Analysis
Max time kernel: 150s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19-07-2024 22:23
Behavioral task: behavioral1
Sample: Aeonixx.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: Aeonixx.exe
Resource: win10v2004-20240709-en
General
Target: Aeonixx.exe
Size: 907KB
MD5: 554025c57d014fd5ed8ab159c96da159
SHA1: 2295d41aae469f8252c872eab15f7b5fcd85593c
SHA256: 7634e00a8aa848b561d2d18d78b1bd9fb2f02380418fb8b6b8b36ee4a201106f
SHA512: 125dce70da69479503f6cd42a16518bfd25b993b58499059703ffd8761dfeea71421d5a212ccddd84663e2ec464eb60128c07154d3a4db07fabe31906225a11c
SSDEEP: 12288:C4j4mGk/gKAsEu0Q07J4TpiQlO0Qcuvmxn0HOBJ7V:C2icgKAo0h0piQlO0QkxnRBJ5
Malware Config
Signatures
UAC bypass
description / ioc / Process:
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
Key value queried: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation (Aeonixx.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation (AEONIX.EXE)
Key value queried: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation (PAYLOAD.EXE)
Drops startup file 2 IoCs
description / ioc / Process:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\775de7e7e00d15df96207ab529453f70.exe (dllhost.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\775de7e7e00d15df96207ab529453f70.exe (dllhost.exe)
Executes dropped EXE 4 IoCs
pid / Process:
4972 AEONIX.EXE
1936 PAYLOAD.EXE
4760 S.EXE
1424 dllhost.exe
Adds Run key to start application 2 TTPs 2 IoCs
description / ioc / Process:
Set value (str): \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\775de7e7e00d15df96207ab529453f70 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe\" .." (dllhost.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\775de7e7e00d15df96207ab529453f70 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe\" .." (dllhost.exe)
Launches sc.exe 3 IoCs
sc.exe is a Windows utility to control services on the system.
pid / Process:
4780 sc.exe
4924 sc.exe
3692 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry key 1 TTPs 1 IoCs
pid / Process:
116 reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process (repeated rows collapsed):
4760 S.EXE (2 entries)
1936 PAYLOAD.EXE (all remaining entries)
Suspicious use of AdjustPrivilegeToken 35 IoCs
description / pid / Process (repeated rows collapsed):
Token: SeDebugPrivilege 1936 PAYLOAD.EXE
Token: SeDebugPrivilege 1424 dllhost.exe
Token: SeDebugPrivilege 4456 powershell.exe
Token: 33 1424 dllhost.exe and Token: SeIncBasePriorityPrivilege 1424 dllhost.exe, alternating for all remaining entries
Suspicious use of WriteProcessMemory 46 IoCs
description / pid / Process / procid_target (repeated rows collapsed; repeat count in brackets):
PID 3140 wrote to memory of 4972 | 3140 | Aeonixx.exe | 84 [3]
PID 4972 wrote to memory of 1936 | 4972 | AEONIX.EXE | 85 [3]
PID 4972 wrote to memory of 4760 | 4972 | AEONIX.EXE | 86 [2]
PID 4760 wrote to memory of 4748 | 4760 | S.EXE | 89 [2]
PID 1936 wrote to memory of 1424 | 1936 | PAYLOAD.EXE | 97 [3]
PID 1424 wrote to memory of 4396 | 1424 | dllhost.exe | 100 [3]
PID 1424 wrote to memory of 2528 | 1424 | dllhost.exe | 102 [3]
PID 2528 wrote to memory of 4456 | 2528 | cmd.exe | 104 [3]
PID 1424 wrote to memory of 2708 | 1424 | dllhost.exe | 105 [3]
PID 2708 wrote to memory of 4780 | 2708 | cmd.exe | 107 [3]
PID 1424 wrote to memory of 3140 | 1424 | dllhost.exe | 108 [3]
PID 3140 wrote to memory of 4924 | 3140 | cmd.exe | 110 [3]
PID 1424 wrote to memory of 2128 | 1424 | dllhost.exe | 111 [3]
PID 2128 wrote to memory of 3692 | 2128 | cmd.exe | 113 [3]
PID 1424 wrote to memory of 2248 | 1424 | dllhost.exe | 114 [3]
PID 2248 wrote to memory of 116 | 2248 | cmd.exe | 116 [3]
Views/modifies file attributes 1 TTPs 1 IoCs
pid / Process:
4396 attrib.exe
Processes
1  C:\Users\Admin\AppData\Local\Temp\Aeonixx.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Aeonixx.exe"
   PID: 3140
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\AEONIX.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\AEONIX.EXE"
      PID: 4972
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\PAYLOAD.EXE
         Command line: "C:\Users\Admin\AppData\Local\Temp\PAYLOAD.EXE"
         PID: 1936
         - Checks computer location settings
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4  C:\Users\Admin\AppData\Local\Temp\dllhost.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
            PID: 1424
            - Drops startup file
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5  C:\Windows\SysWOW64\attrib.exe
               Command line: attrib +h "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
               PID: 4396
               - Views/modifies file attributes
            5  C:\Windows\SysWOW64\cmd.exe
               Command line: cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
               PID: 2528
               - Suspicious use of WriteProcessMemory
               6  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
                  PID: 4456
                  - Suspicious use of AdjustPrivilegeToken
            5  C:\Windows\SysWOW64\cmd.exe
               Command line: cmd /c sc query windefend
               PID: 2708
               - Suspicious use of WriteProcessMemory
               6  C:\Windows\SysWOW64\sc.exe
                  Command line: sc query windefend
                  PID: 4780
                  - Launches sc.exe
            5  C:\Windows\SysWOW64\cmd.exe
               Command line: cmd /c sc stop windefend
               PID: 3140
               - Suspicious use of WriteProcessMemory
               6  C:\Windows\SysWOW64\sc.exe
                  Command line: sc stop windefend
                  PID: 4924
                  - Launches sc.exe
            5  C:\Windows\SysWOW64\cmd.exe
               Command line: cmd /c sc delete windefend
               PID: 2128
               - Suspicious use of WriteProcessMemory
               6  C:\Windows\SysWOW64\sc.exe
                  Command line: sc delete windefend
                  PID: 3692
                  - Launches sc.exe
            5  C:\Windows\SysWOW64\cmd.exe
               Command line: cmd /c reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
               PID: 2248
               - Suspicious use of WriteProcessMemory
               6  C:\Windows\SysWOW64\reg.exe
                  Command line: reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                  PID: 116
                  - UAC bypass
                  - Modifies registry key
      3  C:\Users\Admin\AppData\Local\Temp\S.EXE
         Command line: "C:\Users\Admin\AppData\Local\Temp\S.EXE"
         PID: 4760
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c pause
            PID: 4748
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads
Filesize: 849KB
MD5: 0b7321cbbce655bb14c3737973936d8a
SHA1: 3fbedbf411835e0d54593ae2fe938679f2f5a858
SHA256: b13a4f5dc328fb50971d5579f8d32ca7af2b9cf5118999e033ff227242a04edd
SHA512: 82ee9dafd3948702da5eef1237270828257177f237115921b96d9d604901e0ce291d82562e20c3e0ad5473bd88615559fca2253a603c229f480b4fec746f4b34

Filesize: 54KB
MD5: dcc788ade743525d6922369a9b1cc1d9
SHA1: 4c100d13f4115f64bbdcc47ffb4f60d50ea9edde
SHA256: 1a82a1b8db2e35e967a2f463292337e08717251b3e836bf1ffa20815b25037c9
SHA512: 67faa32ffb6a426f2626384629ac75083da881f549efe7b42c4d3ad915d93e1f2b07a10d952d9b7079b21964f66a8e5c8adb9a9e5fe59040b4dc5a5447c4fb79

Filesize: 742KB
MD5: 3dbda3d47ec35af319228ebe3677e743
SHA1: 0c3033b7568875bb6041c8eaf7eefb065f2f138e
SHA256: 3d860b0b79377ea570b774977ac1d0976a5ce20c3a71ff67a9b91be84384fd9e
SHA512: 348f308e96400a4abf2f820ecfaff4c9bb3690b6a60cd1f0376913d0cf01af836a78c5df4af0d2fe95d0fa9186cbf6eefc1b2ef75c021b48572457ff273d9f74

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82