8bf44aa4f37172e2d739eb8996e89c9cfd1d62fd9cd76546641b532ec9136b99

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 15:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fc2b4c786e5ca6460f0a0954bd139c00_NEIKI.exe
Size

73KB
MD5

fc2b4c786e5ca6460f0a0954bd139c00
SHA1

9aef78dd0c8a9f5ce60091190cb382312836d2ab
SHA256

8bf44aa4f37172e2d739eb8996e89c9cfd1d62fd9cd76546641b532ec9136b99
SHA512

267def5464b2a8ccf55d4b5433230f7239fe81a5c27b4aff08e444a79884ccda3141491b2d4766fed23941c4b9d029bf87a476d7f209833448cd06f1e8707ec1
SSDEEP

1536:x0MoWELkdEwt74R6QJro0857l+bMxNs2QWCFu6sDv:aMoWKkdEi74RLo0uaumjuD

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	eahfaxos-okat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	eahfaxos-okat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	eahfaxos-okat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	eahfaxos-okat.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5350444F-4846-4d41-5350-444F48464d41}	eahfaxos-okat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5350444F-4846-4d41-5350-444F48464d41}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	eahfaxos-okat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5350444F-4846-4d41-5350-444F48464d41}\IsInstalled = "1"	eahfaxos-okat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5350444F-4846-4d41-5350-444F48464d41}\StubPath = "C:\\Windows\\system32\\urxanoac.exe"	eahfaxos-okat.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	eahfaxos-okat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	eahfaxos-okat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\eabroocoom.exe"	eahfaxos-okat.exe

Executes dropped EXE 2 IoCs

pid	Process
2128	eahfaxos-okat.exe
64	eahfaxos-okat.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	eahfaxos-okat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	eahfaxos-okat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	eahfaxos-okat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	eahfaxos-okat.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	eahfaxos-okat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	eahfaxos-okat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	eahfaxos-okat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\obgaxoaf-oumom.dll"	eahfaxos-okat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	eahfaxos-okat.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\urxanoac.exe	eahfaxos-okat.exe
File created	C:\Windows\SysWOW64\obgaxoaf-oumom.dll	eahfaxos-okat.exe
File opened for modification	C:\Windows\SysWOW64\eahfaxos-okat.exe	eahfaxos-okat.exe
File created	C:\Windows\SysWOW64\eahfaxos-okat.exe	fc2b4c786e5ca6460f0a0954bd139c00_NEIKI.exe
File created	C:\Windows\SysWOW64\eabroocoom.exe	eahfaxos-okat.exe
File created	C:\Windows\SysWOW64\urxanoac.exe	eahfaxos-okat.exe
File opened for modification	C:\Windows\SysWOW64\obgaxoaf-oumom.dll	eahfaxos-okat.exe
File opened for modification	C:\Windows\SysWOW64\eahfaxos-okat.exe	fc2b4c786e5ca6460f0a0954bd139c00_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\eabroocoom.exe	eahfaxos-okat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
64	eahfaxos-okat.exe
64	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe
2128	eahfaxos-okat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	eahfaxos-okat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2128	744	fc2b4c786e5ca6460f0a0954bd139c00_NEIKI.exe	84
PID 744 wrote to memory of 2128	744	fc2b4c786e5ca6460f0a0954bd139c00_NEIKI.exe	84
PID 744 wrote to memory of 2128	744	fc2b4c786e5ca6460f0a0954bd139c00_NEIKI.exe	84
PID 2128 wrote to memory of 64	2128	eahfaxos-okat.exe	85
PID 2128 wrote to memory of 64	2128	eahfaxos-okat.exe	85
PID 2128 wrote to memory of 64	2128	eahfaxos-okat.exe	85
PID 2128 wrote to memory of 616	2128	eahfaxos-okat.exe	5
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56
PID 2128 wrote to memory of 3548	2128	eahfaxos-okat.exe	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\fc2b4c786e5ca6460f0a0954bd139c00_NEIKI.exe
  "C:\Users\Admin\AppData\Local\Temp\fc2b4c786e5ca6460f0a0954bd139c00_NEIKI.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\SysWOW64\eahfaxos-okat.exe
    "C:\Windows\SysWOW64\eahfaxos-okat.exe"
    3⤵
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\SysWOW64\eahfaxos-okat.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\eabroocoom.exe

Filesize
74KB

MD5
47a851f715dcee93bb770aab808ecbe5

SHA1
b79c027d75e6bb9865750a2705994d5ca0eecf07

SHA256
01ca89efab763bf63b10345689848a7f5742054499e846e400faa04e7be87c1a

SHA512
352122f6d57ca12bfeefe2878afb496adc5acdb0ee21ff9e5ced5409d27ca59d7d37b43849d9053baafd39b4dd025e822f4cb830f0330980f85278331b9f1b00

Download Submit
C:\Windows\SysWOW64\eahfaxos-okat.exe

Filesize
70KB

MD5
79d90c33bbad774bb392f494703275e2

SHA1
0334d24d5f842a61d9fc86c55ecc43e09074ecb9

SHA256
e8a622399fd07eb6a6c22a72456c24f71bdf88a6d1f3c6cb36efd924035d14a1

SHA512
70016c75006487686e6347c1730d619a5b852ece393cc11071dcf727a15c035b226be19cab51833e6aed6b33db15d06e028a922dbc948fa9cbcccc853c52ca96

Download Submit
C:\Windows\SysWOW64\obgaxoaf-oumom.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\urxanoac.exe

Filesize
73KB

MD5
9d1b5bfca0d244647624fb73a18f94c6

SHA1
1b653588ee2dd2affddc46153869a0033d5f1625

SHA256
3846a93c9d362159cc45f056d4669b2f2cdbb2799dfafa12cf5a67c2370140b3

SHA512
f52fd1f2a0a298ef853508a98b5f09f4f4ad7e2b4367cf5612d057eb06ca6dc068cf6d30e606060910bd4ad358e431e6d942130bb82e4f99d5e4c78ecfd33022

Download Submit
memory/64-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/744-3-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2128-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download