e0846185cdd663294246c03ef52b5aade2ecbf3835650a3d619c72185aea16b9

Analysis

max time kernel
153s
max time network
133s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0846185cdd663294246c03ef52b5aade2ecbf3835650a3d619c72185aea16b9.exe
Size

69KB
MD5

459dc69af42280412294da12dedacd68
SHA1

06f9138fa9f708184104d025da71df51b7c072e6
SHA256

e0846185cdd663294246c03ef52b5aade2ecbf3835650a3d619c72185aea16b9
SHA512

628259619e5872db29592fa11b563cc171d33fc6b055c8fca23dae6b53796c1ed045f041719319c5dd54bdf2d25dc3a6a13432f81d1d00cdd53ecb819dfe3502
SSDEEP

1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8Z:Olg35GTslA5t3/w8Z

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	pfipin-nex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	pfipin-nex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	pfipin-nex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	pfipin-nex.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{494B4A53-5047-494d-494B-4A535047494d}	pfipin-nex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{494B4A53-5047-494d-494B-4A535047494d}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	pfipin-nex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{494B4A53-5047-494d-494B-4A535047494d}\IsInstalled = "1"	pfipin-nex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{494B4A53-5047-494d-494B-4A535047494d}\StubPath = "C:\\Windows\\system32\\evfurit.exe"	pfipin-nex.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ilkeciv.exe"	pfipin-nex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	pfipin-nex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	pfipin-nex.exe

Executes dropped EXE 2 IoCs

pid	Process
1388	pfipin-nex.exe
2652	pfipin-nex.exe

Loads dropped DLL 3 IoCs

pid	Process
2508	e0846185cdd663294246c03ef52b5aade2ecbf3835650a3d619c72185aea16b9.exe
2508	e0846185cdd663294246c03ef52b5aade2ecbf3835650a3d619c72185aea16b9.exe
1388	pfipin-nex.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	pfipin-nex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	pfipin-nex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	pfipin-nex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	pfipin-nex.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	pfipin-nex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	pfipin-nex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	pfipin-nex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ecneteag.dll"	pfipin-nex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	pfipin-nex.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\pfipin-nex.exe	e0846185cdd663294246c03ef52b5aade2ecbf3835650a3d619c72185aea16b9.exe
File opened for modification	C:\Windows\SysWOW64\ilkeciv.exe	pfipin-nex.exe
File opened for modification	C:\Windows\SysWOW64\evfurit.exe	pfipin-nex.exe
File created	C:\Windows\SysWOW64\ecneteag.dll	pfipin-nex.exe
File created	C:\Windows\SysWOW64\pfipin-nex.exe	e0846185cdd663294246c03ef52b5aade2ecbf3835650a3d619c72185aea16b9.exe
File created	C:\Windows\SysWOW64\ilkeciv.exe	pfipin-nex.exe
File created	C:\Windows\SysWOW64\evfurit.exe	pfipin-nex.exe
File opened for modification	C:\Windows\SysWOW64\ecneteag.dll	pfipin-nex.exe
File opened for modification	C:\Windows\SysWOW64\pfipin-nex.exe	pfipin-nex.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
2652	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe
1388	pfipin-nex.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	e0846185cdd663294246c03ef52b5aade2ecbf3835650a3d619c72185aea16b9.exe
Token: SeDebugPrivilege	1388	pfipin-nex.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1388	2508	e0846185cdd663294246c03ef52b5aade2ecbf3835650a3d619c72185aea16b9.exe	28
PID 2508 wrote to memory of 1388	2508	e0846185cdd663294246c03ef52b5aade2ecbf3835650a3d619c72185aea16b9.exe	28
PID 2508 wrote to memory of 1388	2508	e0846185cdd663294246c03ef52b5aade2ecbf3835650a3d619c72185aea16b9.exe	28
PID 2508 wrote to memory of 1388	2508	e0846185cdd663294246c03ef52b5aade2ecbf3835650a3d619c72185aea16b9.exe	28
PID 1388 wrote to memory of 424	1388	pfipin-nex.exe	5
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 2652	1388	pfipin-nex.exe	29
PID 1388 wrote to memory of 2652	1388	pfipin-nex.exe	29
PID 1388 wrote to memory of 2652	1388	pfipin-nex.exe	29
PID 1388 wrote to memory of 2652	1388	pfipin-nex.exe	29
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21
PID 1388 wrote to memory of 1260	1388	pfipin-nex.exe	21

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\e0846185cdd663294246c03ef52b5aade2ecbf3835650a3d619c72185aea16b9.exe
  "C:\Users\Admin\AppData\Local\Temp\e0846185cdd663294246c03ef52b5aade2ecbf3835650a3d619c72185aea16b9.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\pfipin-nex.exe
    "C:\Windows\system32\pfipin-nex.exe"
    3⤵
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\SysWOW64\pfipin-nex.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ecneteag.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\evfurit.exe

Filesize
71KB

MD5
d133b86703ab94995ed38f80a3969a50

SHA1
51c2b44b642a8d8a5c95d71cdfae094447495ecd

SHA256
544aef0360fe4d2bdf3d4720eeb6b35a2f7ac2df97f780b1e76e88ff0e43c445

SHA512
7ec21e98c52c64b95a14085871157b2d0300d1dccfbd767ada57a9d180c0a50782517ad1ad67d7fc7f2852a139e8cad875a0f2150b40a97a03b293d78c01f7b1

Download Submit
C:\Windows\SysWOW64\ilkeciv.exe

Filesize
72KB

MD5
a471145ac6d03a096a907d25764915d8

SHA1
cf2e06f2a0c726a4c1abd07dae19a1594952a484

SHA256
84c544bff3150d502b169a7f1fc08906a04882f956fbb6f292b9b110dc5a1a1f

SHA512
8dfa76e35aefc410374dc7dd5a3fef2fc56cabddbe915a3ac4c29d22d27613012794454331758cf8b3f31111140050b08ab4e06b81d369e724a848210b5d183f

Download Submit
\Windows\SysWOW64\pfipin-nex.exe

Filesize
69KB

MD5
459dc69af42280412294da12dedacd68

SHA1
06f9138fa9f708184104d025da71df51b7c072e6

SHA256
e0846185cdd663294246c03ef52b5aade2ecbf3835650a3d619c72185aea16b9

SHA512
628259619e5872db29592fa11b563cc171d33fc6b055c8fca23dae6b53796c1ed045f041719319c5dd54bdf2d25dc3a6a13432f81d1d00cdd53ecb819dfe3502

Download Submit
memory/1388-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2508-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2652-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download