Analysis
max time kernel: 149s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 01:39
Static task: static1
Behavioral task: behavioral1
  Sample: aaec7ef1b6f2223da8f1bbef15b6d0760ae5420bd578db08f70446a2525bf4cc.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: aaec7ef1b6f2223da8f1bbef15b6d0760ae5420bd578db08f70446a2525bf4cc.exe
  Resource: win10v2004-20240508-en
General
Target: aaec7ef1b6f2223da8f1bbef15b6d0760ae5420bd578db08f70446a2525bf4cc.exe
Size: 73KB
MD5: 6cea987e3925dec04a2e7be5e8a9dbd1
SHA1: 2700ac62ef88b230c9d63021dfb1c0e9e827bd41
SHA256: aaec7ef1b6f2223da8f1bbef15b6d0760ae5420bd578db08f70446a2525bf4cc
SHA512: 4efb8bedcb33bedd5f0f1c50a130a498923656893aea288848321c70bcabe64eb9d10d627ba75cb7ae86c3eda5cc64aba188217879bbc2c06e46d6ab66c21c47
SSDEEP: 1536:xPhWNc6tJBsHnsim25qCp7nwHyxTQrQRLIDU:xKR4sf25qCp7wHyxEc7
Malware Config
Signatures
Windows security bypass 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | amhecar-icix.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | amhecar-icix.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | amhecar-icix.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | amhecar-icix.exe
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}\IsInstalled = "1" | amhecar-icix.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}\StubPath = "C:\\Windows\\system32\\eamdoafar.exe" | amhecar-icix.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945} | amhecar-icix.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | amhecar-icix.exe

Sets file execution options in registry 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | amhecar-icix.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\eashafep-eaxoab.exe" | amhecar-icix.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | amhecar-icix.exe

Executes dropped EXE 2 IoCs
pid | Process
1040 | amhecar-icix.exe
4644 | amhecar-icix.exe
Windows security modification 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | amhecar-icix.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | amhecar-icix.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | amhecar-icix.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | amhecar-icix.exe
Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | amhecar-icix.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | amhecar-icix.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | amhecar-icix.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eaktodah.dll" | amhecar-icix.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | amhecar-icix.exe

Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\amhecar-icix.exe | aaec7ef1b6f2223da8f1bbef15b6d0760ae5420bd578db08f70446a2525bf4cc.exe
File opened for modification | C:\Windows\SysWOW64\eashafep-eaxoab.exe | amhecar-icix.exe
File created | C:\Windows\SysWOW64\eashafep-eaxoab.exe | amhecar-icix.exe
File created | C:\Windows\SysWOW64\eaktodah.dll | amhecar-icix.exe
File opened for modification | C:\Windows\SysWOW64\amhecar-icix.exe | amhecar-icix.exe
File opened for modification | C:\Windows\SysWOW64\amhecar-icix.exe | aaec7ef1b6f2223da8f1bbef15b6d0760ae5420bd578db08f70446a2525bf4cc.exe
File opened for modification | C:\Windows\SysWOW64\eamdoafar.exe | amhecar-icix.exe
File created | C:\Windows\SysWOW64\eamdoafar.exe | amhecar-icix.exe
File opened for modification | C:\Windows\SysWOW64\eaktodah.dll | amhecar-icix.exe
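The registry signatures above are four classic persistence and defense-evasion locations: an IFEO Debugger on explorer.exe (so launching Explorer runs eashafep-eaxoab.exe), an Active Setup StubPath, a Winlogon\Notify DLLName, and the legacy Security Center notification switches. Note that a 32-bit process (the sample runs from SysWOW64) had its Security Center, Active Setup and Winlogon writes redirected to the WOW6432Node view, while the IFEO write landed at the native path, which is consistent with IFEO being shared between the two views; a hunt that only reads the native view misses three of the four. The script below is an added example for auditing a live host for these locations and the drop names listed in the signatures. It is not part of the sandbox report: only the indicator names and paths are taken from the report, and the allow-listing heuristics (Microsoft-signed StubPath targets, System32 as the trusted source directory) are this example's assumptions.

```powershell
# Added example (not part of the sandbox report): audit the persistence / defense-evasion
# registry locations and SysWOW64 drop names from the signatures above. Indicator names and
# paths come from the report; the checks and their heuristics are this example's assumptions.
$ErrorActionPreference = 'SilentlyContinue'
$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Location, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Location = $Location; Detail = $Detail })
}

# Pull the executable out of a StubPath-style command line so it can be signature-checked.
function Get-ExeFromCommandLine([string]$CommandLine) {
    $c = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($c.StartsWith('"')) { $exe = $c.Substring(1, $c.IndexOf('"', 1) - 1) }
    else {
        $m = [regex]::Match($c, '^(.+?\.(exe|dll))', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { ($c -split '\s+')[0] }
    }
    if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path "$env:SystemRoot\System32" $exe }
    return $exe
}
function Test-MicrosoftSigned([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

# 1. IFEO Debugger (report: ...\Image File Execution Options\explorer.exe\Debugger).
#    Any Debugger value you did not set yourself is a finding; one view is enough here.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($k in Get-ChildItem -LiteralPath $ifeo) {
    $dbg = (Get-ItemProperty -LiteralPath $k.PSPath).Debugger
    if ($dbg) { Add-Finding 'IFEO Debugger' $k.PSChildName $dbg }
}

# 2. Active Setup StubPath and 3. Winlogon\Notify: the report wrote the WOW6432Node view,
#    so check both the native and the 32-bit view.
foreach ($view in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
    $active = "HKLM:\$view\Microsoft\Active Setup\Installed Components"
    foreach ($k in Get-ChildItem -LiteralPath $active) {
        $stub = (Get-ItemProperty -LiteralPath $k.PSPath).StubPath
        if ($stub -and -not (Test-MicrosoftSigned (Get-ExeFromCommandLine $stub))) {
            Add-Finding 'Active Setup StubPath (target missing or not Microsoft-signed)' "$view\...\$($k.PSChildName)" $stub
        }
    }
    # Winlogon notification packages have not been loaded since Windows Vista, so any subkey
    # here on a current Windows is either leftover residue or malware writing a legacy location.
    $notify = "HKLM:\$view\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
    foreach ($k in Get-ChildItem -LiteralPath $notify) {
        $dll = (Get-ItemProperty -LiteralPath $k.PSPath).DLLName
        Add-Finding 'Winlogon Notify subkey' "$view\...\$($k.PSChildName)" $(if ($dll) { $dll } else { '(no DLLName)' })
    }
}

# 4. Legacy Security Center switches. The report sets them to 25600 (0x6400) rather than 1;
#    on current Windows they do little, but any non-zero value is a distinctive artefact.
$scValues = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify', 'AntiVirusOverride', 'FirewallOverride'
foreach ($view in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
    $sc = Get-ItemProperty -LiteralPath "HKLM:\$view\Microsoft\Security Center"
    foreach ($v in $scValues) {
        if ($sc.$v) { Add-Finding 'Security Center switch non-zero' "$view\Microsoft\Security Center\$v" ('{0} (0x{0:X})' -f [int]$sc.$v) }
    }
}

# 5. File names dropped in this run (from the report). Names are sample-specific, so a hit
#    here confirms this sample rather than detecting the family in general.
$dropped = 'amhecar-icix.exe', 'eashafep-eaxoab.exe', 'eamdoafar.exe', 'eaktodah.dll'
foreach ($dir in "$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32") {
    foreach ($n in $dropped) {
        $p = Join-Path $dir $n
        if (Test-Path -LiteralPath $p) {
            Add-Finding 'Dropped file present' $p (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

$Findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell on the suspect host. The StubPath check is a review list, not a verdict: catalog-signed Windows binaries normally verify as Valid, but third-party installers legitimately register their own stubs, so compare any hit against a known-good machine before acting on it.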
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1040 | amhecar-icix.exe (62 of the 64 entries)
4644 | amhecar-icix.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1040 | amhecar-icix.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5112 wrote to memory of 1040 | 5112 | aaec7ef1b6f2223da8f1bbef15b6d0760ae5420bd578db08f70446a2525bf4cc.exe | 82 (3 entries)
PID 1040 wrote to memory of 4644 | 1040 | amhecar-icix.exe | 83 (3 entries)
PID 1040 wrote to memory of 624 | 1040 | amhecar-icix.exe | 5 (1 entry; PID 624 is winlogon.exe)
PID 1040 wrote to memory of 3508 | 1040 | amhecar-icix.exe | 56 (remaining 57 entries; PID 3508 is Explorer.EXE)
Processes
C:\Windows\system32\winlogon.exe | command line: winlogon.exe | depth 1 | PID 624
C:\Windows\Explorer.EXE | command line: C:\Windows\Explorer.EXE | depth 1 | PID 3508
  C:\Users\Admin\AppData\Local\Temp\aaec7ef1b6f2223da8f1bbef15b6d0760ae5420bd578db08f70446a2525bf4cc.exe | command line: "C:\Users\Admin\AppData\Local\Temp\aaec7ef1b6f2223da8f1bbef15b6d0760ae5420bd578db08f70446a2525bf4cc.exe" | depth 2 | PID 5112
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\amhecar-icix.exe | command line: "C:\Windows\SysWOW64\amhecar-icix.exe" | depth 3 | PID 1040
      - Windows security bypass
      - Modifies Installed Components in the registry
      - Sets file execution options in registry
      - Executes dropped EXE
      - Windows security modification
      - Modifies WinLogon
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\amhecar-icix.exe | command line: --k33p | depth 4 | PID 4644
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
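The WriteProcessMemory signature and the process tree together describe the behaviour a detection engineer would key on: a freshly dropped SysWOW64 binary (PID 1040) takes SeDebugPrivilege and then writes into winlogon.exe (PID 624) and Explorer.EXE (PID 3508), neither of which it spawned, as well as into its own child (PID 4644). The function below is an added example of that detection logic expressed over Sysmon Event ID 10 (ProcessAccess) records; it is not part of the sandbox report and the report contains no Sysmon data. The sample events are constructed for this example (they reuse the PIDs and image paths from the tree), the protected-target list and the System32-only trusted-source heuristic are assumptions, and the Get-LiveProcessAccessEvents helper assumes Sysmon is installed with ProcessAccess logging enabled.

```powershell
# Added example (not part of the sandbox report): flag cross-process memory access into
# logon/shell processes, the pattern the WriteProcessMemory rows and process tree show.
# Field names follow Sysmon Event ID 10 (ProcessAccess). Sample events are constructed.

# Access-mask bits from the Win32 PROCESS_* constants.
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_OPERATION  = 0x0008
$PROCESS_VM_WRITE      = 0x0020
$WriteMask = $PROCESS_CREATE_THREAD -bor $PROCESS_VM_OPERATION -bor $PROCESS_VM_WRITE

# Targets worth protecting (assumption: extend to taste). The report shows winlogon and explorer.
$ProtectedTargets  = 'winlogon.exe', 'explorer.exe', 'lsass.exe', 'csrss.exe', 'services.exe'
# Assumption: only System32 (not SysWOW64) binaries may open these for write without review.
$TrustedSourceDirs = "$env:SystemRoot\System32\"

function Test-SuspiciousProcessAccess {
    param([Parameter(Mandatory)][pscustomobject]$Event)
    # Sysmon stores GrantedAccess as a hex string such as "0x1FFFFF"; ToInt32 accepts the 0x prefix.
    $granted = [Convert]::ToInt32($Event.GrantedAccess, 16)
    $writes  = ($granted -band $WriteMask) -ne 0
    $target  = [IO.Path]::GetFileName($Event.TargetImage)
    $trusted = $false
    foreach ($d in $TrustedSourceDirs) {
        if ($Event.SourceImage.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
    }
    return ($writes -and ($ProtectedTargets -contains $target) -and -not $trusted)
}

# Read real Sysmon ProcessAccess events (requires Sysmon with ProcessAccess logging configured).
function Get-LiveProcessAccessEvents([int]$MaxEvents = 5000) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $h = @{}
            foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
            [pscustomobject]$h
        }
}

# Constructed sample events (not from the report): the first two mirror the tree above,
# the last two are benign-looking accesses that the rule should leave alone.
$SampleEvents = @(
    [pscustomobject]@{ SourceProcessId = 1040; SourceImage = 'C:\Windows\SysWOW64\amhecar-icix.exe'; TargetProcessId = 3508; TargetImage = 'C:\Windows\Explorer.EXE';          GrantedAccess = '0x1FFFFF' },
    [pscustomobject]@{ SourceProcessId = 1040; SourceImage = 'C:\Windows\SysWOW64\amhecar-icix.exe'; TargetProcessId = 624;  TargetImage = 'C:\Windows\system32\winlogon.exe'; GrantedAccess = '0x1FFFFF' },
    [pscustomobject]@{ SourceProcessId = 900;  SourceImage = 'C:\Windows\System32\taskmgr.exe';      TargetProcessId = 3508; TargetImage = 'C:\Windows\Explorer.EXE';          GrantedAccess = '0x1000'   },  # QueryLimitedInformation only
    [pscustomobject]@{ SourceProcessId = 600;  SourceImage = 'C:\Windows\System32\csrss.exe';        TargetProcessId = 624;  TargetImage = 'C:\Windows\system32\winlogon.exe'; GrantedAccess = '0x1FFFFF' }
)

$SampleEvents | Where-Object { Test-SuspiciousProcessAccess $_ } |
    Format-Table SourceProcessId, SourceImage, TargetProcessId, TargetImage, GrantedAccess -AutoSize
# Against the samples only the two amhecar-icix.exe rows are reported.
# For a live host: Get-LiveProcessAccessEvents | Where-Object { Test-SuspiciousProcessAccess $_ }
```

The directory allow-list is deliberately crude: it exists to show that the report's writer sits in SysWOW64, not System32, and would be flagged even if its name were unknown. In production, replace it with a signer check or a baseline of known injectors (EDR agents, accessibility tools), and remember that the SeDebugPrivilege adjustment in the tree is not a Sysmon event; pair this with Security event 4703 or 4673 if you want that step too.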
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 71KB
MD5: dd19dba2a7aac9e74936c49269a1f8b7
SHA1: b9e1170f79fb857de9688415177be5a02a9c5622
SHA256: 74c428c44a57307484d5877427e97a37b9d7356ef1e75abdef4db276e8ec958b
SHA512: 06757d070470831ed58596d29fcfca0a7daf1e61e6fab82dd091f953a246bbfa3aa4a5652ea7a40ef35b88176d0e6487c7a951f40d653dbdab82e408aaa53b10

File 2
Filesize: 5KB
MD5: f37b21c00fd81bd93c89ce741a88f183
SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

File 3
Filesize: 73KB
MD5: 894a93157762cda9056174c392eaf903
SHA1: bbfb974cd186a218844d754b1e96237280258608
SHA256: 957720bbb5aa24c29fceafe9f2333d1a573852f15056f7c230a4bd67be84423d
SHA512: 5e403e878cd05ad2688f0a8915dc3bfa45615e7cb4b344378573ffbc8563a3c844693870f73dc44897565a96264ef9638f957007844678e23fca15a81867ddce

File 4
Filesize: 74KB
MD5: 10ce4d5850a9ac11b4d681eefa24e237
SHA1: f9e1cb98a0a0180ca0a84ca1f6c78af4bdb2654d
SHA256: c4498391e77a330c2d94b50857caa6ee944ca79a999057d5c331568c3c31deb1
SHA512: b93b7b2f9f847c815f71bb8d568b21fa0de97f171b4e67d79ba611e962770b0efd73306b1204d8bceee087e8c7c147ef16ea602b5c9d1f68a231314b03bc56f2