65cbe05262f0bc82bef3c01d7b3afd6847223b00f9142163111db350bff19514

Analysis

max time kernel
120s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b39b519091371242a1e278e584f04d70N.exe
Size

71KB
MD5

b39b519091371242a1e278e584f04d70
SHA1

23971b7aad8b8f4d4a8ecafa6ba34065eda1868e
SHA256

65cbe05262f0bc82bef3c01d7b3afd6847223b00f9142163111db350bff19514
SHA512

facf82b6f5091d0daedddcf885e75713febba88b442a03d680fc19d327fc5ff321622dfde3c2e35e4a5f6fcc2a58a5c388e6f444d4b185eedad2cc0c94f65c82
SSDEEP

768:x/nh3pSzouGbBcDZBCtfefzXDDDvFKEWSrVkr93k977l89NSMwu:xZ3pSzMzwXXD9KErrGnqu

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	easfikoop-oxoab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	easfikoop-oxoab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	easfikoop-oxoab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	easfikoop-oxoab.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50544D59-5046-5456-5054-4D5950465456}\IsInstalled = "1"	easfikoop-oxoab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50544D59-5046-5456-5054-4D5950465456}\StubPath = "C:\\Windows\\system32\\eahxamoam.exe"	easfikoop-oxoab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50544D59-5046-5456-5054-4D5950465456}	easfikoop-oxoab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50544D59-5046-5456-5054-4D5950465456}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	easfikoop-oxoab.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	easfikoop-oxoab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\iflimooh-odoot.exe"	easfikoop-oxoab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	easfikoop-oxoab.exe

Executes dropped EXE 2 IoCs

pid	Process
1828	easfikoop-oxoab.exe
3932	easfikoop-oxoab.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	easfikoop-oxoab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	easfikoop-oxoab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	easfikoop-oxoab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	easfikoop-oxoab.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	easfikoop-oxoab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	easfikoop-oxoab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eaptoonoar.dll"	easfikoop-oxoab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	easfikoop-oxoab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	easfikoop-oxoab.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\iflimooh-odoot.exe	easfikoop-oxoab.exe
File opened for modification	C:\Windows\SysWOW64\eaptoonoar.dll	easfikoop-oxoab.exe
File created	C:\Windows\SysWOW64\eaptoonoar.dll	easfikoop-oxoab.exe
File opened for modification	C:\Windows\SysWOW64\easfikoop-oxoab.exe	easfikoop-oxoab.exe
File opened for modification	C:\Windows\SysWOW64\easfikoop-oxoab.exe	b39b519091371242a1e278e584f04d70N.exe
File created	C:\Windows\SysWOW64\easfikoop-oxoab.exe	b39b519091371242a1e278e584f04d70N.exe
File opened for modification	C:\Windows\SysWOW64\iflimooh-odoot.exe	easfikoop-oxoab.exe
File opened for modification	C:\Windows\SysWOW64\eahxamoam.exe	easfikoop-oxoab.exe
File created	C:\Windows\SysWOW64\eahxamoam.exe	easfikoop-oxoab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
3932	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
3932	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe
1828	easfikoop-oxoab.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1828	easfikoop-oxoab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 1828	708	b39b519091371242a1e278e584f04d70N.exe	84
PID 708 wrote to memory of 1828	708	b39b519091371242a1e278e584f04d70N.exe	84
PID 708 wrote to memory of 1828	708	b39b519091371242a1e278e584f04d70N.exe	84
PID 1828 wrote to memory of 3932	1828	easfikoop-oxoab.exe	85
PID 1828 wrote to memory of 3932	1828	easfikoop-oxoab.exe	85
PID 1828 wrote to memory of 3932	1828	easfikoop-oxoab.exe	85
PID 1828 wrote to memory of 608	1828	easfikoop-oxoab.exe	5
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56
PID 1828 wrote to memory of 3420	1828	easfikoop-oxoab.exe	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\b39b519091371242a1e278e584f04d70N.exe
  "C:\Users\Admin\AppData\Local\Temp\b39b519091371242a1e278e584f04d70N.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Windows\SysWOW64\easfikoop-oxoab.exe
    "C:\Windows\SysWOW64\easfikoop-oxoab.exe"
    3⤵
    - Windows security bypass
    - Boot or Logon Autostart Execution: Active Setup
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\SysWOW64\easfikoop-oxoab.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\eahxamoam.exe

Filesize
71KB

MD5
6c58e5467e80cd051d2e4585e235eba4

SHA1
21ffa7b1f3f30a516fda6b09856f2968bd71011a

SHA256
a38bdccbddd057bc66cc0a93151d2d54d53204a04fd762022be2f708d77a928d

SHA512
61884e828079bddbf6009fe378735e870c4ebd8c14b45f14b30c90cb4a968bc1c8b883c418c4bcd61c03797020092fd6142c4c35ca93787d3c819f75ac4d2344

Download Submit
C:\Windows\SysWOW64\eaptoonoar.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\easfikoop-oxoab.exe

Filesize
68KB

MD5
c844d4863c79a0adfd8584baa4eab3ef

SHA1
91a15d0ba18550db7957f27266c82236521a3a1b

SHA256
b3e2ff18167c04b94cb05502e2cecd168369bf00e3422fa76c4cfb2c54458502

SHA512
67db903afe529e22f76e4a6118c37598fd19cc72ccf37b34c33a16b67d8af098810437790a874127faaeb7c120f4030d3fb432a1ad8feda0c993d77a47d8da1b

Download Submit
C:\Windows\SysWOW64\iflimooh-odoot.exe

Filesize
72KB

MD5
5f8bdb046ef6ba158753629e88df9c3e

SHA1
1021ef079daf02748238a0828330b7dc0d59211f

SHA256
65158da910c2a3ba0baedf9ff9141aebe967e18b03b8dcdcdd12c36a04c1982c

SHA512
707dd3254bd077127fb482136d3fa70f6e1b772f2c5ce63388e40cbf24ba01074b3f6da3d6ccbbb5fe582a2cf4086fd8ab16d404068f9b50660506a23e5a059d

Download Submit
memory/708-4-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1828-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3932-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download