c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233

General

Target

c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe
Size

70KB
MD5

7f406fc6a7e4013ea459b251fba48f90
SHA1

3bc33b0508215db65991f2ff0be1dbadcfcba83e
SHA256

c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233
SHA512

8dac69c8b72b91512d970e39eaa0fc89fa58fd2bae3b09f91a53d652fc46eed2d7899166fa3664c50a4b762df9ad5d5f0b67798fb36002ec60302bc7ac56187e
SSDEEP

1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8K8WoA:Olg35GTslA5t3/w8KZP

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ufxuhov.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ufxuhov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ufxuhov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ufxuhov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ufxuhov.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ufxuhov.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51475451-5a54-5245-5147-54515A545245}	ufxuhov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51475451-5a54-5245-5147-54515A545245}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	ufxuhov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51475451-5a54-5245-5147-54515A545245}\IsInstalled = "1"	ufxuhov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51475451-5a54-5245-5147-54515A545245}\StubPath = "C:\\Windows\\system32\\kfetoab-erat.exe"	ufxuhov.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ufxuhov.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	ufxuhov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	ufxuhov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\upcukoar.exe"	ufxuhov.exe

Executes dropped EXE 2 IoCs

Processes:

ufxuhov.exeufxuhov.exe

pid process

3052 ufxuhov.exe
2604 ufxuhov.exe

Loads dropped DLL 3 IoCs

Processes:

c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exeufxuhov.exe

pid	process
2340	c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe
2340	c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe
3052	ufxuhov.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ufxuhov.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ufxuhov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ufxuhov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ufxuhov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ufxuhov.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ufxuhov.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	ufxuhov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	ufxuhov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	ufxuhov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	ufxuhov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ivtoaheah.dll"	ufxuhov.exe

Drops file in System32 directory 9 IoCs

Processes:

ufxuhov.exec67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ufxuhov.exe	ufxuhov.exe
File opened for modification	C:\Windows\SysWOW64\kfetoab-erat.exe	ufxuhov.exe
File created	C:\Windows\SysWOW64\kfetoab-erat.exe	ufxuhov.exe
File opened for modification	C:\Windows\SysWOW64\ivtoaheah.dll	ufxuhov.exe
File created	C:\Windows\SysWOW64\ivtoaheah.dll	ufxuhov.exe
File opened for modification	C:\Windows\SysWOW64\ufxuhov.exe	c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe
File created	C:\Windows\SysWOW64\ufxuhov.exe	c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe
File opened for modification	C:\Windows\SysWOW64\upcukoar.exe	ufxuhov.exe
File created	C:\Windows\SysWOW64\upcukoar.exe	ufxuhov.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ufxuhov.exeufxuhov.exe

pid	process
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
2604	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe
3052	ufxuhov.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exeufxuhov.exe

description	pid	process
Token: SeDebugPrivilege	2340	c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe
Token: SeDebugPrivilege	3052	ufxuhov.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exeufxuhov.exe

description	pid	process	target process
PID 2340 wrote to memory of 3052	2340	c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe	ufxuhov.exe
PID 2340 wrote to memory of 3052	2340	c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe	ufxuhov.exe
PID 2340 wrote to memory of 3052	2340	c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe	ufxuhov.exe
PID 2340 wrote to memory of 3052	2340	c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe	ufxuhov.exe
PID 3052 wrote to memory of 436	3052	ufxuhov.exe	winlogon.exe
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 2604	3052	ufxuhov.exe	ufxuhov.exe
PID 3052 wrote to memory of 2604	3052	ufxuhov.exe	ufxuhov.exe
PID 3052 wrote to memory of 2604	3052	ufxuhov.exe	ufxuhov.exe
PID 3052 wrote to memory of 2604	3052	ufxuhov.exe	ufxuhov.exe
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE
PID 3052 wrote to memory of 1152	3052	ufxuhov.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe
"C:\Users\Admin\AppData\Local\Temp\c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\ufxuhov.exe
"C:\Windows\system32\ufxuhov.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\ufxuhov.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ivtoaheah.dll
Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\kfetoab-erat.exe
Filesize
73KB

MD5
07797b8f55b0b141260ab9b3efc0521a

SHA1
fdfa7a51bf4fc1449604736b4a25ac458c99515d

SHA256
f0b805bed99bf3e282bb1e5fedfddfc75c77fd9250f55b644f5209688e2c67ae

SHA512
964e944d052a22ea71b068c10cd43202dea349aa29e4ec59ab2da642e0ed8ee3eac41331b9b3f972a0f0a7183a5e9328425fddbc7e1eed4038bd6dd7ff1e6ce6

Download Submit
C:\Windows\SysWOW64\upcukoar.exe
Filesize
74KB

MD5
7dc58356dbb2d03e8f42e5cae2392f70

SHA1
4750b8150d1bea680d9e0e23c33bec232b01b1a0

SHA256
f56e028869f78bf7403b40f738c90cc30dce40f869af7c50f6a5b1639a2a3fb5

SHA512
179e3c4103ad3947a6b1c53ead85d2be2d599941b896647d5ca070f19b4c7cad4093b2a97d1af3644118ff43d953c8c099cd5e9e5ef132c7e2a566db72ed01d9

Download Submit
\Windows\SysWOW64\ufxuhov.exe
Filesize
70KB

MD5
7f406fc6a7e4013ea459b251fba48f90

SHA1
3bc33b0508215db65991f2ff0be1dbadcfcba83e

SHA256
c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233

SHA512
8dac69c8b72b91512d970e39eaa0fc89fa58fd2bae3b09f91a53d652fc46eed2d7899166fa3664c50a4b762df9ad5d5f0b67798fb36002ec60302bc7ac56187e

Download Submit
memory/2340-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2604-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3052-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads