File name:	eDEX-UI-Windows-x64.exe
Full analysis:	https://app.any.run/tasks/2346fb59-12b1-421a-991f-e21ac6a2ccf9
Verdict:	Malicious activity
Analysis date:	December 09, 2024, 00:33:17
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	github
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	20BEFF9C4CC991A27DBC24E61067F37F
SHA1:	0C65AD7D5F4A58BE8533ACA3E1477FADBC41C663
SHA256:	E877429D2AFFF2977497E4C9C379B2C6A140143D7DF19478344871E05BE8AD6C
SSDEEP:	1572864:imSHpRoERp4sheNfEvU08MCPcAMAyAYaCb:imSJRoERp4s4NsvU08MucVBAYaU

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:02:12 16:15:17+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	30208
InitializedDataSize:	483840
UninitializedDataSize:	16384
EntryPoint:	0x39ed
OSVersion:	5.1
ImageVersion:	6
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	2.2.8.0
ProductVersionNumber:	2.2.8.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Gabriel 'Squared' SAILLARD
FileDescription:	eDEX-UI sci-fi interface
FileVersion:	2.2.8
LegalCopyright:	Copyright © 2017-2021 Gabriel 'Squared' SAILLARD <gabriel@saillard.dev> (https://gaby.dev)
ProductName:	eDEX-UI
ProductVersion:	2.2.8


(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	InstallLocation
Value: C:\Users\admin\AppData\Local\Programs\eDEX-UI
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	KeepShortcuts
Value: true
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	ShortcutName
Value: eDEX-UI
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	DisplayName
Value: eDEX-UI 2.2.8
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	UninstallString
Value: "C:\Users\admin\AppData\Local\Programs\eDEX-UI\Uninstall eDEX-UI.exe" /currentuser
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	QuietUninstallString
Value: "C:\Users\admin\AppData\Local\Programs\eDEX-UI\Uninstall eDEX-UI.exe" /currentuser /S
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	DisplayVersion
Value: 2.2.8
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	DisplayIcon
Value: C:\Users\admin\AppData\Local\Programs\eDEX-UI\eDEX-UI.exe,0
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	Publisher
Value: Gabriel 'Squared' SAILLARD
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	NoModify
Value: 1

PID	Process	Filename		Type
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Temp\nsqA627.tmp\app-64.7z		—
		MD5:—	SHA256:—
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Programs\eDEX-UI\icudtl.dat		—
		MD5:—	SHA256:—
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Programs\eDEX-UI\LICENSES.chromium.html		—
		MD5:—	SHA256:—
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Temp\nsqA627.tmp\nsis7z.dll		executable
		MD5:80E44CE4895304C6A3A831310FBF8CD0	SHA256:B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Temp\nsqA627.tmp\nsDialogs.dll		executable
		MD5:466179E1C8EE8A1FF5E4427DBB6C4A01	SHA256:1E40211AF65923C2F4FD02CE021458A7745D28E2F383835E3015E96575632172
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Programs\eDEX-UI\LICENSE.electron.txt		text
		MD5:45574510C534A8195F53B30E3810239E	SHA256:C44607A865E7A6DB05552BAA0EF71F9887D96ACD00D123854B44996BC27C0E33
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Temp\nsqA627.tmp\modern-wizard.bmp		image
		MD5:52FF52EEE3B944B862C11C268A02C196	SHA256:2079F7A3EBA60E0D9EE827A7208AA052A71B384873B641DE5E299AEB8E733109
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Temp\nsqA627.tmp\UAC.dll		executable
		MD5:ADB29E6B186DAA765DC750128649B63D	SHA256:2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Programs\eDEX-UI\chrome_200_percent.pak		pgc
		MD5:1985B8FC603DB4D83DF72CFAEEAC7C50	SHA256:7F9DED50D81C50F9C6ED89591FA621FABBD45CEF150C8AABCCEB3B7A9DE5603B
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Programs\eDEX-UI\locales\ar.pak		pgc
		MD5:70BB1C831327B26E4DD74097F59A55B0	SHA256:776DB47DD91BCE8BC813A54A815BE3E73B6E58E9FE5F24DB7BF0D8C06A240F6A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	204	104.126.37.145:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5064	SearchApp.exe	2.23.209.133:443	www.bing.com	Akamai International B.V.	GB	whitelisted
2216	eDEX-UI.exe	185.199.108.133:443	raw.githubusercontent.com	FASTLY	US	shared
2216	eDEX-UI.exe	140.82.121.5:443	api.github.com	GITHUB	US	whitelisted
2216	eDEX-UI.exe	1.1.1.1:80	—	CLOUDFLARENET	—	malicious

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
google.com	142.250.186.142	whitelisted
crl.microsoft.com	2.16.164.9 2.16.164.49	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
www.bing.com	2.23.209.133 2.23.209.177 2.23.209.149 2.23.209.176 2.23.209.189 2.23.209.187 2.23.209.185 2.23.209.140	whitelisted
raw.githubusercontent.com	185.199.108.133 185.199.109.133 185.199.110.133 185.199.111.133	shared
api.github.com	140.82.121.5	whitelisted
self.events.data.microsoft.com	20.189.173.26	whitelisted

General Info

eDEX-UI-Windows-x64.exe

20BEFF9C4CC991A27DBC24E61067F37F

0C65AD7D5F4A58BE8533ACA3E1477FADBC41C663

E877429D2AFFF2977497E4C9C379B2C6A140143D7DF19478344871E05BE8AD6C

1572864:imSHpRoERp4sheNfEvU08MCPcAMAyAYaCb:imSJRoERp4s4NsvU08MucVBAYaU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Unrestricted)

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Drops 7-zip archiver for unpacking

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Creates a software uninstall entry

Application launched itself

Starts POWERSHELL.EXE for commands execution

Starts CMD.EXE for commands execution

Starts application with an unusual extension

The process hides Powershell's copyright startup banner

Uses WMIC.EXE to obtain data on processes

Uses WMIC.EXE to obtain information about the network interface controller

Uses WMIC.EXE to obtain data on the virtual memory file swapping

Uses WMIC.EXE to obtain Windows Installer data

Uses WMIC.EXE

Uses WMIC.EXE to obtain local storage devices information

Uses NETSH.EXE to obtain data on the network

Process uses IPCONFIG to discover network configuration

Uses WMIC.EXE to obtain CPU information

Executes as Windows Service

Uses WMIC.EXE to obtain BIOS management information

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

Creates files or folders in the user directory

Manual execution by a user

Reads product name

Reads Environment values

Drops encrypted VBS script (Microsoft Script Encoder)

Drops encrypted JS script (Microsoft Script Encoder)

Reads CPU info

Changes the display of characters in the console

Checks proxy server information

Process checks computer location settings

The process uses the downloaded file

Checks current location (POWERSHELL)

Node.js compiler has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Information

Information

Information

Information

Information

Information

Information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files