Overview

overview

10

Static

static

3

59fcc2c283...07.exe

windows7-x64

10

59fcc2c283...07.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-05-2024 22:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exe

  • Size

    69KB

  • MD5

    7c6557fbec09adaab5b2b4f55405f428

  • SHA1

    b7ff118c016cc8a0fb51db8443e6dd9f52a719a2

  • SHA256

    59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407

  • SHA512

    0d679ac779eae4d44af81f4cff38d6c1b7b74c9f73d516d593c1d9889af850024c51397ae24177d43569f684ccd4f5a54b4a2d82491f0e43c06a8c4f46ecea4c

  • SSDEEP

    768:x/nLsOotoORa9BtsKq59qixsiLD908odASouD/7Vs6U2Y6AdYLSQhOauy+G2:xTxd9IKu7v9svDzhkiLSQoauyO

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Sets file execution options in registry 2 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exe
    "C:\Users\Admin\AppData\Local\Temp\59fcc2c28334ce356e71fbf3562e8c79afdc642494086d2a1e43ab1e09b79407.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\ealfeheam.exe
      "C:\Windows\SysWOW64\ealfeheam.exe"
      2⤵
      • Windows security bypass
      • Modifies Installed Components in the registry
      • Sets file execution options in registry
      • Executes dropped EXE
      • Windows security modification
      • Modifies WinLogon
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Windows\SysWOW64\ealfeheam.exe
        ùù¿çç¤
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

5
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\ealfeheam.exe
    Filesize

    67KB

    MD5

    5c6e8189c1ae7cfb2b9493c6121995d8

    SHA1

    b46b2e986e880aca8bdb63008218488280530d09

    SHA256

    09cbbc0b2a61ecda91137bf5d8c67dbb9bb4f3f942facbb167a8343cb9c45506

    SHA512

    32d7a81c1245e58b116ba0dec82126f6611dae64f7ee856e4e8d159332a60c34048d09e8d2a1a159ac6b1e4bd9246c16662a4c2acb21cc506f5a96bb02929068

    Download Submit
  • C:\Windows\SysWOW64\enkeaxet-ted.dll
    Filesize

    5KB

    MD5

    f37b21c00fd81bd93c89ce741a88f183

    SHA1

    b2796500597c68e2f5638e1101b46eaf32676c1c

    SHA256

    76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

    SHA512

    252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

    Download Submit
  • C:\Windows\SysWOW64\ofcoboof-utoot.exe
    Filesize

    70KB

    MD5

    f2cfd66498932385397842bb3a8b09b2

    SHA1

    6252585639c2507002112f3514ed2a9c12a43e61

    SHA256

    c25d0eb54177e4842d8946c396375f18995ae43c616f76509e453107c7f4226d

    SHA512

    33d700bdb175c4329d894ec714fc973e50f4f596cab42ab4347bb551773694ef56b375c2ce975c6df4c781fd82468daf2db00ce934c92350b4d77a50d591a702

    Download Submit
  • C:\Windows\SysWOW64\outmadat-aheas.exe
    Filesize

    69KB

    MD5

    94ce78d60cd5b86b892e519c45509000

    SHA1

    63d5380d84556ca04025657e7ce98fb32cea4e1f

    SHA256

    8d3c5d47ec829fb23c07d0e953e075c2da16b0dcf0608e6aab2990ec14ccfb5a

    SHA512

    641d47676361d2d5c167528195b248e36faba799e68d42edb4e87c20776e2d3b2f0f3fe8dfdf5662db5353e1d9db292f2f94c29faee44ecade13ae81e6ad0826

    Download Submit
  • memory/1724-3-0x0000000000400000-0x0000000000403000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2336-47-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/4052-48-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download