7bdc9232b71c3aaaee483526abe3b2b633136cdedefbb514f335b96e426971ee

General

Target

7bdc9232b71c3aaaee483526abe3b2b633136cdedefbb514f335b96e426971ee.exe
Size

68KB
MD5

27729fa2a75c8d953c3742976957cb5b
SHA1

7869c34b67d7c855317e96295773dec024fe7a3a
SHA256

7bdc9232b71c3aaaee483526abe3b2b633136cdedefbb514f335b96e426971ee
SHA512

a53b082ae16c06dc9fbd633a2bc46dab8a37ab6729d296620fa51c9f9d27ba8c72c50d3b4a4078e9b7e8b45d99770ae7fdd98578c0971cf4ca5b9ec5b9d79b56
SSDEEP

1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8u:Olg35GTslA5t3/w8u

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

evpikeac.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	evpikeac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	evpikeac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	evpikeac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	evpikeac.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

evpikeac.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52494A54-4f4f-5658-5249-4A544F4F5658}\IsInstalled = "1"	evpikeac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52494A54-4f4f-5658-5249-4A544F4F5658}\StubPath = "C:\\Windows\\system32\\eapleafoab.exe"	evpikeac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52494A54-4f4f-5658-5249-4A544F4F5658}	evpikeac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52494A54-4f4f-5658-5249-4A544F4F5658}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	evpikeac.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

evpikeac.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	evpikeac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	evpikeac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ihseasit.exe"	evpikeac.exe

Executes dropped EXE 2 IoCs

Processes:

evpikeac.exeevpikeac.exe

pid process

740 evpikeac.exe
4940 evpikeac.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

evpikeac.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	evpikeac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	evpikeac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	evpikeac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	evpikeac.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

evpikeac.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	evpikeac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	evpikeac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	evpikeac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ahnupoat-oudat.dll"	evpikeac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	evpikeac.exe

Drops file in System32 directory 9 IoCs

Processes:

evpikeac.exe7bdc9232b71c3aaaee483526abe3b2b633136cdedefbb514f335b96e426971ee.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ahnupoat-oudat.dll	evpikeac.exe
File opened for modification	C:\Windows\SysWOW64\evpikeac.exe	evpikeac.exe
File opened for modification	C:\Windows\SysWOW64\evpikeac.exe	7bdc9232b71c3aaaee483526abe3b2b633136cdedefbb514f335b96e426971ee.exe
File created	C:\Windows\SysWOW64\evpikeac.exe	7bdc9232b71c3aaaee483526abe3b2b633136cdedefbb514f335b96e426971ee.exe
File opened for modification	C:\Windows\SysWOW64\ihseasit.exe	evpikeac.exe
File created	C:\Windows\SysWOW64\ihseasit.exe	evpikeac.exe
File opened for modification	C:\Windows\SysWOW64\eapleafoab.exe	evpikeac.exe
File created	C:\Windows\SysWOW64\eapleafoab.exe	evpikeac.exe
File opened for modification	C:\Windows\SysWOW64\ahnupoat-oudat.dll	evpikeac.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

evpikeac.exeevpikeac.exe

pid	process
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
4940	evpikeac.exe
4940	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe
740	evpikeac.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7bdc9232b71c3aaaee483526abe3b2b633136cdedefbb514f335b96e426971ee.exeevpikeac.exe

description	pid	process
Token: SeDebugPrivilege	4544	7bdc9232b71c3aaaee483526abe3b2b633136cdedefbb514f335b96e426971ee.exe
Token: SeDebugPrivilege	740	evpikeac.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7bdc9232b71c3aaaee483526abe3b2b633136cdedefbb514f335b96e426971ee.exeevpikeac.exe

description	pid	process	target process
PID 4544 wrote to memory of 740	4544	7bdc9232b71c3aaaee483526abe3b2b633136cdedefbb514f335b96e426971ee.exe	evpikeac.exe
PID 4544 wrote to memory of 740	4544	7bdc9232b71c3aaaee483526abe3b2b633136cdedefbb514f335b96e426971ee.exe	evpikeac.exe
PID 4544 wrote to memory of 740	4544	7bdc9232b71c3aaaee483526abe3b2b633136cdedefbb514f335b96e426971ee.exe	evpikeac.exe
PID 740 wrote to memory of 612	740	evpikeac.exe	winlogon.exe
PID 740 wrote to memory of 4940	740	evpikeac.exe	evpikeac.exe
PID 740 wrote to memory of 4940	740	evpikeac.exe	evpikeac.exe
PID 740 wrote to memory of 4940	740	evpikeac.exe	evpikeac.exe
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE
PID 740 wrote to memory of 3540	740	evpikeac.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\7bdc9232b71c3aaaee483526abe3b2b633136cdedefbb514f335b96e426971ee.exe
"C:\Users\Admin\AppData\Local\Temp\7bdc9232b71c3aaaee483526abe3b2b633136cdedefbb514f335b96e426971ee.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\evpikeac.exe
"C:\Windows\system32\evpikeac.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\evpikeac.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ahnupoat-oudat.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\eapleafoab.exe

Filesize
71KB

MD5
f86410648d5795dc59e76267ffb776cb

SHA1
766b03cd6e13fd62d9b9cb789a5afcf6f780a6e3

SHA256
b1fdb40b9482bbeaa66f4f8350af4ce2073daeb34019b0edc217e30ad94ee51f

SHA512
a9506c4d8fb5ac33e058e506c07e9db4fa2b104f57cf20dd777ec0dd08b82d4b37e83bdc6cd83d8613c166e16bc0639957ca0635b8b56190017b59c17775d2ca

Download Submit
C:\Windows\SysWOW64\evpikeac.exe

Filesize
68KB

MD5
27729fa2a75c8d953c3742976957cb5b

SHA1
7869c34b67d7c855317e96295773dec024fe7a3a

SHA256
7bdc9232b71c3aaaee483526abe3b2b633136cdedefbb514f335b96e426971ee

SHA512
a53b082ae16c06dc9fbd633a2bc46dab8a37ab6729d296620fa51c9f9d27ba8c72c50d3b4a4078e9b7e8b45d99770ae7fdd98578c0971cf4ca5b9ec5b9d79b56

Download Submit
C:\Windows\SysWOW64\ihseasit.exe

Filesize
72KB

MD5
691774d1e0bb93dff09da7a2128e558d

SHA1
88f53e7221cb2ad76f1b3a263bb8674f6ad83b7b

SHA256
f55da1675363fb3a84653b26c4c0423a6d75b6965629a0c59087207b9e0a688b

SHA512
f6a2be08ff73871611aeb866bbab48d539dc87da38337f87ce0c1787e673172f87c21b5b29fcae95affffe79f8080c2ceaf9c9aa0976190f37144fe8f8e0a638

Download Submit
memory/740-49-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4544-6-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4940-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads