ffde34d3681543e129155e0a09ee29932b3667c56ca9546a9532fa65b4b2dfbd

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffde34d3681543e129155e0a09ee29932b3667c56ca9546a9532fa65b4b2dfbd.exe
Size

72KB
MD5

b1e55c112e85c23eb2b0ab778435afbf
SHA1

8d4ebc95ce928df261160714a29ee7cb94804909
SHA256

ffde34d3681543e129155e0a09ee29932b3667c56ca9546a9532fa65b4b2dfbd
SHA512

9ce8f9044afbe5594137f75b8ecf6168c95c7e9a768c3fc2eee792dd824a64998a8ab9ec7437d6cc1928332ce8d5050a45ef3b397be339e1d9f74475af69afda
SSDEEP

1536:xl6p585dpr3KCUGCsqq2ku2S+Se0uyMWmiCeiq+uKQy6+2OOSGwm6S+yaG2quiCD:f6XY/3KCUGCsqq2ku2S+Se0uyMWmiCe4

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ealkefar-otid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ealkefar-otid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ealkefar-otid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ealkefar-otid.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350}	ealkefar-otid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	ealkefar-otid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350}\IsInstalled = "1"	ealkefar-otid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350}\StubPath = "C:\\Windows\\system32\\aphuxeam.exe"	ealkefar-otid.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	ealkefar-otid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\eamrecuh-ucix.exe"	ealkefar-otid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	ealkefar-otid.exe

Executes dropped EXE 2 IoCs

pid	Process
2120	ealkefar-otid.exe
1676	ealkefar-otid.exe

Loads dropped DLL 3 IoCs

pid	Process
1956	ffde34d3681543e129155e0a09ee29932b3667c56ca9546a9532fa65b4b2dfbd.exe
1956	ffde34d3681543e129155e0a09ee29932b3667c56ca9546a9532fa65b4b2dfbd.exe
2120	ealkefar-otid.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ealkefar-otid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ealkefar-otid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ealkefar-otid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ealkefar-otid.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\adpoanot-oucum.dll"	ealkefar-otid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	ealkefar-otid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	ealkefar-otid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	ealkefar-otid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	ealkefar-otid.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ealkefar-otid.exe	ffde34d3681543e129155e0a09ee29932b3667c56ca9546a9532fa65b4b2dfbd.exe
File opened for modification	C:\Windows\SysWOW64\eamrecuh-ucix.exe	ealkefar-otid.exe
File created	C:\Windows\SysWOW64\aphuxeam.exe	ealkefar-otid.exe
File opened for modification	C:\Windows\SysWOW64\adpoanot-oucum.dll	ealkefar-otid.exe
File created	C:\Windows\SysWOW64\adpoanot-oucum.dll	ealkefar-otid.exe
File opened for modification	C:\Windows\SysWOW64\ealkefar-otid.exe	ealkefar-otid.exe
File created	C:\Windows\SysWOW64\ealkefar-otid.exe	ffde34d3681543e129155e0a09ee29932b3667c56ca9546a9532fa65b4b2dfbd.exe
File created	C:\Windows\SysWOW64\eamrecuh-ucix.exe	ealkefar-otid.exe
File opened for modification	C:\Windows\SysWOW64\aphuxeam.exe	ealkefar-otid.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
1676	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe
2120	ealkefar-otid.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	ealkefar-otid.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2120	1956	ffde34d3681543e129155e0a09ee29932b3667c56ca9546a9532fa65b4b2dfbd.exe	28
PID 1956 wrote to memory of 2120	1956	ffde34d3681543e129155e0a09ee29932b3667c56ca9546a9532fa65b4b2dfbd.exe	28
PID 1956 wrote to memory of 2120	1956	ffde34d3681543e129155e0a09ee29932b3667c56ca9546a9532fa65b4b2dfbd.exe	28
PID 1956 wrote to memory of 2120	1956	ffde34d3681543e129155e0a09ee29932b3667c56ca9546a9532fa65b4b2dfbd.exe	28
PID 2120 wrote to memory of 428	2120	ealkefar-otid.exe	5
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1676	2120	ealkefar-otid.exe	29
PID 2120 wrote to memory of 1676	2120	ealkefar-otid.exe	29
PID 2120 wrote to memory of 1676	2120	ealkefar-otid.exe	29
PID 2120 wrote to memory of 1676	2120	ealkefar-otid.exe	29
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21
PID 2120 wrote to memory of 1208	2120	ealkefar-otid.exe	21

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\ffde34d3681543e129155e0a09ee29932b3667c56ca9546a9532fa65b4b2dfbd.exe
  "C:\Users\Admin\AppData\Local\Temp\ffde34d3681543e129155e0a09ee29932b3667c56ca9546a9532fa65b4b2dfbd.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\ealkefar-otid.exe
    "C:\Windows\SysWOW64\ealkefar-otid.exe"
    3⤵
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\SysWOW64\ealkefar-otid.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\adpoanot-oucum.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\aphuxeam.exe

Filesize
72KB

MD5
78f5a08420a71a8f23143123d2b7ab1f

SHA1
3f00bac83afd3eba364a98b9560a4cc3c62532b9

SHA256
8e95d6bc050414a4a73d0daf47e31923900208a634b71704bf976ef960e947bc

SHA512
ec70720c6e4f08341b847de46ae8d52e232c0a326c71a2c03a3067c8396bc342168c1db49e99c4b0efd9411fc319ffaa5ca03709eac1452f3d850152502ea6b5

Download Submit
C:\Windows\SysWOW64\eamrecuh-ucix.exe

Filesize
73KB

MD5
3eb51c1a7ba7bf9a41563c87c3dfd37f

SHA1
85a13fc085d90e5e6bea1e49b433c74f19b5b07c

SHA256
ae0b6b2e1b7a74fafd986c4d33bc2044113b98f2740f4baab2848c42ac247f2f

SHA512
62d2f6618251edd5399926c80e0db4647b6efd309291f5c35ac86abd2769b4c2476a763825f75f830386f2fdd2021b4f45db5ceba2ae24731f659229e34f4e70

Download Submit
\Windows\SysWOW64\ealkefar-otid.exe

Filesize
70KB

MD5
97686ef7654c2b174aef91c850eb3119

SHA1
32a6b4c3ad1805c305f5b910ee90163b709d4c2f

SHA256
d28403feb0d78ad15f5fdffb3cccbdf88cb642f271ba92d0016baa2e6e99cdb1

SHA512
5e57da70e34cb3f9f63f07d92c894f8ac263bcb22a604f549575752de124208c98b0c7ed92557c229870153589b2ced0da43a62b057276688190199ab4ee20a8

Download Submit
memory/1676-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1956-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2120-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download