File name:	eDEX-UI-Windows-x64.exe
Full analysis:	https://app.any.run/tasks/2346fb59-12b1-421a-991f-e21ac6a2ccf9
Verdict:	Malicious activity
Analysis date:	December 09, 2024, 00:33:17
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	github
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	20BEFF9C4CC991A27DBC24E61067F37F
SHA1:	0C65AD7D5F4A58BE8533ACA3E1477FADBC41C663
SHA256:	E877429D2AFFF2977497E4C9C379B2C6A140143D7DF19478344871E05BE8AD6C
SSDEEP:	1572864:imSHpRoERp4sheNfEvU08MCPcAMAyAYaCb:imSJRoERp4s4NsvU08MucVBAYaU

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:02:12 16:15:17+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	30208
InitializedDataSize:	483840
UninitializedDataSize:	16384
EntryPoint:	0x39ed
OSVersion:	5.1
ImageVersion:	6
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	2.2.8.0
ProductVersionNumber:	2.2.8.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Gabriel 'Squared' SAILLARD
FileDescription:	eDEX-UI sci-fi interface
FileVersion:	2.2.8
LegalCopyright:	Copyright © 2017-2021 Gabriel 'Squared' SAILLARD <gabriel@saillard.dev> (https://gaby.dev)
ProductName:	eDEX-UI
ProductVersion:	2.2.8


(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	InstallLocation
Value: C:\Users\admin\AppData\Local\Programs\eDEX-UI
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	KeepShortcuts
Value: true
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	ShortcutName
Value: eDEX-UI
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	DisplayName
Value: eDEX-UI 2.2.8
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	UninstallString
Value: "C:\Users\admin\AppData\Local\Programs\eDEX-UI\Uninstall eDEX-UI.exe" /currentuser
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	QuietUninstallString
Value: "C:\Users\admin\AppData\Local\Programs\eDEX-UI\Uninstall eDEX-UI.exe" /currentuser /S
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	DisplayVersion
Value: 2.2.8
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	DisplayIcon
Value: C:\Users\admin\AppData\Local\Programs\eDEX-UI\eDEX-UI.exe,0
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	Publisher
Value: Gabriel 'Squared' SAILLARD
(PID) Process:	(6472) eDEX-UI-Windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\82c1c72c-4db6-57c2-bb24-743f60eb274f
Operation:	write	Name:	NoModify
Value: 1

PID	Process	Filename		Type
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Temp\nsqA627.tmp\app-64.7z		—
		MD5:—	SHA256:—
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Programs\eDEX-UI\icudtl.dat		—
		MD5:—	SHA256:—
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Programs\eDEX-UI\LICENSES.chromium.html		—
		MD5:—	SHA256:—
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Temp\nsqA627.tmp\nsDialogs.dll		executable
		MD5:466179E1C8EE8A1FF5E4427DBB6C4A01	SHA256:1E40211AF65923C2F4FD02CE021458A7745D28E2F383835E3015E96575632172
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Temp\nsqA627.tmp\System.dll		executable
		MD5:0D7AD4F45DC6F5AA87F606D0331C6901	SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Programs\eDEX-UI\LICENSE.electron.txt		text
		MD5:45574510C534A8195F53B30E3810239E	SHA256:C44607A865E7A6DB05552BAA0EF71F9887D96ACD00D123854B44996BC27C0E33
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Programs\eDEX-UI\locales\am.pak		pgc
		MD5:4E7DB89A9F5C07A295DE43B745E5658B	SHA256:4C0B4273DC4103C666FF01ED8B9DB995F68C5C178973465BB25CD5CDF99EF01A
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Programs\eDEX-UI\locales\cs.pak		pgc
		MD5:6817671B166242686C18B0D17DC15A80	SHA256:0C554977F587F1910AB077D99B97F5011F5C466F0B6D86DF08F9A4C7C940D99F
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Programs\eDEX-UI\locales\ar.pak		pgc
		MD5:70BB1C831327B26E4DD74097F59A55B0	SHA256:776DB47DD91BCE8BC813A54A815BE3E73B6E58E9FE5F24DB7BF0D8C06A240F6A
6472	eDEX-UI-Windows-x64.exe	C:\Users\admin\AppData\Local\Programs\eDEX-UI\locales\da.pak		pgc
		MD5:AFDBF3945FBF2CF7FF3787A1761326DB	SHA256:88DA5FAB329C56D1625205CF1A27F508A4797D4129C59D2A966B2628AE4545B9

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	204	104.126.37.145:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5064	SearchApp.exe	2.23.209.133:443	www.bing.com	Akamai International B.V.	GB	whitelisted
2216	eDEX-UI.exe	185.199.108.133:443	raw.githubusercontent.com	FASTLY	US	shared
2216	eDEX-UI.exe	140.82.121.5:443	api.github.com	GITHUB	US	whitelisted
2216	eDEX-UI.exe	1.1.1.1:80	—	CLOUDFLARENET	—	malicious

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
google.com	142.250.186.142	whitelisted
crl.microsoft.com	2.16.164.9 2.16.164.49	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
www.bing.com	2.23.209.133 2.23.209.177 2.23.209.149 2.23.209.176 2.23.209.189 2.23.209.187 2.23.209.185 2.23.209.140	whitelisted
raw.githubusercontent.com	185.199.108.133 185.199.109.133 185.199.110.133 185.199.111.133	shared
api.github.com	140.82.121.5	whitelisted
self.events.data.microsoft.com	20.189.173.26	whitelisted

General Info

eDEX-UI-Windows-x64.exe

20BEFF9C4CC991A27DBC24E61067F37F

0C65AD7D5F4A58BE8533ACA3E1477FADBC41C663

E877429D2AFFF2977497E4C9C379B2C6A140143D7DF19478344871E05BE8AD6C

1572864:imSHpRoERp4sheNfEvU08MCPcAMAyAYaCb:imSJRoERp4s4NsvU08MucVBAYaU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Unrestricted)

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

Drops 7-zip archiver for unpacking

Process drops legitimate windows executable

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

The process creates files with name similar to system file names

Creates a software uninstall entry

Application launched itself

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Starts application with an unusual extension

The process hides Powershell's copyright startup banner

Uses WMIC.EXE to obtain data on processes

Uses WMIC.EXE to obtain Windows Installer data

Uses WMIC.EXE to obtain data on the virtual memory file swapping

Uses WMIC.EXE

Uses WMIC.EXE to obtain local storage devices information

Uses WMIC.EXE to obtain information about the network interface controller

Process uses IPCONFIG to discover network configuration

Uses NETSH.EXE to obtain data on the network

Uses WMIC.EXE to obtain CPU information

Executes as Windows Service

Uses WMIC.EXE to obtain BIOS management information

INFO

Checks supported languages

Creates files or folders in the user directory

Reads the computer name

Create files in a temporary directory

Manual execution by a user

Reads product name

Reads Environment values

Drops encrypted VBS script (Microsoft Script Encoder)

Drops encrypted JS script (Microsoft Script Encoder)

Reads CPU info

Process checks computer location settings

Changes the display of characters in the console

Checks proxy server information

Checks current location (POWERSHELL)

The process uses the downloaded file

Node.js compiler has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Information

Information

Information

Information

Information

Information

Information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files