Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
14/05/2024, 21:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
42c72f515a28a2465a57e8e2374ea9ea827172e4999e75e6a786a766236011e0.exe
Resource
win7-20240508-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
42c72f515a28a2465a57e8e2374ea9ea827172e4999e75e6a786a766236011e0.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
42c72f515a28a2465a57e8e2374ea9ea827172e4999e75e6a786a766236011e0.exe
-
Size
71KB
-
MD5
52567479f68068d365c58c78a5f71b1b
-
SHA1
040258d09fc7fb974bca9e214416a5a806a2e3b8
-
SHA256
42c72f515a28a2465a57e8e2374ea9ea827172e4999e75e6a786a766236011e0
-
SHA512
3bb1003acf142a35bca807a477d292f3240d077193ae40530e8fba2da2c88f92a7701024c37b49d9e2ed85e9f47784385fd7d58e6a5eac95633dea3fe3fa1689
-
SSDEEP
1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8sl6:Olg35GTslA5t3/w8F
Score
10/10
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" oucmohoat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" oucmohoat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" oucmohoat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" oucmohoat.exe -
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554F5448-4350-4851-554F-544843504851}\StubPath = "C:\\Windows\\system32\\oulxekoas-eafix.exe" oucmohoat.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554F5448-4350-4851-554F-544843504851} oucmohoat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554F5448-4350-4851-554F-544843504851}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" oucmohoat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554F5448-4350-4851-554F-544843504851}\IsInstalled = "1" oucmohoat.exe -
Sets file execution options in registry 2 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe oucmohoat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" oucmohoat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ihcexam-eafat.exe" oucmohoat.exe -
Executes dropped EXE 2 IoCs
pid Process 1844 oucmohoat.exe 3016 oucmohoat.exe -
Loads dropped DLL 3 IoCs
pid Process 2176 42c72f515a28a2465a57e8e2374ea9ea827172e4999e75e6a786a766236011e0.exe 2176 42c72f515a28a2465a57e8e2374ea9ea827172e4999e75e6a786a766236011e0.exe 1844 oucmohoat.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" oucmohoat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" oucmohoat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" oucmohoat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" oucmohoat.exe -
Modifies WinLogon 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" oucmohoat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ovlooxon-iseab.dll" oucmohoat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" oucmohoat.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} oucmohoat.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify oucmohoat.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\oucmohoat.exe 42c72f515a28a2465a57e8e2374ea9ea827172e4999e75e6a786a766236011e0.exe File created C:\Windows\SysWOW64\ihcexam-eafat.exe oucmohoat.exe File opened for modification C:\Windows\SysWOW64\ovlooxon-iseab.dll oucmohoat.exe File created C:\Windows\SysWOW64\ovlooxon-iseab.dll oucmohoat.exe File opened for modification C:\Windows\SysWOW64\oucmohoat.exe oucmohoat.exe File opened for modification C:\Windows\SysWOW64\oucmohoat.exe 42c72f515a28a2465a57e8e2374ea9ea827172e4999e75e6a786a766236011e0.exe File opened for modification C:\Windows\SysWOW64\ihcexam-eafat.exe oucmohoat.exe File opened for modification C:\Windows\SysWOW64\oulxekoas-eafix.exe oucmohoat.exe File created C:\Windows\SysWOW64\oulxekoas-eafix.exe oucmohoat.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 3016 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe 1844 oucmohoat.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2176 42c72f515a28a2465a57e8e2374ea9ea827172e4999e75e6a786a766236011e0.exe Token: SeDebugPrivilege 1844 oucmohoat.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2176 wrote to memory of 1844 2176 42c72f515a28a2465a57e8e2374ea9ea827172e4999e75e6a786a766236011e0.exe 28 PID 2176 wrote to memory of 1844 2176 42c72f515a28a2465a57e8e2374ea9ea827172e4999e75e6a786a766236011e0.exe 28 PID 2176 wrote to memory of 1844 2176 42c72f515a28a2465a57e8e2374ea9ea827172e4999e75e6a786a766236011e0.exe 28 PID 2176 wrote to memory of 1844 2176 42c72f515a28a2465a57e8e2374ea9ea827172e4999e75e6a786a766236011e0.exe 28 PID 1844 wrote to memory of 432 1844 oucmohoat.exe 5 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 3016 1844 oucmohoat.exe 29 PID 1844 wrote to memory of 3016 1844 oucmohoat.exe 29 PID 1844 wrote to memory of 3016 1844 oucmohoat.exe 29 PID 1844 wrote to memory of 3016 1844 oucmohoat.exe 29 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21 PID 1844 wrote to memory of 1208 1844 oucmohoat.exe 21
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1208
-
C:\Users\Admin\AppData\Local\Temp\42c72f515a28a2465a57e8e2374ea9ea827172e4999e75e6a786a766236011e0.exe"C:\Users\Admin\AppData\Local\Temp\42c72f515a28a2465a57e8e2374ea9ea827172e4999e75e6a786a766236011e0.exe"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\oucmohoat.exe"C:\Windows\system32\oucmohoat.exe"3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\oucmohoat.exe--k33p4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3016
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74KB
MD58e939a4f264692c2ad5b4b523e977a20
SHA1d11f18f548659ae87ca04b8b6485ecc86c651da1
SHA256f2f371809566a0fe11b07ea714d7bed41004d740b832dd8b2b23e54aed24a705
SHA5124c7c681ae16ca7fe21d0ca4f51d1bb3ad29ee70fc2cd8f63602beb7e58e650928aa9086d614485734bbc85842ded5e026c012412820a98ff52da36bfe4179ec6
-
Filesize
71KB
MD552567479f68068d365c58c78a5f71b1b
SHA1040258d09fc7fb974bca9e214416a5a806a2e3b8
SHA25642c72f515a28a2465a57e8e2374ea9ea827172e4999e75e6a786a766236011e0
SHA5123bb1003acf142a35bca807a477d292f3240d077193ae40530e8fba2da2c88f92a7701024c37b49d9e2ed85e9f47784385fd7d58e6a5eac95633dea3fe3fa1689
-
Filesize
73KB
MD5b2890532589bd623d57c83862120bc30
SHA18c3e2315d9546e31dca3ce863982b302d32d36f1
SHA25646d5d21c3794482ca05e1ea1d7f11c4e322073307865ed43a364e0a7caaf31b9
SHA512bc5ad22d21c2cbc0d0ba8116d612be6d428f9732cfe2b3b852f53f531f66cc795b9c6b2d292310e0e6f3bfca250f1e0661abb66ce663b8ba6e4abcf1df411599
-
Filesize
5KB
MD5f37b21c00fd81bd93c89ce741a88f183
SHA1b2796500597c68e2f5638e1101b46eaf32676c1c
SHA25676cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4