Analysis
max time kernel: 137s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2024 03:43
Static task: static1
Behavioral task: behavioral1
  Sample: 5e4dc195deceacd3626bed07bd4dd840_NEAS.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5e4dc195deceacd3626bed07bd4dd840_NEAS.exe
  Resource: win10v2004-20240226-en
General
Target: 5e4dc195deceacd3626bed07bd4dd840_NEAS.exe
Size: 71KB
MD5: 5e4dc195deceacd3626bed07bd4dd840
SHA1: 2c71a74cf2e2a453f71314a68fbebab7e1d5991e
SHA256: c551f0b139c150ef656fabba41822dcad3e9f694a4e6308be4f29096683c6925
SHA512: 6473fcb22f72ec06910d95fcc46877e54d28e012d97ed9592e37a605b08126155bbcda3dadbd999e4ff7cc45c364837564bfe2ef0422310bc5d86defe2bf56be
SSDEEP: 1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8slC8:Olg35GTslA5t3/w8d8
Malware Config
Signatures
Windows security bypass 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | ounxanum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | ounxanum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | ounxanum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | ounxanum.exe
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F41494C-5643-4e59-4F41-494C56434e59}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | ounxanum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F41494C-5643-4e59-4F41-494C56434e59}\IsInstalled = "1" | ounxanum.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F41494C-5643-4e59-4F41-494C56434e59}\StubPath = "C:\\Windows\\system32\\aglooxeh.exe" | ounxanum.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F41494C-5643-4e59-4F41-494C56434e59} | ounxanum.exe
Sets file execution options in registry 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | ounxanum.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\udpofeah.exe" | ounxanum.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | ounxanum.exe
Executes dropped EXE 2 IoCs
pid | Process
640 | ounxanum.exe
3108 | ounxanum.exe
Windows security modification 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | ounxanum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | ounxanum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | ounxanum.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | ounxanum.exe
Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | ounxanum.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\onboohet.dll" | ounxanum.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | ounxanum.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | ounxanum.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | ounxanum.exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ounxanum.exe | 5e4dc195deceacd3626bed07bd4dd840_NEAS.exe
File created | C:\Windows\SysWOW64\aglooxeh.exe | ounxanum.exe
File created | C:\Windows\SysWOW64\ounxanum.exe | 5e4dc195deceacd3626bed07bd4dd840_NEAS.exe
File opened for modification | C:\Windows\SysWOW64\udpofeah.exe | ounxanum.exe
File created | C:\Windows\SysWOW64\udpofeah.exe | ounxanum.exe
File opened for modification | C:\Windows\SysWOW64\aglooxeh.exe | ounxanum.exe
File opened for modification | C:\Windows\SysWOW64\onboohet.dll | ounxanum.exe
File created | C:\Windows\SysWOW64\onboohet.dll | ounxanum.exe
File opened for modification | C:\Windows\SysWOW64\ounxanum.exe | ounxanum.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
640 | ounxanum.exe (62 entries)
3108 | ounxanum.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1800 | 5e4dc195deceacd3626bed07bd4dd840_NEAS.exe
Token: SeDebugPrivilege | 640 | ounxanum.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1800 wrote to memory of 640 | 1800 | 5e4dc195deceacd3626bed07bd4dd840_NEAS.exe | 90 (3 entries)
PID 640 wrote to memory of 3108 | 640 | ounxanum.exe | 91 (3 entries)
PID 640 wrote to memory of 628 | 640 | ounxanum.exe | 5 (1 entry; PID 628 is winlogon.exe in the process tree)
PID 640 wrote to memory of 3240 | 640 | ounxanum.exe | 56 (remaining 57 entries; PID 3240 is Explorer.EXE in the process tree)
Processes
C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID:628
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID:3240
  C:\Users\Admin\AppData\Local\Temp\5e4dc195deceacd3626bed07bd4dd840_NEAS.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5e4dc195deceacd3626bed07bd4dd840_NEAS.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1800
    C:\Windows\SysWOW64\ounxanum.exe
      command line: "C:\Windows\system32\ounxanum.exe"
      - Windows security bypass
      - Modifies Installed Components in the registry
      - Sets file execution options in registry
      - Executes dropped EXE
      - Windows security modification
      - Modifies WinLogon
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:640
      C:\Windows\SysWOW64\ounxanum.exe
        command line: --k33p
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID:3108
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
  PID:3836
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 73KB
MD5: eb6bf8efd494803e61ab4dbf99c8ce8c
SHA1: 4fc10aa52e378457a217913a16c45feafdec75aa
SHA256: 05566ebecb3523f7668abab5aeda4f681729ec10d965a82d371bdeca4dd0dd44
SHA512: 18a3db5892c39f37b47a7a51a32129b759baad8b18b0e8b86b737c9175293d5da869e3cb372ec10e760320d1f62c2199b455916cab1227f46dbc76585abe9ef0

Filesize: 5KB
MD5: f37b21c00fd81bd93c89ce741a88f183
SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Filesize: 71KB
MD5: 5e4dc195deceacd3626bed07bd4dd840
SHA1: 2c71a74cf2e2a453f71314a68fbebab7e1d5991e
SHA256: c551f0b139c150ef656fabba41822dcad3e9f694a4e6308be4f29096683c6925
SHA512: 6473fcb22f72ec06910d95fcc46877e54d28e012d97ed9592e37a605b08126155bbcda3dadbd999e4ff7cc45c364837564bfe2ef0422310bc5d86defe2bf56be

Filesize: 74KB
MD5: d42b1160f0a9f4a482226947525c2eaa
SHA1: ffe31f41c1a6fda3eeb62ea3af41ce5b3723bdcf
SHA256: 5ce2d577698b250e1fd77edede07c3b7cc7e5c3b6dbb8a0089180d84b32bece6
SHA512: e5b74459a5bae842cfa7ea81c1abb381e8f6792aec3739dc6375edac5b69f2a2baaf01bc79a381095a0d0d185d5c4514e9156e77cb0a0e22de871c3d643ecc11