Analysis

| Field | Value |
|---|---|
| max time kernel | 149s |
| max time network | 151s |
| platform | windows10-2004_x64 |
| resource | win10v2004-20240412-en |
| resource tags | arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system |
| submitted | 21/04/2024, 02:30 |

| Task | Name | Sample | Resource |
|---|---|---|---|
| Static task | static1 | | |
| Behavioral task | behavioral1 | c2c834569524f0be8d72a0e3bc96dd2b6686d7363995972e215013c806fc89c0.exe | win7-20240221-en |
| Behavioral task | behavioral2 | c2c834569524f0be8d72a0e3bc96dd2b6686d7363995972e215013c806fc89c0.exe | win10v2004-20240412-en |
General

| Field | Value |
|---|---|
| Target | c2c834569524f0be8d72a0e3bc96dd2b6686d7363995972e215013c806fc89c0.exe |
| Size | 67KB |
| MD5 | 1ec9145710c75646d1e83111610b51a0 |
| SHA1 | 2e5c4e5359c63740877f098e658b23ee8916c0f2 |
| SHA256 | c2c834569524f0be8d72a0e3bc96dd2b6686d7363995972e215013c806fc89c0 |
| SHA512 | d2b0baf587fb56f93158d1cf8a1c313263840254cf4a4fd75358b2de47b4f02e7d61f4f0878b3d014e8f02b57c80db0c83aa7cc9e746683e3784078caca3bd8d |
| SSDEEP | 1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Rew6:ulg35GTslA5t3pew6 |
Malware Config
Signatures

Windows security bypass 4 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | ahpoamor.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | ahpoamor.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | ahpoamor.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | ahpoamor.exe |
Modifies Installed Components in the registry 2 TTPs 4 IoCs

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44544B55-544a-524c-4454-4B55544A524c} | ahpoamor.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44544B55-544a-524c-4454-4B55544A524c}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | ahpoamor.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44544B55-544a-524c-4454-4B55544A524c}\IsInstalled = "1" | ahpoamor.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44544B55-544a-524c-4454-4B55544A524c}\StubPath = "C:\\Windows\\system32\\ihmuduc-eadac.exe" | ahpoamor.exe |
Sets file execution options in registry 2 TTPs 3 IoCs

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | ahpoamor.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | ahpoamor.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\hdefeap.exe" | ahpoamor.exe |
Executes dropped EXE 2 IoCs

| pid | Process |
|---|---|
| 2896 | ahpoamor.exe |
| 3164 | ahpoamor.exe |
Windows security modification 4 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | ahpoamor.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | ahpoamor.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | ahpoamor.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | ahpoamor.exe |
Modifies WinLogon 2 TTPs 5 IoCs

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | ahpoamor.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | ahpoamor.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | ahpoamor.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eanfegeas-gex.dll" | ahpoamor.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | ahpoamor.exe |
Drops file in System32 directory 9 IoCs

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\hdefeap.exe | ahpoamor.exe |
| File opened for modification | C:\Windows\SysWOW64\ihmuduc-eadac.exe | ahpoamor.exe |
| File created | C:\Windows\SysWOW64\ihmuduc-eadac.exe | ahpoamor.exe |
| File opened for modification | C:\Windows\SysWOW64\eanfegeas-gex.dll | ahpoamor.exe |
| File created | C:\Windows\SysWOW64\eanfegeas-gex.dll | ahpoamor.exe |
| File opened for modification | C:\Windows\SysWOW64\ahpoamor.exe | c2c834569524f0be8d72a0e3bc96dd2b6686d7363995972e215013c806fc89c0.exe |
| File created | C:\Windows\SysWOW64\ahpoamor.exe | c2c834569524f0be8d72a0e3bc96dd2b6686d7363995972e215013c806fc89c0.exe |
| File created | C:\Windows\SysWOW64\hdefeap.exe | ahpoamor.exe |
| File opened for modification | C:\Windows\SysWOW64\ahpoamor.exe | ahpoamor.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs

| pid | Process | Note |
|---|---|---|
| 2896 | ahpoamor.exe | repeated for every entry in the list except the two below |
| 3164 | ahpoamor.exe | appears twice |
Suspicious use of AdjustPrivilegeToken 2 IoCs

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2584 | c2c834569524f0be8d72a0e3bc96dd2b6686d7363995972e215013c806fc89c0.exe |
| Token: SeDebugPrivilege | 2896 | ahpoamor.exe |
Suspicious use of WriteProcessMemory 6 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2584 wrote to memory of 2896 | 2584 | c2c834569524f0be8d72a0e3bc96dd2b6686d7363995972e215013c806fc89c0.exe | 87 |
| PID 2584 wrote to memory of 2896 | 2584 | c2c834569524f0be8d72a0e3bc96dd2b6686d7363995972e215013c806fc89c0.exe | 87 |
| PID 2584 wrote to memory of 2896 | 2584 | c2c834569524f0be8d72a0e3bc96dd2b6686d7363995972e215013c806fc89c0.exe | 87 |
| PID 2896 wrote to memory of 3164 | 2896 | ahpoamor.exe | 88 |
| PID 2896 wrote to memory of 3164 | 2896 | ahpoamor.exe | 88 |
| PID 2896 wrote to memory of 3164 | 2896 | ahpoamor.exe | 88 |
Processes

1. C:\Users\Admin\AppData\Local\Temp\c2c834569524f0be8d72a0e3bc96dd2b6686d7363995972e215013c806fc89c0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c2c834569524f0be8d72a0e3bc96dd2b6686d7363995972e215013c806fc89c0.exe"
   PID: 2584
   - Drops file in System32 directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\ahpoamor.exe (child of PID 2584)
      Command line: "C:\Windows\system32\ahpoamor.exe"
      PID: 2896
      - Windows security bypass
      - Modifies Installed Components in the registry
      - Sets file execution options in registry
      - Executes dropped EXE
      - Windows security modification
      - Modifies WinLogon
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\ahpoamor.exe (child of PID 2896)
         PID: 3164
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads