fb80690d53338a8e6e0fe422912c0087216d596e880b7e99dc1776216201e6a7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb80690d53338a8e6e0fe422912c0087216d596e880b7e99dc1776216201e6a7.exe
Size

70KB
MD5

31a26ff5697999e86753f9823940e514
SHA1

2c72b78613bd26404b600d2fda4c4565d3ad7576
SHA256

fb80690d53338a8e6e0fe422912c0087216d596e880b7e99dc1776216201e6a7
SHA512

da1715bbe792987630e9ba7ab073aa8f437c6c992e6d303473acfcddcba53b54e29cbf62af17a974864ad5edd1996a6475d4c033f0cd593770ada1950aa4dd17
SSDEEP

1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8slKz:Olg35GTslA5t3/w8L

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ifceages-ifoot.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ifceages-ifoot.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ifceages-ifoot.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ifceages-ifoot.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C4C5844-4845-5743-4C4C-584448455743}\IsInstalled = "1"	ifceages-ifoot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C4C5844-4845-5743-4C4C-584448455743}\StubPath = "C:\\Windows\\system32\\ebmeagoos-ecom.exe"	ifceages-ifoot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C4C5844-4845-5743-4C4C-584448455743}	ifceages-ifoot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C4C5844-4845-5743-4C4C-584448455743}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	ifceages-ifoot.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	ifceages-ifoot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	ifceages-ifoot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\odxoopoak.exe"	ifceages-ifoot.exe

Executes dropped EXE 2 IoCs

pid	Process
3352	ifceages-ifoot.exe
4964	ifceages-ifoot.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ifceages-ifoot.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ifceages-ifoot.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ifceages-ifoot.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ifceages-ifoot.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	ifceages-ifoot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	ifceages-ifoot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	ifceages-ifoot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\isreaxab.dll"	ifceages-ifoot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	ifceages-ifoot.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ifceages-ifoot.exe	ifceages-ifoot.exe
File opened for modification	C:\Windows\SysWOW64\ifceages-ifoot.exe	fb80690d53338a8e6e0fe422912c0087216d596e880b7e99dc1776216201e6a7.exe
File created	C:\Windows\SysWOW64\ifceages-ifoot.exe	fb80690d53338a8e6e0fe422912c0087216d596e880b7e99dc1776216201e6a7.exe
File opened for modification	C:\Windows\SysWOW64\odxoopoak.exe	ifceages-ifoot.exe
File created	C:\Windows\SysWOW64\odxoopoak.exe	ifceages-ifoot.exe
File opened for modification	C:\Windows\SysWOW64\isreaxab.dll	ifceages-ifoot.exe
File created	C:\Windows\SysWOW64\isreaxab.dll	ifceages-ifoot.exe
File opened for modification	C:\Windows\SysWOW64\ebmeagoos-ecom.exe	ifceages-ifoot.exe
File created	C:\Windows\SysWOW64\ebmeagoos-ecom.exe	ifceages-ifoot.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
4964	ifceages-ifoot.exe
4964	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe
3352	ifceages-ifoot.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3760	fb80690d53338a8e6e0fe422912c0087216d596e880b7e99dc1776216201e6a7.exe
Token: SeDebugPrivilege	3352	ifceages-ifoot.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 3352	3760	fb80690d53338a8e6e0fe422912c0087216d596e880b7e99dc1776216201e6a7.exe	82
PID 3760 wrote to memory of 3352	3760	fb80690d53338a8e6e0fe422912c0087216d596e880b7e99dc1776216201e6a7.exe	82
PID 3760 wrote to memory of 3352	3760	fb80690d53338a8e6e0fe422912c0087216d596e880b7e99dc1776216201e6a7.exe	82
PID 3352 wrote to memory of 612	3352	ifceages-ifoot.exe	5
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 4964	3352	ifceages-ifoot.exe	83
PID 3352 wrote to memory of 4964	3352	ifceages-ifoot.exe	83
PID 3352 wrote to memory of 4964	3352	ifceages-ifoot.exe	83
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54
PID 3352 wrote to memory of 3092	3352	ifceages-ifoot.exe	54

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3092
- C:\Users\Admin\AppData\Local\Temp\fb80690d53338a8e6e0fe422912c0087216d596e880b7e99dc1776216201e6a7.exe
  "C:\Users\Admin\AppData\Local\Temp\fb80690d53338a8e6e0fe422912c0087216d596e880b7e99dc1776216201e6a7.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\SysWOW64\ifceages-ifoot.exe
    "C:\Windows\system32\ifceages-ifoot.exe"
    3⤵
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3352
  - - C:\Windows\SysWOW64\ifceages-ifoot.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ebmeagoos-ecom.exe

Filesize
72KB

MD5
ef376f894470415629eabd97909c7f87

SHA1
d680a684be916f0a30864a58b443f0509f858cd1

SHA256
20442d4b0479c665acf925c5f842bf7fd5d42f67f81a9852efaf6a15d524feb3

SHA512
8e52af3ecbcd8669988f39d528931f39e1c77584ab63439e1e78151783d7c4dacbf5325bc541eadec00c245234e3d87f31fc83aa629b085aea3016f8ac793639

Download Submit
C:\Windows\SysWOW64\ifceages-ifoot.exe

Filesize
70KB

MD5
31a26ff5697999e86753f9823940e514

SHA1
2c72b78613bd26404b600d2fda4c4565d3ad7576

SHA256
fb80690d53338a8e6e0fe422912c0087216d596e880b7e99dc1776216201e6a7

SHA512
da1715bbe792987630e9ba7ab073aa8f437c6c992e6d303473acfcddcba53b54e29cbf62af17a974864ad5edd1996a6475d4c033f0cd593770ada1950aa4dd17

Download Submit
C:\Windows\SysWOW64\isreaxab.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\odxoopoak.exe

Filesize
73KB

MD5
ab56770a7cbcdaa9a6428f47abc1be7d

SHA1
0256428843aadb98fa9d650be630599b24c32c43

SHA256
5370c05ed3f7df300819be48b6cac9f33b2509da2bf696f52c1dfda30f1c6471

SHA512
acbace4ea17098dcacf23e795859b7b77426f8c055d99d77fbefc630d0a50234e26ff70baeaaad32bd025c483bafa4c247db326aa19cded5438c59809987db8d

Download Submit
memory/3352-49-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3760-5-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4964-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download