66ca41dc74ec8dbf2262d7d2315f34be27829d880537685a46ca20366ee67676

General

Target

66ca41dc74ec8dbf2262d7d2315f34be27829d880537685a46ca20366ee67676.exe
Size

70KB
MD5

827081eef76d2e7062778e184e4f665e
SHA1

8acbcd830bbe64853df8b04bf4a30296169fea6f
SHA256

66ca41dc74ec8dbf2262d7d2315f34be27829d880537685a46ca20366ee67676
SHA512

f73abe9904af37c709a68b19b27301b8b275b1ec53f37b7255d4058fd7622a1bc3a963fc9483c81bb302bc775def821790076fd333c81a1554d57b26e4fe4051
SSDEEP

1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8/x/:Olg35GTslA5t3/w8p

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

etveahoos-iteas.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	etveahoos-iteas.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	etveahoos-iteas.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	etveahoos-iteas.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	etveahoos-iteas.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

etveahoos-iteas.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E515054-544d-524d-4E51-5054544D524d}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	etveahoos-iteas.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E515054-544d-524d-4E51-5054544D524d}\IsInstalled = "1"	etveahoos-iteas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E515054-544d-524d-4E51-5054544D524d}\StubPath = "C:\\Windows\\system32\\udbuxuv-oxum.exe"	etveahoos-iteas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E515054-544d-524d-4E51-5054544D524d}	etveahoos-iteas.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

etveahoos-iteas.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	etveahoos-iteas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	etveahoos-iteas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ontoocad-itex.exe"	etveahoos-iteas.exe

Executes dropped EXE 2 IoCs

Processes:

etveahoos-iteas.exeetveahoos-iteas.exe

pid process

1312 etveahoos-iteas.exe
3960 etveahoos-iteas.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

etveahoos-iteas.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	etveahoos-iteas.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	etveahoos-iteas.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	etveahoos-iteas.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	etveahoos-iteas.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

etveahoos-iteas.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	etveahoos-iteas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	etveahoos-iteas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	etveahoos-iteas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\incoohoas-eafex.dll"	etveahoos-iteas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	etveahoos-iteas.exe

Drops file in System32 directory 9 IoCs

Processes:

66ca41dc74ec8dbf2262d7d2315f34be27829d880537685a46ca20366ee67676.exeetveahoos-iteas.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\etveahoos-iteas.exe	66ca41dc74ec8dbf2262d7d2315f34be27829d880537685a46ca20366ee67676.exe
File created	C:\Windows\SysWOW64\etveahoos-iteas.exe	66ca41dc74ec8dbf2262d7d2315f34be27829d880537685a46ca20366ee67676.exe
File opened for modification	C:\Windows\SysWOW64\ontoocad-itex.exe	etveahoos-iteas.exe
File opened for modification	C:\Windows\SysWOW64\udbuxuv-oxum.exe	etveahoos-iteas.exe
File created	C:\Windows\SysWOW64\ontoocad-itex.exe	etveahoos-iteas.exe
File created	C:\Windows\SysWOW64\udbuxuv-oxum.exe	etveahoos-iteas.exe
File opened for modification	C:\Windows\SysWOW64\incoohoas-eafex.dll	etveahoos-iteas.exe
File created	C:\Windows\SysWOW64\incoohoas-eafex.dll	etveahoos-iteas.exe
File opened for modification	C:\Windows\SysWOW64\etveahoos-iteas.exe	etveahoos-iteas.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

etveahoos-iteas.exeetveahoos-iteas.exe

pid	process
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
3960	etveahoos-iteas.exe
3960	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe
1312	etveahoos-iteas.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

66ca41dc74ec8dbf2262d7d2315f34be27829d880537685a46ca20366ee67676.exeetveahoos-iteas.exe

description	pid	process
Token: SeDebugPrivilege	4756	66ca41dc74ec8dbf2262d7d2315f34be27829d880537685a46ca20366ee67676.exe
Token: SeDebugPrivilege	1312	etveahoos-iteas.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

66ca41dc74ec8dbf2262d7d2315f34be27829d880537685a46ca20366ee67676.exeetveahoos-iteas.exe

description	pid	process	target process
PID 4756 wrote to memory of 1312	4756	66ca41dc74ec8dbf2262d7d2315f34be27829d880537685a46ca20366ee67676.exe	etveahoos-iteas.exe
PID 4756 wrote to memory of 1312	4756	66ca41dc74ec8dbf2262d7d2315f34be27829d880537685a46ca20366ee67676.exe	etveahoos-iteas.exe
PID 4756 wrote to memory of 1312	4756	66ca41dc74ec8dbf2262d7d2315f34be27829d880537685a46ca20366ee67676.exe	etveahoos-iteas.exe
PID 1312 wrote to memory of 608	1312	etveahoos-iteas.exe	winlogon.exe
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3960	1312	etveahoos-iteas.exe	etveahoos-iteas.exe
PID 1312 wrote to memory of 3960	1312	etveahoos-iteas.exe	etveahoos-iteas.exe
PID 1312 wrote to memory of 3960	1312	etveahoos-iteas.exe	etveahoos-iteas.exe
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE
PID 1312 wrote to memory of 3572	1312	etveahoos-iteas.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\66ca41dc74ec8dbf2262d7d2315f34be27829d880537685a46ca20366ee67676.exe
"C:\Users\Admin\AppData\Local\Temp\66ca41dc74ec8dbf2262d7d2315f34be27829d880537685a46ca20366ee67676.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\etveahoos-iteas.exe
"C:\Windows\system32\etveahoos-iteas.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\etveahoos-iteas.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\etveahoos-iteas.exe

Filesize
70KB

MD5
827081eef76d2e7062778e184e4f665e

SHA1
8acbcd830bbe64853df8b04bf4a30296169fea6f

SHA256
66ca41dc74ec8dbf2262d7d2315f34be27829d880537685a46ca20366ee67676

SHA512
f73abe9904af37c709a68b19b27301b8b275b1ec53f37b7255d4058fd7622a1bc3a963fc9483c81bb302bc775def821790076fd333c81a1554d57b26e4fe4051

Download Submit
C:\Windows\SysWOW64\incoohoas-eafex.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\ontoocad-itex.exe

Filesize
73KB

MD5
ecd13ae8816a0870a8341455a48b96d7

SHA1
a11dba78c599655f053ce9a6770f4c2e4602a75c

SHA256
0bba959dcb5c86bd51d109b8e8a964b0c91c591808e498b025d94f026d0526c5

SHA512
704ec06f50759310500e4f9f84adf1fbdf472f19d064b37982038c886b9f3ec77ad58892b579c32074c10a3c44fd276a578c878cc05d3810d569a7a6c6640c2e

Download Submit
C:\Windows\SysWOW64\udbuxuv-oxum.exe

Filesize
72KB

MD5
5e0e0d949c896999829091efdee0d6dd

SHA1
c1f1488579923c1faa2434124a536ffeaabb4ea1

SHA256
417fa49c8adbcab3614d53b709be5fd9005b229c5eb3f53f76d2611fc6d05341

SHA512
f616c49567089aa6e7e26bf5052589768384d6abbe38615b538d4b4ebaf20f4ed12b922fd0c9818337b45226bdd59ef3e0b797be9ecff39397c31caad3c29102

Download Submit
memory/1312-49-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3960-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4756-4-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads