59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407

General

Target

59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exe
Size

69KB
MD5

7c6557fbec09adaab5b2b4f55405f428
SHA1

b7ff118c016cc8a0fb51db8443e6dd9f52a719a2
SHA256

59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407
SHA512

0d679ac779eae4d44af81f4cff38d6c1b7b74c9f73d516d593c1d9889af850024c51397ae24177d43569f684ccd4f5a54b4a2d82491f0e43c06a8c4f46ecea4c
SSDEEP

768:x/nLsOotoORa9BtsKq59qixsiLD908odASouD/7Vs6U2Y6AdYLSQhOauy+G2:xTxd9IKu7v9svDzhkiLSQoauyO

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ealfeheam.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ealfeheam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ealfeheam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ealfeheam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ealfeheam.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ealfeheam.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350}	ealfeheam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	ealfeheam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350}\IsInstalled = "1"	ealfeheam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350}\StubPath = "C:\\Windows\\system32\\outmadat-aheas.exe"	ealfeheam.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ealfeheam.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	ealfeheam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	ealfeheam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ofcoboof-utoot.exe"	ealfeheam.exe

Executes dropped EXE 2 IoCs

Processes:

ealfeheam.exeealfeheam.exe

pid process

2540 ealfeheam.exe
2548 ealfeheam.exe

Loads dropped DLL 3 IoCs

Processes:

59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exeealfeheam.exe

pid	process
2980	59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exe
2980	59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exe
2540	ealfeheam.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ealfeheam.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ealfeheam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ealfeheam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ealfeheam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ealfeheam.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ealfeheam.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	ealfeheam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\enkeaxet-ted.dll"	ealfeheam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	ealfeheam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	ealfeheam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	ealfeheam.exe

Drops file in System32 directory 9 IoCs

Processes:

59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exeealfeheam.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ealfeheam.exe	59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exe
File created	C:\Windows\SysWOW64\enkeaxet-ted.dll	ealfeheam.exe
File opened for modification	C:\Windows\SysWOW64\enkeaxet-ted.dll	ealfeheam.exe
File opened for modification	C:\Windows\SysWOW64\ealfeheam.exe	ealfeheam.exe
File opened for modification	C:\Windows\SysWOW64\ealfeheam.exe	59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exe
File opened for modification	C:\Windows\SysWOW64\ofcoboof-utoot.exe	ealfeheam.exe
File created	C:\Windows\SysWOW64\ofcoboof-utoot.exe	ealfeheam.exe
File opened for modification	C:\Windows\SysWOW64\outmadat-aheas.exe	ealfeheam.exe
File created	C:\Windows\SysWOW64\outmadat-aheas.exe	ealfeheam.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ealfeheam.exeealfeheam.exe

pid	process
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2548	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe
2540	ealfeheam.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ealfeheam.exe

description pid process

Token: SeDebugPrivilege 2540 ealfeheam.exe

description	pid	process
Token: SeDebugPrivilege	2540	ealfeheam.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exeealfeheam.exe

description	pid	process	target process
PID 2980 wrote to memory of 2540	2980	59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exe	ealfeheam.exe
PID 2980 wrote to memory of 2540	2980	59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exe	ealfeheam.exe
PID 2980 wrote to memory of 2540	2980	59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exe	ealfeheam.exe
PID 2980 wrote to memory of 2540	2980	59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exe	ealfeheam.exe
PID 2540 wrote to memory of 2548	2540	ealfeheam.exe	ealfeheam.exe
PID 2540 wrote to memory of 2548	2540	ealfeheam.exe	ealfeheam.exe
PID 2540 wrote to memory of 2548	2540	ealfeheam.exe	ealfeheam.exe
PID 2540 wrote to memory of 2548	2540	ealfeheam.exe	ealfeheam.exe

C:\Users\Admin\AppData\Local\Temp\59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exe
"C:\Users\Admin\AppData\Local\Temp\59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\ealfeheam.exe
"C:\Windows\SysWOW64\ealfeheam.exe"
2⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\ealfeheam.exe
ùù¿çç¤
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\enkeaxet-ted.dll
Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\ofcoboof-utoot.exe
Filesize
70KB

MD5
0937bc9f30e7c4d86b0960522f5c9ec1

SHA1
a068e038d3df530f6601f460069e1835c0591428

SHA256
f646833166ad9abf5c4e2b3b230d4131ecd3590e749adf910ef8c8b0bafc7530

SHA512
b35a4e5232bdbc8771b84b4a9152e02cfbf2e60dcca70546ca009c7c0b164161e58de87fb0e6159ef81d69498bee821fa2c217d16dddc4c66d0f3183baafc67c

Download Submit
C:\Windows\SysWOW64\outmadat-aheas.exe
Filesize
69KB

MD5
5c45ca498fb91e1cf61be1a6865c158d

SHA1
2a97d388c7db1a3691f11b857a1ce7af7f66858b

SHA256
b45d07d511a0e198dd646505a6aa863a658f6e1156ac34a231e47adffe5c0f12

SHA512
6b78dbc4df148126fd9235144e1989af83c66984948adf8b4257d2495277e6fafcb74183498fcb768f16239b5d9af5946478f29f800e1c0d916884834ea3492a

Download Submit
\Windows\SysWOW64\ealfeheam.exe
Filesize
67KB

MD5
5c6e8189c1ae7cfb2b9493c6121995d8

SHA1
b46b2e986e880aca8bdb63008218488280530d09

SHA256
09cbbc0b2a61ecda91137bf5d8c67dbb9bb4f3f942facbb167a8343cb9c45506

SHA512
32d7a81c1245e58b116ba0dec82126f6611dae64f7ee856e4e8d159332a60c34048d09e8d2a1a159ac6b1e4bd9246c16662a4c2acb21cc506f5a96bb02929068

Download Submit
memory/2540-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2548-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2980-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads