c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233

General

Target

c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe
Size

70KB
MD5

7f406fc6a7e4013ea459b251fba48f90
SHA1

3bc33b0508215db65991f2ff0be1dbadcfcba83e
SHA256

c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233
SHA512

8dac69c8b72b91512d970e39eaa0fc89fa58fd2bae3b09f91a53d652fc46eed2d7899166fa3664c50a4b762df9ad5d5f0b67798fb36002ec60302bc7ac56187e
SSDEEP

1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8K8WoA:Olg35GTslA5t3/w8KZP

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ufxuhov.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ufxuhov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ufxuhov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ufxuhov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ufxuhov.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ufxuhov.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	ufxuhov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}\IsInstalled = "1"	ufxuhov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}\StubPath = "C:\\Windows\\system32\\kfetoab-erat.exe"	ufxuhov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}	ufxuhov.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ufxuhov.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	ufxuhov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	ufxuhov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\upcukoar.exe"	ufxuhov.exe

Executes dropped EXE 2 IoCs

Processes:

ufxuhov.exeufxuhov.exe

pid process

2416 ufxuhov.exe
3560 ufxuhov.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ufxuhov.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ufxuhov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ufxuhov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ufxuhov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ufxuhov.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ufxuhov.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	ufxuhov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	ufxuhov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	ufxuhov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ivtoaheah.dll"	ufxuhov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	ufxuhov.exe

Drops file in System32 directory 9 IoCs

Processes:

ufxuhov.exec67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ivtoaheah.dll	ufxuhov.exe
File created	C:\Windows\SysWOW64\ivtoaheah.dll	ufxuhov.exe
File opened for modification	C:\Windows\SysWOW64\ufxuhov.exe	ufxuhov.exe
File opened for modification	C:\Windows\SysWOW64\ufxuhov.exe	c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe
File created	C:\Windows\SysWOW64\ufxuhov.exe	c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe
File opened for modification	C:\Windows\SysWOW64\kfetoab-erat.exe	ufxuhov.exe
File opened for modification	C:\Windows\SysWOW64\upcukoar.exe	ufxuhov.exe
File created	C:\Windows\SysWOW64\upcukoar.exe	ufxuhov.exe
File created	C:\Windows\SysWOW64\kfetoab-erat.exe	ufxuhov.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ufxuhov.exeufxuhov.exe

pid	process
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
3560	ufxuhov.exe
3560	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe
2416	ufxuhov.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exeufxuhov.exe

description	pid	process
Token: SeDebugPrivilege	2348	c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe
Token: SeDebugPrivilege	2416	ufxuhov.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exeufxuhov.exe

description	pid	process	target process
PID 2348 wrote to memory of 2416	2348	c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe	ufxuhov.exe
PID 2348 wrote to memory of 2416	2348	c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe	ufxuhov.exe
PID 2348 wrote to memory of 2416	2348	c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe	ufxuhov.exe
PID 2416 wrote to memory of 3560	2416	ufxuhov.exe	ufxuhov.exe
PID 2416 wrote to memory of 3560	2416	ufxuhov.exe	ufxuhov.exe
PID 2416 wrote to memory of 3560	2416	ufxuhov.exe	ufxuhov.exe
PID 2416 wrote to memory of 616	2416	ufxuhov.exe	winlogon.exe
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE
PID 2416 wrote to memory of 3500	2416	ufxuhov.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe
"C:\Users\Admin\AppData\Local\Temp\c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\ufxuhov.exe
"C:\Windows\system32\ufxuhov.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\ufxuhov.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ivtoaheah.dll
Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\kfetoab-erat.exe
Filesize
73KB

MD5
8af396a7c82f5c3d55f7b0b2dee11189

SHA1
beeee9a9eac9b3d2573b25c9c4b612e431f70219

SHA256
8985fbde52c8f921c00b415879fb5d4f1359d78c7c468a5ee0f533cea6777800

SHA512
1b23085cce0edbe9de261d8d1de473406f615b44eafc4bb3162950c4996ab234c0edfae75902ba734293634ea60536a374a835cc5ab0e5852ac1f3bc3d5b8640

Download Submit
C:\Windows\SysWOW64\ufxuhov.exe
Filesize
70KB

MD5
7f406fc6a7e4013ea459b251fba48f90

SHA1
3bc33b0508215db65991f2ff0be1dbadcfcba83e

SHA256
c67a346c6cf5802a82b3b3ef3efaa855101e5955fe29faaf1921e752b455d233

SHA512
8dac69c8b72b91512d970e39eaa0fc89fa58fd2bae3b09f91a53d652fc46eed2d7899166fa3664c50a4b762df9ad5d5f0b67798fb36002ec60302bc7ac56187e

Download Submit
C:\Windows\SysWOW64\upcukoar.exe
Filesize
74KB

MD5
fae55a1d3d1c4dce41d03cdef2a0126d

SHA1
ba475003f883c82dd72ec3941d0f2d59c3588c2b

SHA256
35258c91fd476537e189d85ac76ed78ad024a3e0d4cbefa73787dbf952485c23

SHA512
ee2eef3369537c7a72ee4d5c1451d50e41dba9db4db95496c5ddb079edbfbdc72563cb0137c18d3b662d8f57acecaa1bf05767421bc66e83f4bec2ee6d707246

Download Submit
memory/2348-5-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2416-49-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3560-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads