWindowClass c:\eqhed.exe
                - Blocklisted process makes network request
                - Loads dropped DLL
                - Adds Run key to start application
                - Enumerates connected drives
                - Writes to the Master Boot Record (MBR)
                - System Location Discovery: System Language Discovery
                - Checks processor information in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 5160

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\windows\SysWOW64\rundll32.exe "c:\zjzhm\eucfe.dll",GetWindowClass
    - Suspicious use of WriteProcessMemory
    PID: 5028

    [2] \??\c:\windows\SysWOW64\rundll32.exe
        Command line: c:\windows\SysWOW64\rundll32.exe "c:\zjzhm\eucfe.dll",GetWindowClass
        - Loads dropped DLL
        - Writes to the Master Boot Record (MBR)
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4916

        [3] \??\c:\windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "c:\zjzhm"
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Suspicious use of WriteProcessMemory
            PID: 4528

            [4] C:\Windows\SysWOW64\PING.EXE
                Command line: ping 127.0.0.1 -n 3
                - System Location Discovery: System Language Discovery
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe
                PID: 4652
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 76KB
MD5: 1c6a375a955e5ab89a131ea82a9e6a14
SHA1: f195d91b07ce3515f38764b5fc2befd6ad99ed96
SHA256: d95212beb040619c4693c5bee79cdbebc18da6fcdf004891e730f8fec5d050bd
SHA512: c46d8bd41823ec53a246d134634bf712fc1aaa5219dd37a0d1301a2354c970c0c04433f329962c8605825bc8abe60b9cb4229f177b7bbe06a16eb2077bd2366e

Filesize: 46KB
MD5: a3fd41430ddcaa55fde840788925406a
SHA1: dbdd87f5c1bbf6a6f44c2e2c4744675d5e4e75c2
SHA256: f57f9e54f4774c2b944fb070ae0c2a02cbb4b7686ab3207544c3ccaff0ff3dd9
SHA512: 23109572cfc9a282ea3ec84d93bfe02303d27f365ad2d9f47f6234f91da14c64f80133cc5e49746dfcb65d2454b7e7c13eff59ba4bbc18e09d2fb1c630ba59c9