65cbe05262f0bc82bef3c01d7b3afd6847223b00f9142163111db350bff19514

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b39b519091371242a1e278e584f04d70N.exe
Size

71KB
MD5

b39b519091371242a1e278e584f04d70
SHA1

23971b7aad8b8f4d4a8ecafa6ba34065eda1868e
SHA256

65cbe05262f0bc82bef3c01d7b3afd6847223b00f9142163111db350bff19514
SHA512

facf82b6f5091d0daedddcf885e75713febba88b442a03d680fc19d327fc5ff321622dfde3c2e35e4a5f6fcc2a58a5c388e6f444d4b185eedad2cc0c94f65c82
SSDEEP

768:x/nh3pSzouGbBcDZBCtfefzXDDDvFKEWSrVkr93k977l89NSMwu:xZ3pSzMzwXXD9KErrGnqu

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	easfikoop-oxoab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	easfikoop-oxoab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	easfikoop-oxoab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	easfikoop-oxoab.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D475757-4159-594e-4D47-57574159594e}\StubPath = "C:\\Windows\\system32\\eahxamoam.exe"	easfikoop-oxoab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D475757-4159-594e-4D47-57574159594e}	easfikoop-oxoab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D475757-4159-594e-4D47-57574159594e}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	easfikoop-oxoab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D475757-4159-594e-4D47-57574159594e}\IsInstalled = "1"	easfikoop-oxoab.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	easfikoop-oxoab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	easfikoop-oxoab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\iflimooh-odoot.exe"	easfikoop-oxoab.exe

Executes dropped EXE 2 IoCs

pid	Process
2352	easfikoop-oxoab.exe
2512	easfikoop-oxoab.exe

Loads dropped DLL 3 IoCs

pid	Process
1640	b39b519091371242a1e278e584f04d70N.exe
1640	b39b519091371242a1e278e584f04d70N.exe
2352	easfikoop-oxoab.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	easfikoop-oxoab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	easfikoop-oxoab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	easfikoop-oxoab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	easfikoop-oxoab.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	easfikoop-oxoab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	easfikoop-oxoab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	easfikoop-oxoab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eaptoonoar.dll"	easfikoop-oxoab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	easfikoop-oxoab.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\eahxamoam.exe	easfikoop-oxoab.exe
File opened for modification	C:\Windows\SysWOW64\easfikoop-oxoab.exe	easfikoop-oxoab.exe
File opened for modification	C:\Windows\SysWOW64\eaptoonoar.dll	easfikoop-oxoab.exe
File created	C:\Windows\SysWOW64\eaptoonoar.dll	easfikoop-oxoab.exe
File opened for modification	C:\Windows\SysWOW64\easfikoop-oxoab.exe	b39b519091371242a1e278e584f04d70N.exe
File created	C:\Windows\SysWOW64\easfikoop-oxoab.exe	b39b519091371242a1e278e584f04d70N.exe
File opened for modification	C:\Windows\SysWOW64\iflimooh-odoot.exe	easfikoop-oxoab.exe
File created	C:\Windows\SysWOW64\iflimooh-odoot.exe	easfikoop-oxoab.exe
File created	C:\Windows\SysWOW64\eahxamoam.exe	easfikoop-oxoab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2512	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe
2352	easfikoop-oxoab.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	easfikoop-oxoab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2352	1640	b39b519091371242a1e278e584f04d70N.exe	30
PID 1640 wrote to memory of 2352	1640	b39b519091371242a1e278e584f04d70N.exe	30
PID 1640 wrote to memory of 2352	1640	b39b519091371242a1e278e584f04d70N.exe	30
PID 1640 wrote to memory of 2352	1640	b39b519091371242a1e278e584f04d70N.exe	30
PID 2352 wrote to memory of 432	2352	easfikoop-oxoab.exe	5
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 2512	2352	easfikoop-oxoab.exe	31
PID 2352 wrote to memory of 2512	2352	easfikoop-oxoab.exe	31
PID 2352 wrote to memory of 2512	2352	easfikoop-oxoab.exe	31
PID 2352 wrote to memory of 2512	2352	easfikoop-oxoab.exe	31
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20
PID 2352 wrote to memory of 1136	2352	easfikoop-oxoab.exe	20

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\b39b519091371242a1e278e584f04d70N.exe
  "C:\Users\Admin\AppData\Local\Temp\b39b519091371242a1e278e584f04d70N.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\easfikoop-oxoab.exe
    "C:\Windows\SysWOW64\easfikoop-oxoab.exe"
    3⤵
    - Windows security bypass
    - Boot or Logon Autostart Execution: Active Setup
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\easfikoop-oxoab.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\eahxamoam.exe

Filesize
71KB

MD5
4c4f0910877af4937180988f9d584720

SHA1
6f7251d2c711a1b20c39b4fbed669be078245a7d

SHA256
38a64d0c5a672a4006e681f635416c997b01d3f767073f8c2367508e868ada0e

SHA512
217a51f962e82c9a460bf5796d3139ca3302e71d73625b237b17acfdf118395ed15dcd347464cd790fad39f159bf5d5aafe3186ee463a514ea082466fd9b2ddf

Download Submit
C:\Windows\SysWOW64\eaptoonoar.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\iflimooh-odoot.exe

Filesize
72KB

MD5
41bd96d3985434a9ff0b8845ac253529

SHA1
58feb19902c705ec5f9c09587a238d2b831f602a

SHA256
d6264d5d725d95b6ca22c99072a8dcd0675f6b65f5f08c8bdc383d3870d55038

SHA512
dcfee1db19e97484ac1d63476f964ec1bac6349ce0feff8dfb36232826c04c7dde594540548aa5b0c8546d650d6e98cbd434f050f39a5d744d669e66588211e8

Download Submit
\Windows\SysWOW64\easfikoop-oxoab.exe

Filesize
68KB

MD5
c844d4863c79a0adfd8584baa4eab3ef

SHA1
91a15d0ba18550db7957f27266c82236521a3a1b

SHA256
b3e2ff18167c04b94cb05502e2cecd168369bf00e3422fa76c4cfb2c54458502

SHA512
67db903afe529e22f76e4a6118c37598fd19cc72ccf37b34c33a16b67d8af098810437790a874127faaeb7c120f4030d3fb432a1ad8feda0c993d77a47d8da1b

Download Submit
memory/1640-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2352-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2512-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download