efec8538630a73037398074d1463763821e0c7431e731bf9f452133017e87ffb

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 05:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

efec8538630a73037398074d1463763821e0c7431e731bf9f452133017e87ffb.exe
Size

70KB
MD5

13d1a63206573d24bb94180f2f85b474
SHA1

d8c5c0faf95ed315d20997d8a4cd0cda88b83daa
SHA256

efec8538630a73037398074d1463763821e0c7431e731bf9f452133017e87ffb
SHA512

cc8c73f6a64de57a906940499e84c708bbfe02a34a4abcd07bec3a250927c04fa76ed2fe5e55289712d0b735351087759151ca12e5fc6bbbdbd04a4e48aadf17
SSDEEP

1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw85:Olg35GTslA5t3/w85

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	anfusad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	anfusad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	anfusad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	anfusad.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51475451-5a54-5245-5147-54515A545245}	anfusad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51475451-5a54-5245-5147-54515A545245}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	anfusad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51475451-5a54-5245-5147-54515A545245}\IsInstalled = "1"	anfusad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51475451-5a54-5245-5147-54515A545245}\StubPath = "C:\\Windows\\system32\\evmisap.exe"	anfusad.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	anfusad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	anfusad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\eanhifeag-ukex.exe"	anfusad.exe

Executes dropped EXE 2 IoCs

pid	Process
2848	anfusad.exe
1404	anfusad.exe

Loads dropped DLL 3 IoCs

pid	Process
2304	efec8538630a73037398074d1463763821e0c7431e731bf9f452133017e87ffb.exe
2304	efec8538630a73037398074d1463763821e0c7431e731bf9f452133017e87ffb.exe
2848	anfusad.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	anfusad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	anfusad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	anfusad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	anfusad.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	anfusad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	anfusad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	anfusad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ohximas.dll"	anfusad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	anfusad.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\anfusad.exe	efec8538630a73037398074d1463763821e0c7431e731bf9f452133017e87ffb.exe
File created	C:\Windows\SysWOW64\anfusad.exe	efec8538630a73037398074d1463763821e0c7431e731bf9f452133017e87ffb.exe
File opened for modification	C:\Windows\SysWOW64\evmisap.exe	anfusad.exe
File created	C:\Windows\SysWOW64\ohximas.dll	anfusad.exe
File opened for modification	C:\Windows\SysWOW64\anfusad.exe	anfusad.exe
File opened for modification	C:\Windows\SysWOW64\eanhifeag-ukex.exe	anfusad.exe
File created	C:\Windows\SysWOW64\eanhifeag-ukex.exe	anfusad.exe
File created	C:\Windows\SysWOW64\evmisap.exe	anfusad.exe
File opened for modification	C:\Windows\SysWOW64\ohximas.dll	anfusad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
1404	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe
2848	anfusad.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	efec8538630a73037398074d1463763821e0c7431e731bf9f452133017e87ffb.exe
Token: SeDebugPrivilege	2848	anfusad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2848	2304	efec8538630a73037398074d1463763821e0c7431e731bf9f452133017e87ffb.exe	28
PID 2304 wrote to memory of 2848	2304	efec8538630a73037398074d1463763821e0c7431e731bf9f452133017e87ffb.exe	28
PID 2304 wrote to memory of 2848	2304	efec8538630a73037398074d1463763821e0c7431e731bf9f452133017e87ffb.exe	28
PID 2304 wrote to memory of 2848	2304	efec8538630a73037398074d1463763821e0c7431e731bf9f452133017e87ffb.exe	28
PID 2848 wrote to memory of 432	2848	anfusad.exe	5
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1404	2848	anfusad.exe	29
PID 2848 wrote to memory of 1404	2848	anfusad.exe	29
PID 2848 wrote to memory of 1404	2848	anfusad.exe	29
PID 2848 wrote to memory of 1404	2848	anfusad.exe	29
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21
PID 2848 wrote to memory of 1256	2848	anfusad.exe	21

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\efec8538630a73037398074d1463763821e0c7431e731bf9f452133017e87ffb.exe
  "C:\Users\Admin\AppData\Local\Temp\efec8538630a73037398074d1463763821e0c7431e731bf9f452133017e87ffb.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\anfusad.exe
    "C:\Windows\system32\anfusad.exe"
    3⤵
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\anfusad.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\eanhifeag-ukex.exe

Filesize
73KB

MD5
0fb9095e562b59ead148b0b082dc7f8d

SHA1
4f87d68892a0ba5480a294d4c33f412b26900489

SHA256
61eadca1a88a53a9095e20fa5c2f240c76b5bb659b80939363d32c46789fa767

SHA512
b97b03b6a51b57c8e907058683edfb69f82a3793c409bd547c06edc13b8bbc8940a022423c39a67220dd32e673291cbbde20159bfff70b35a9ea5b07029589ed

Download Submit
C:\Windows\SysWOW64\evmisap.exe

Filesize
72KB

MD5
05963872aec698708ac30d3572a1963c

SHA1
afe002950ec781a4779e3af402b3d63b74563d11

SHA256
82fea6228d512a71612526366e72d89138c0ba4d808d71878dd3b22ca13c53e4

SHA512
4dc8d97c8e1e4a23151bfe573222ded0ed1d71c5166a784fe09954f1f096d5d414b970374144a2ec63c07d0389f428c70f779c934ba7b0646a96845723fb9b76

Download Submit
C:\Windows\SysWOW64\ohximas.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
\Windows\SysWOW64\anfusad.exe

Filesize
70KB

MD5
13d1a63206573d24bb94180f2f85b474

SHA1
d8c5c0faf95ed315d20997d8a4cd0cda88b83daa

SHA256
efec8538630a73037398074d1463763821e0c7431e731bf9f452133017e87ffb

SHA512
cc8c73f6a64de57a906940499e84c708bbfe02a34a4abcd07bec3a250927c04fa76ed2fe5e55289712d0b735351087759151ca12e5fc6bbbdbd04a4e48aadf17

Download Submit
memory/1404-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2304-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2848-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download