Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
05/05/2024, 01:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
793ca14e6064a73048791119865d1720fa8e49fca3b2f6d95733d44bb207090d.exe
Resource
win7-20240221-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
793ca14e6064a73048791119865d1720fa8e49fca3b2f6d95733d44bb207090d.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
793ca14e6064a73048791119865d1720fa8e49fca3b2f6d95733d44bb207090d.exe
-
Size
72KB
-
MD5
1008ff1afaca953c864383014e893b8b
-
SHA1
8029ebd735701d47d2985683485ba1ecd95c8466
-
SHA256
793ca14e6064a73048791119865d1720fa8e49fca3b2f6d95733d44bb207090d
-
SHA512
6c600d3adeb86e935caeca2dadf408c765f545c912df128d5d2d8edc223578f1d80bb4e8bffee972ec32fe4c4fe9360d9c84b54c682036c0d6b170356a7d1254
-
SSDEEP
1536:xk8KE3UknVTVpXd4Q2x6H5eCU8hh/Q/0ATiPGQQPWTk:Tp37VTV5d4Q2xpIhhTA5feA
Score
10/10
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" eapmitoov.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" eapmitoov.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" eapmitoov.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" eapmitoov.exe -
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C464B54-444a-474c-4C46-4B54444A474c} eapmitoov.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C464B54-444a-474c-4C46-4B54444A474c}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" eapmitoov.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C464B54-444a-474c-4C46-4B54444A474c}\IsInstalled = "1" eapmitoov.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C464B54-444a-474c-4C46-4B54444A474c}\StubPath = "C:\\Windows\\system32\\adcoamup-ucur.exe" eapmitoov.exe -
Sets file execution options in registry 2 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe eapmitoov.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" eapmitoov.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\itvemoab-ifeas.exe" eapmitoov.exe -
Executes dropped EXE 2 IoCs
pid Process 4376 eapmitoov.exe 4644 eapmitoov.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" eapmitoov.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" eapmitoov.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" eapmitoov.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" eapmitoov.exe -
Modifies WinLogon 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} eapmitoov.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify eapmitoov.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" eapmitoov.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\egdookag-oucooc.dll" eapmitoov.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" eapmitoov.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\adcoamup-ucur.exe eapmitoov.exe File opened for modification C:\Windows\SysWOW64\egdookag-oucooc.dll eapmitoov.exe File created C:\Windows\SysWOW64\egdookag-oucooc.dll eapmitoov.exe File opened for modification C:\Windows\SysWOW64\eapmitoov.exe eapmitoov.exe File opened for modification C:\Windows\SysWOW64\eapmitoov.exe 793ca14e6064a73048791119865d1720fa8e49fca3b2f6d95733d44bb207090d.exe File created C:\Windows\SysWOW64\eapmitoov.exe 793ca14e6064a73048791119865d1720fa8e49fca3b2f6d95733d44bb207090d.exe File created C:\Windows\SysWOW64\adcoamup-ucur.exe eapmitoov.exe File opened for modification C:\Windows\SysWOW64\itvemoab-ifeas.exe eapmitoov.exe File created C:\Windows\SysWOW64\itvemoab-ifeas.exe eapmitoov.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4644 eapmitoov.exe 4644 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe 4376 eapmitoov.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4376 eapmitoov.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1200 wrote to memory of 4376 1200 793ca14e6064a73048791119865d1720fa8e49fca3b2f6d95733d44bb207090d.exe 84 PID 1200 wrote to memory of 4376 1200 793ca14e6064a73048791119865d1720fa8e49fca3b2f6d95733d44bb207090d.exe 84 PID 1200 wrote to memory of 4376 1200 793ca14e6064a73048791119865d1720fa8e49fca3b2f6d95733d44bb207090d.exe 84 PID 4376 wrote to memory of 4644 4376 eapmitoov.exe 85 PID 4376 wrote to memory of 4644 4376 eapmitoov.exe 85 PID 4376 wrote to memory of 4644 4376 eapmitoov.exe 85 PID 4376 wrote to memory of 612 4376 eapmitoov.exe 5 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56 PID 4376 wrote to memory of 3480 4376 eapmitoov.exe 56
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:612
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3480
-
C:\Users\Admin\AppData\Local\Temp\793ca14e6064a73048791119865d1720fa8e49fca3b2f6d95733d44bb207090d.exe"C:\Users\Admin\AppData\Local\Temp\793ca14e6064a73048791119865d1720fa8e49fca3b2f6d95733d44bb207090d.exe"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\eapmitoov.exe"C:\Windows\SysWOW64\eapmitoov.exe"3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\eapmitoov.exe--k33p4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4644
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72KB
MD531541de674e377bd3337b074a9ebf1cc
SHA1f860aa972cf27e0b647060670ae38fbd4deef370
SHA2560516db09bd63c311aef2aa6c3f73a047497e9e9397d71d813ee07b23adec1473
SHA512e9dfdf60473012d75296f0f4e22e53ea16f48db8ba18d56bf3ab97a4607771bc9e8cd7a0c11bf93f187cc856e79e4b29d993c4c92f9b48a2dccf258f9add7c50
-
Filesize
70KB
MD52122eda14a9acdc2119416bd50d0d025
SHA18e313b3068df73c3cb6e6179c509f6a35759dfa2
SHA256f205797e8d32166ecf79b01cc4d4b977bc33e79097fdcb119073cb906d3a2c3c
SHA5124d8229cef4df127f7c37e3e82aeaecb3a6b63cff23f0599b17c819eac357b42f9e41bd004724e5b089c102b6a6eeda94354352759c2dee9c9449f91d395468a3
-
Filesize
5KB
MD5f37b21c00fd81bd93c89ce741a88f183
SHA1b2796500597c68e2f5638e1101b46eaf32676c1c
SHA25676cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
-
Filesize
73KB
MD5c170204944fb21bb63d634d9bfe1605f
SHA18835842b8d3d2652164337fa47d519accb7fc4a1
SHA256a62c64a210bd28cf2c17f6b7cb706c9c687d6d1574db496500d535fc16e85dc6
SHA5126b346973b723ca333edd4e9a982bf4d471d9709037fbc090de65d0bca3dc211c47144cda779de722921e64fd0c2f214bdd1e9821dc44cbbb2a75a1c9b2a2e51c