59d8ea37f2df2e0774159f0917ceb77d573075a483d5b8f6e5eea3ac8cfd7a28

Analysis

max time kernel
149s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9efac3d9e2a6178f0d7ccddc5651e490_NEAS.exe
Size

73KB
MD5

9efac3d9e2a6178f0d7ccddc5651e490
SHA1

5a9e68b0cd3c948631d4540f17cc32b06f35ea44
SHA256

59d8ea37f2df2e0774159f0917ceb77d573075a483d5b8f6e5eea3ac8cfd7a28
SHA512

df74b74cceba422093b264c21cfa399a342d421c0469ee1734e4f7f1b74027452f8d02881e058e16918b33eb1620609cc01318eb6bc8d6580d18c8eb8cf42be7
SSDEEP

1536:xCbu2+qEzyX/vh4K+AI5JZC17KNfeCIG3nc3ij/OVVhcEnYN6eQ:gu2+qEzyX/vh4K+AI5JZCMN1I2nSiDO/

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ecmafed-udum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ecmafed-udum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ecmafed-udum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ecmafed-udum.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484B554C-4249-4255-484B-554C42494255}\StubPath = "C:\\Windows\\system32\\ouxlirac.exe"	ecmafed-udum.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484B554C-4249-4255-484B-554C42494255}	ecmafed-udum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484B554C-4249-4255-484B-554C42494255}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	ecmafed-udum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484B554C-4249-4255-484B-554C42494255}\IsInstalled = "1"	ecmafed-udum.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	ecmafed-udum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	ecmafed-udum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\edxinan.exe"	ecmafed-udum.exe

Executes dropped EXE 2 IoCs

pid	Process
2936	ecmafed-udum.exe
2972	ecmafed-udum.exe

Loads dropped DLL 3 IoCs

pid	Process
2880	9efac3d9e2a6178f0d7ccddc5651e490_NEAS.exe
2880	9efac3d9e2a6178f0d7ccddc5651e490_NEAS.exe
2936	ecmafed-udum.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ecmafed-udum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ecmafed-udum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ecmafed-udum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ecmafed-udum.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	ecmafed-udum.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	ecmafed-udum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	ecmafed-udum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\aptecog-acex.dll"	ecmafed-udum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	ecmafed-udum.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\aptecog-acex.dll	ecmafed-udum.exe
File opened for modification	C:\Windows\SysWOW64\ecmafed-udum.exe	ecmafed-udum.exe
File opened for modification	C:\Windows\SysWOW64\ecmafed-udum.exe	9efac3d9e2a6178f0d7ccddc5651e490_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\edxinan.exe	ecmafed-udum.exe
File created	C:\Windows\SysWOW64\edxinan.exe	ecmafed-udum.exe
File created	C:\Windows\SysWOW64\aptecog-acex.dll	ecmafed-udum.exe
File created	C:\Windows\SysWOW64\ecmafed-udum.exe	9efac3d9e2a6178f0d7ccddc5651e490_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\ouxlirac.exe	ecmafed-udum.exe
File created	C:\Windows\SysWOW64\ouxlirac.exe	ecmafed-udum.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2972	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe
2936	ecmafed-udum.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	ecmafed-udum.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2936	2880	9efac3d9e2a6178f0d7ccddc5651e490_NEAS.exe	28
PID 2880 wrote to memory of 2936	2880	9efac3d9e2a6178f0d7ccddc5651e490_NEAS.exe	28
PID 2880 wrote to memory of 2936	2880	9efac3d9e2a6178f0d7ccddc5651e490_NEAS.exe	28
PID 2880 wrote to memory of 2936	2880	9efac3d9e2a6178f0d7ccddc5651e490_NEAS.exe	28
PID 2936 wrote to memory of 436	2936	ecmafed-udum.exe	5
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 2972	2936	ecmafed-udum.exe	29
PID 2936 wrote to memory of 2972	2936	ecmafed-udum.exe	29
PID 2936 wrote to memory of 2972	2936	ecmafed-udum.exe	29
PID 2936 wrote to memory of 2972	2936	ecmafed-udum.exe	29
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21
PID 2936 wrote to memory of 1204	2936	ecmafed-udum.exe	21

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\9efac3d9e2a6178f0d7ccddc5651e490_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\9efac3d9e2a6178f0d7ccddc5651e490_NEAS.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\ecmafed-udum.exe
    "C:\Windows\SysWOW64\ecmafed-udum.exe"
    3⤵
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\ecmafed-udum.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\aptecog-acex.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\edxinan.exe

Filesize
74KB

MD5
c7f664d565e42e54a31e8d7a4f0bc08c

SHA1
635fa32a112c211bc93c8e5a2e080e500b3be8c3

SHA256
79c899448a1c955e1d8cc92d2bab7bdb638de876904651cdb7a2a2c684b5e965

SHA512
7cf0c3df2bdd87d59569f0469204a631c2ad3e67228b71839b8ce474f4775cde661d44ad9e87d2f275fc492e7afd8b17daa4e3ed252d8ec217c30d39204aa5bd

Download Submit
C:\Windows\SysWOW64\ouxlirac.exe

Filesize
73KB

MD5
e401b646c3b1ff0f39cae96a583bfc63

SHA1
f3b502061d7ffec7fef6483a1ef1b68b28b701fb

SHA256
574d237ebc53dbe65b85d3c1e81c285544d6cc37700e2bd6436b9709e6095739

SHA512
8b116c18df1583b2e079dce612d2a1567d5a272a3e8e901c4939e04d47a7779d8d4008f09b92babec5a6ef4998bfc48fa503177cecdab948648fe42abb92b9e0

Download Submit
\Windows\SysWOW64\ecmafed-udum.exe

Filesize
71KB

MD5
487f02589231be61180e180e4d76d235

SHA1
5795f27776f0bb9e33750f09d0442be66fff61fb

SHA256
4be8569865c00b829b55ff05da31a1aa6c3829ff5e36f90127b42b4b4f0a4f3e

SHA512
d06d4e02d1f3dfa37ccb1c7c480b0f4e5b572cf66e1bc43f94e33f96f4a8885ecb68e22b583699761d3da5c0a10c136dc4dc55def42b511f0ce7946452964f6f

Download Submit
memory/2880-8-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2936-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2972-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download