Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250619-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/07/2025, 07:21

General

  • Target

    e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe

  • Size

    76KB

  • MD5

    ca96a8ebe967d7fb665d42f2e65a55d4

  • SHA1

    573948d09c43e86ba1672b1659814d4d074dda03

  • SHA256

    e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5

  • SHA512

    730fee4107d8de1b8dedd3ea163eca21ab97e7bd336812bfcc414f4d4ba634554924a26eeeb97e3c8c00a449d21877cf207c35c0e458a38915233d581ac8786b

  • SSDEEP

    1536:5L5lxcQxgr9BcXzfGQz0/m4QdQiWC378JztYtfBpf4p7WtX44:blSQxgr9eXzd4/mxKIm+t3JI4

Malware Config

Signatures

  • Blocklisted process makes network request 15 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe
    "C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5784
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&c:\eqhed.exe "C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2500
      • \??\c:\eqhed.exe
        c:\eqhed.exe "C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4268
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\zjzhm\eucfe.dll",GetWindowClass c:\eqhed.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5160
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\SysWOW64\rundll32.exe "c:\zjzhm\eucfe.dll",GetWindowClass
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5028
    • \??\c:\windows\SysWOW64\rundll32.exe
      c:\windows\SysWOW64\rundll32.exe "c:\zjzhm\eucfe.dll",GetWindowClass
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4916
      • \??\c:\windows\SysWOW64\cmd.exe
        cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "c:\zjzhm"
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:4528
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4652

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\eqhed.exe

          Filesize

          76KB

          MD5

          1c6a375a955e5ab89a131ea82a9e6a14

          SHA1

          f195d91b07ce3515f38764b5fc2befd6ad99ed96

          SHA256

          d95212beb040619c4693c5bee79cdbebc18da6fcdf004891e730f8fec5d050bd

          SHA512

          c46d8bd41823ec53a246d134634bf712fc1aaa5219dd37a0d1301a2354c970c0c04433f329962c8605825bc8abe60b9cb4229f177b7bbe06a16eb2077bd2366e

        • \??\c:\zjzhm\eucfe.dll

          Filesize

          46KB

          MD5

          a3fd41430ddcaa55fde840788925406a

          SHA1

          dbdd87f5c1bbf6a6f44c2e2c4744675d5e4e75c2

          SHA256

          f57f9e54f4774c2b944fb070ae0c2a02cbb4b7686ab3207544c3ccaff0ff3dd9

          SHA512

          23109572cfc9a282ea3ec84d93bfe02303d27f365ad2d9f47f6234f91da14c64f80133cc5e49746dfcb65d2454b7e7c13eff59ba4bbc18e09d2fb1c630ba59c9

        • memory/4268-7-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/4268-10-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/4916-16-0x0000000010000000-0x000000001002E000-memory.dmp

          Filesize

          184KB

        • memory/4916-17-0x0000000010000000-0x000000001002E000-memory.dmp

          Filesize

          184KB

        • memory/5160-13-0x0000000010000000-0x000000001002E000-memory.dmp

          Filesize

          184KB

        • memory/5160-14-0x0000000010001000-0x000000001001E000-memory.dmp

          Filesize

          116KB

        • memory/5160-18-0x0000000010000000-0x000000001002E000-memory.dmp

          Filesize

          184KB

        • memory/5160-19-0x0000000010001000-0x000000001001E000-memory.dmp

          Filesize

          116KB

        • memory/5784-3-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/5784-1-0x0000000000418000-0x0000000000419000-memory.dmp

          Filesize

          4KB

        • memory/5784-0-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB