Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
22-05-2024 20:32
General
-
Target
34d754bcf0f8295bb65e4e56e5281b0f8440067306b747be4dbdd6c21cc290a1.exe
-
Size
73KB
-
MD5
18b7533cf929fcb5f60c84b18def4070
-
SHA1
8ef57bb1191e70a4b8476e4967803650d67736c3
-
SHA256
34d754bcf0f8295bb65e4e56e5281b0f8440067306b747be4dbdd6c21cc290a1
-
SHA512
32d92b351fe321d86d05723c5ddafe63aad2b1532ccdccad15ee48efa4a9e46f75db52474d840ce8ea64fdba3aff79d19d23918eba7a829f9b6d0f8a8817c993
-
SSDEEP
768:x/ngseFPR3dwG0XD0kfLkctfkx1/pbFuWnJWFwnpmkFzCfxUOxrlpZ+pZk7/NQ5z:xfE3dF0XD0CLX2pbP0ue66aC/NQx
Malware Config
Signatures
-
Windows security bypass 2 TTPs 4 IoCs
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
Sets file execution options in registry 2 TTPs 3 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Windows security modification 2 TTPs 4 IoCs
-
Modifies WinLogon 2 TTPs 5 IoCs
-
Drops file in System32 directory 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\34d754bcf0f8295bb65e4e56e5281b0f8440067306b747be4dbdd6c21cc290a1.exe"C:\Users\Admin\AppData\Local\Temp\34d754bcf0f8295bb65e4e56e5281b0f8440067306b747be4dbdd6c21cc290a1.exe"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\earmeaxig.exe"C:\Windows\SysWOW64\earmeaxig.exe"3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\earmeaxig.exe--k33p4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\cludoax-ehur.exeFilesize
74KB
MD5d08caa5bc9ad3188d9057b022a439f7a
SHA13e6b0b1131b427e1b3361424cbe9b5b8462e08af
SHA256660729a5fdf8bc6df7c1b3bf0df67e2560b4bb5315ca217ba77791de5359c649
SHA512a08031b8dd3f56fcd9ef913ac5c0cd9f09442ed29acc97a81842e0a09a0fd7b5212bb0f3802a15ab7673c1cbfecbfc550a2be57dcebd4e000e917bb093cdb49b
-
C:\Windows\SysWOW64\orfeavoon.dllFilesize
5KB
MD5f37b21c00fd81bd93c89ce741a88f183
SHA1b2796500597c68e2f5638e1101b46eaf32676c1c
SHA25676cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
-
C:\Windows\SysWOW64\tsoareat.exeFilesize
73KB
MD56ddbc31895347cd5fbebed0517b11fa9
SHA1c9dc1ccbf81e085be74867a4a98dad205b8756dd
SHA256a0ce55f265123aa7bd1b573db6266fc4668b770605645dfbe4ff6b4eb4af3207
SHA512f6c25b79a770b870326af134df34fd6dae6e8a93e76b47b28f36dcbd235f1d18a172b970a17bd2caab41469a3cd08f921424303c592131715b7962ea350004b1
-
\Windows\SysWOW64\earmeaxig.exeFilesize
71KB
MD560fde4bf512cfbea0920454edc07eb6d
SHA173e6735d2c4566b762a8fa48375b9e00f836c3ad
SHA256627728ac73566d8adcb874d89f7eefbe241867e2def92c8b7b339c5c3242e0f1
SHA512d0b7b04b996aaa3c05b435fe1bf19f4b792359102c0fe8adca94835659cc6126b2cb324b577a53af5cb026faee5d451ba2219427337912935e2f78ca3fcf51e3
-
memory/1288-7-0x0000000000400000-0x0000000000403000-memory.dmpFilesize
12KB
-
memory/1680-54-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1784-53-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB