Analysis
max time kernel: 120s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/08/2024, 07:42
Behavioral tasks
behavioral1: sample 6d35ee202396f3c884f540485b431a20N.exe, resource win7-20240705-en
behavioral2: sample 6d35ee202396f3c884f540485b431a20N.exe, resource win10v2004-20240802-en
General
Target: 6d35ee202396f3c884f540485b431a20N.exe
Size: 33KB
MD5: 6d35ee202396f3c884f540485b431a20
SHA1: a115ec49fece8efda40c2c7910eb17ec953c5d82
SHA256: 229849741b475b4aa52d42c61e8e11b580d36695cf190843ec2ab46f8351dfc5
SHA512: e1ccbf974d7d6f6aedccd73f00ddc1a835b3ac2fdb73fb12ed53b21f665cbfc26c6302354cd284e4f16931883c703a797c3ed2f783a87d49c4add1fb8b2e02e9
SSDEEP: 768:tQbuQRy2UjmUndnlTttxDn+3jiSkjRY6AB7kKfYoJ+ifBEewzKOm:QuQRylaUDTDxDXjy6AB7koYy2Tm
Malware Config
Signatures
Windows security bypass (4 IoCs)
description      process               ioc
Set value (int)  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064"
Set value (int)  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064"
Set value (int)  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064"
Set value (int)  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064"
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description      process               ioc
Key created      eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50564D4E-5544-5644-5056-4D4E55445644}
Set value (str)  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50564D4E-5544-5644-5056-4D4E55445644}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"
Set value (int)  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50564D4E-5544-5644-5056-4D4E55445644}\IsInstalled = "1"
Set value (str)  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50564D4E-5544-5644-5056-4D4E55445644}\StubPath = "C:\\Windows\\system32\\idmeagat-acum.exe"
Event Triggered Execution: Image File Execution Options Injection (1 TTP, 3 IoCs)
description      process               ioc
Key created      eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Set value (str)  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"
Set value (str)  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\attoseav.exe"
Executes dropped EXE (2 IoCs)
pid   process
4920  eakmoodoab-ourac.exe
1776  eakmoodoab-ourac.exe
UPX packed file (yara rule upx, 5 IoCs)
resource                                                                 yara_rule
behavioral2/memory/3116-0-0x0000000000400000-0x0000000000417000-memory.dmp   upx
behavioral2/files/0x0009000000023419-5.dat                                   upx
behavioral2/memory/3116-6-0x0000000000400000-0x0000000000417000-memory.dmp   upx
behavioral2/memory/1776-17-0x0000000000400000-0x0000000000417000-memory.dmp  upx
behavioral2/memory/4920-51-0x0000000000400000-0x0000000000417000-memory.dmp  upx
Windows security modification (4 IoCs)
description      process               ioc
Set value (int)  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064"
Set value (int)  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064"
Set value (int)  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064"
Set value (int)  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064"
Indicator Removal: Clear Persistence (1 IoC)
description   process               ioc
Delete value  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger
Modifies WinLogon (2 TTPs, 5 IoCs)
description      process               ioc
Key created      eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}
Key created      eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Set value (str)  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"
Set value (str)  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\esteroag-ecoab.dll"
Set value (str)  eakmoodoab-ourac.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"
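The registry signatures above (Windows security bypass, Active Setup, IFEO Debugger, Modifies WinLogon, Indicator Removal) are worth re-deriving from the raw Set value / Delete value events rather than taking the sandbox labels on trust. The Python below is an added example, not Triage's code: it feeds the report's own registry events (constructed here as a list, paths and values quoted from the tables above) through a small rule set written for this page, folds the WOW6432Node view into the logical key, maps each hit to its ATT&CK technique, and correlates the later Delete value of the IFEO Debugger entry with the earlier Set so the clear-persistence step lands on the same finding. The rule set, the heuristic for the oversized digit-only value names, and the Finding type are the editor's assumptions.

```python
"""Re-derive the registry findings of this report from its raw Set value / Delete value events.

Added example, not Triage code. EVENTS is constructed from the signature tables
(paths and values quoted from the report); RULES, the oversized-name heuristic
and the Finding type are the editor's own."""
import re
from dataclasses import dataclass
from typing import Optional

# (operation, ioc exactly as the report prints it, process)
EVENTS = [
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064"', "eakmoodoab-ourac.exe"),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064"', "eakmoodoab-ourac.exe"),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064"', "eakmoodoab-ourac.exe"),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064"', "eakmoodoab-ourac.exe"),
    ("Key created", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50564D4E-5544-5644-5056-4D4E55445644}', "eakmoodoab-ourac.exe"),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50564D4E-5544-5644-5056-4D4E55445644}\IsInstalled = "1"', "eakmoodoab-ourac.exe"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50564D4E-5544-5644-5056-4D4E55445644}\StubPath = "C:\\Windows\\system32\\idmeagat-acum.exe"', "eakmoodoab-ourac.exe"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\attoseav.exe"', "eakmoodoab-ourac.exe"),
    # The report's digit-run value name beside Debugger, rebuilt here as a 150-digit run of the same shape.
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe' + "\\" + "0123456789" * 15 + ' = "a"', "eakmoodoab-ourac.exe"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\esteroag-ecoab.dll"', "eakmoodoab-ourac.exe"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"', "eakmoodoab-ourac.exe"),
    ("Delete value", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger', "eakmoodoab-ourac.exe"),
]

# (key pattern, value-name pattern, ATT&CK id, title); matched case-insensitively on the normalised key.
RULES = [
    (r"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\[^\\]+", r"Debugger", "T1546.012", "IFEO Debugger hijack"),
    (r"HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\\{[^}]+\}", r"StubPath", "T1547.014", "Active Setup StubPath"),
    (r"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\[^\\]+", r"DLLName", "T1547.004", "Winlogon Notify DLL"),
    (r"HKLM\\SOFTWARE\\Microsoft\\Security Center", r"AntiVirusOverride|AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify", "T1562.001", "Security Center override/notification tampering"),
]
VALUE_RE = re.compile(r'^(?P<path>.*?) = "(?P<value>.*)"$')


@dataclass
class Finding:
    technique: str
    title: str
    key: str
    name: str
    value: Optional[str]
    process: str
    removed: bool = False   # set and then deleted in the same run: T1070.009 Clear Persistence


def parse(op, ioc):
    """Split one report line into (normalised key, value name, value)."""
    m = VALUE_RE.match(ioc)
    path = m.group("path") if m else ioc
    value = m.group("value").replace("\\\\", "\\") if m else None   # the report doubles backslashes inside string values
    path = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\").replace("WOW6432Node\\", "")   # 32-bit view of the same logical key
    if op == "Key created":
        return path, "", None
    key, _, name = path.rpartition("\\")
    return key, name, value


def triage(events):
    """Return one Finding per rule hit, with removed=True when a later Delete value undid it."""
    findings = []
    for op, ioc, proc in events:
        key, name, value = parse(op, ioc)
        if op.startswith("Set value"):
            for key_re, name_re, tid, title in RULES:
                if re.fullmatch(key_re, key, re.I) and re.fullmatch(name_re, name, re.I):
                    findings.append(Finding(tid, title, key, name, value, proc))
            if len(name) > 64 and name.isdigit():   # editor's heuristic for the junk names in this report
                findings.append(Finding("heuristic", "oversized digit-only value name beside a persistence value", key, name, value, proc))
        elif op == "Delete value":
            for f in findings:
                if (f.key.lower(), f.name.lower()) == (key.lower(), name.lower()):
                    f.removed = True
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        flag = " [deleted again later: T1070.009]" if f.removed else ""
        print(f"{f.technique:10} {f.title}: {f.key}\\{f.name} = {f.value!r} ({f.process}){flag}")
```

Run as a script it prints eight findings: the four Security Center values, the Active Setup StubPath, the Winlogon DLLName, the IFEO Debugger (flagged as deleted again), and the digit-run name. Key paths are compared after stripping WOW6432Node so the same rule covers a 32-bit and a 64-bit writer; note the IFEO key in the report has no WOW6432Node component at all.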
Drops file in System32 directory (17 IoCs)
description                   process                                ioc
File opened for modification  eakmoodoab-ourac.exe                   C:\Windows\SysWOW64\eakmoodoab-ourac.exe
File created                  6d35ee202396f3c884f540485b431a20N.exe  C:\Windows\SysWOW64\eakmoodoab-ourac.exe
File opened for modification  eakmoodoab-ourac.exe                   C:\Windows\SysWOW64\attoseav.exe
File opened for modification  eakmoodoab-ourac.exe                   C:\Windows\SysWOW64\idmeagat-acum.exe
File opened for modification  eakmoodoab-ourac.exe                   C:\Windows\SysWOW64\rmass.exe
File opened for modification  eakmoodoab-ourac.exe                   C:\Windows\SysWOW64\idbg32.exe
File created                  eakmoodoab-ourac.exe                   C:\Windows\SysWOW64\idmeagat-acum.exe
File created                  eakmoodoab-ourac.exe                   C:\Windows\SysWOW64\esteroag-ecoab.dll
File opened for modification  eakmoodoab-ourac.exe                   C:\Windows\SysWOW64\ahuy.exe
File opened for modification  eakmoodoab-ourac.exe                   C:\Windows\SysWOW64\gymspzd.dll
File created                  eakmoodoab-ourac.exe                   C:\Windows\SysWOW64\attoseav.exe
File opened for modification  eakmoodoab-ourac.exe                   C:\Windows\SysWOW64\ntdbg.exe
File opened for modification  6d35ee202396f3c884f540485b431a20N.exe  C:\Windows\SysWOW64\eakmoodoab-ourac.exe
File opened for modification  eakmoodoab-ourac.exe                   C:\Windows\SysWOW64\esteroag-ecoab.dll
File opened for modification  eakmoodoab-ourac.exe                   C:\Windows\SysWOW64\winrnt.exe
File opened for modification  eakmoodoab-ourac.exe                   C:\Windows\SysWOW64\aset32.exe
File opened for modification  eakmoodoab-ourac.exe                   C:\Windows\SysWOW64\RECOVER32.DLL
Drops file in Program Files directory (8 IoCs)
description                   process               ioc
File opened for modification  eakmoodoab-ourac.exe  C:\Program Files (x86)\Common Files\System\winrnt.exe
File opened for modification  eakmoodoab-ourac.exe  C:\Program Files (x86)\Common Files\System\rmass.exe
File opened for modification  eakmoodoab-ourac.exe  C:\Program Files (x86)\Common Files\System\aset32.exe
File opened for modification  eakmoodoab-ourac.exe  C:\Program Files (x86)\Common Files\System\ahuy.exe
File opened for modification  eakmoodoab-ourac.exe  C:\Program Files (x86)\Common Files\System\idbg32.exe
File opened for modification  eakmoodoab-ourac.exe  C:\Program Files (x86)\Common Files\System\ntdbg.exe
File opened for modification  eakmoodoab-ourac.exe  C:\Program Files (x86)\Common Files\System\RECOVER32.DLL
File opened for modification  eakmoodoab-ourac.exe  C:\Program Files (x86)\Common Files\System\gymspzd.dll
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  process                                ioc
Key opened   6d35ee202396f3c884f540485b431a20N.exe  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened   eakmoodoab-ourac.exe                   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened   eakmoodoab-ourac.exe                   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The report lists one identical row per event; collapsed here with counts.
pid   process               events
4920  eakmoodoab-ourac.exe  62
1776  eakmoodoab-ourac.exe  2
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   process
Token: SeDebugPrivilege  3116  6d35ee202396f3c884f540485b431a20N.exe
Token: SeDebugPrivilege  4920  eakmoodoab-ourac.exe
Suspicious use of WriteProcessMemory (64 IoCs)
The report lists one row per write ("PID <writer> wrote to memory of <target> <writer> <writer image> <target id>"); the rows differ only in target, so they are collapsed here with counts. Target image names are taken from the Processes section. 64 rows is the most the report shows for one signature.
writer pid  writer process                         target pid  target process        report target id  writes
3116        6d35ee202396f3c884f540485b431a20N.exe  4920        eakmoodoab-ourac.exe  83                3
4920        eakmoodoab-ourac.exe                   1776        eakmoodoab-ourac.exe  84                3
4920        eakmoodoab-ourac.exe                   616         winlogon.exe          5                 1
4920        eakmoodoab-ourac.exe                   3524        Explorer.EXE          56                57
Processes
Indented by parent. The report runs the image path and the command line together on one line; they are separated here.

C:\Windows\system32\winlogon.exe
    command line: winlogon.exe
    PID 616 (pre-existing system process; listed because PID 4920 wrote to its memory)
C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID 3524 (pre-existing system process; listed because PID 4920 wrote to its memory)
C:\Users\Admin\AppData\Local\Temp\6d35ee202396f3c884f540485b431a20N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\6d35ee202396f3c884f540485b431a20N.exe"
    PID 3116
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\eakmoodoab-ourac.exe
        command line: "C:\Windows\system32\eakmoodoab-ourac.exe"
        PID 4920 (child of 3116)
        - Windows security bypass
        - Boot or Logon Autostart Execution: Active Setup
        - Event Triggered Execution: Image File Execution Options Injection
        - Executes dropped EXE
        - Windows security modification
        - Indicator Removal: Clear Persistence
        - Modifies WinLogon
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\eakmoodoab-ourac.exe
            command line: --k33p (as the report shows it, following the image path)
            PID 1776 (child of 4920)
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

Path note: every file the dropper creates lands in C:\Windows\SysWOW64\ (see Drops file in System32 directory), while every registry value it sets points at C:\Windows\system32\ (StubPath, Debugger, DLLName) and PID 4920 was launched with a system32 command line. The sample is 32-bit (resource tag arch:x86; its keys land under WOW6432Node), so inside its own processes WOW64 file-system redirection makes system32 and SysWOW64 the same directory. A 64-bit reader of those values gets no such redirection: Image File Execution Options is a shared key (no WOW6432Node copy, as the table shows), and a 64-bit process resolving C:\Windows\system32\attoseav.exe reaches the real 64-bit directory, where nothing was dropped. In this run the Debugger value was deleted again later by the same process (Indicator Removal: Clear Persistence).
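The WriteProcessMemory table and the process tree together tell a different story from the raw count of 64 writes: three writes into a just-created child are ordinary process start-up, while 57 writes into a pre-existing Explorer.EXE and one into SYSTEM-owned winlogon.exe, from a process that has just enabled SeDebugPrivilege, are injection. The Python below is an added example, not Triage's code: it parses lines in the report's own row format (constructed here; the 4920 -> 3524 row is repeated 57 times rather than pasted), joins them with the process tree and the AdjustPrivilegeToken table above, and ranks each writer/target pair. The parent map, SESSION_HOSTS list, severity scoring and WriteFinding type are the editor's assumptions.

```python
"""Rank the WriteProcessMemory events of this report by who writes into whom.

Added example, not Triage code. PROCESSES, SEDEBUG and LINES are constructed
from the report's process tree, AdjustPrivilegeToken and WriteProcessMemory
tables; the relation/severity scoring is the editor's own heuristic."""
import re
from collections import Counter
from dataclasses import dataclass

# pid -> (image name, parent pid); None = already running before the sample started
PROCESSES = {
    616: ("winlogon.exe", None),
    3524: ("Explorer.EXE", None),
    3116: ("6d35ee202396f3c884f540485b431a20N.exe", None),   # the submitted sample
    4920: ("eakmoodoab-ourac.exe", 3116),
    1776: ("eakmoodoab-ourac.exe", 4920),
}
SEDEBUG = {3116, 4920}   # processes that enabled SeDebugPrivilege (AdjustPrivilegeToken table)

# Rows in the report's format: "PID <writer> wrote to memory of <target> <writer> <image> <target id>"
LINES = (
    ["PID 3116 wrote to memory of 4920 3116 6d35ee202396f3c884f540485b431a20N.exe 83"] * 3
    + ["PID 4920 wrote to memory of 1776 4920 eakmoodoab-ourac.exe 84"] * 3
    + ["PID 4920 wrote to memory of 616 4920 eakmoodoab-ourac.exe 5"]
    + ["PID 4920 wrote to memory of 3524 4920 eakmoodoab-ourac.exe 56"] * 57
)
LINE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")

# Long-lived per-session processes that malware injects into; names taken from this report's tree.
SESSION_HOSTS = {"explorer.exe", "winlogon.exe"}


@dataclass
class WriteFinding:
    src: int
    dst: int
    src_name: str
    dst_name: str
    writes: int
    relation: str
    severity: str


def relation(src, dst):
    """'child' when the writer created the target, otherwise 'unrelated' (target pre-dates the writer)."""
    return "child" if PROCESSES[dst][1] == src else "unrelated"


def score(rel, dst_name, writes, src):
    if rel == "child":
        # A few writes at CreateProcess time are normal; many writes into a fresh child is what hollowing looks like.
        return "low" if writes <= 3 else "medium"
    if dst_name.lower() in SESSION_HOSTS:
        # Writing into a process the sample does not own needs PROCESS_VM_WRITE on it; SeDebugPrivilege is
        # what lets an administrator's process open SYSTEM-owned winlogon.exe.
        return "high" if src in SEDEBUG else "medium"
    return "medium"


def analyse(lines):
    """Collapse the rows per (writer, target) and return findings, highest severity first."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        counts[(int(m.group(1)), int(m.group(2)))] += 1
    out = []
    for (src, dst), n in counts.items():
        rel = relation(src, dst)
        dst_name = PROCESSES[dst][0]
        out.append(WriteFinding(src, dst, PROCESSES[src][0], dst_name, n, rel, score(rel, dst_name, n, src)))
    return sorted(out, key=lambda f: ("low", "medium", "high").index(f.severity), reverse=True)


if __name__ == "__main__":
    for f in analyse(LINES):
        print(f"{f.severity:6} {f.src_name}({f.src}) -> {f.dst_name}({f.dst}) x{f.writes} [{f.relation}]")
```

The same join works on EDR telemetry: keep a parent map from process-creation events, and treat a write into a process the writer did not create as the signal, with SeDebugPrivilege on the writer as the escalation factor. The severity labels are a starting point for a rule, not a verdict.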
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (T1547): 2
        Active Setup (T1547.014): 1
        Winlogon Helper DLL (T1547.004): 1
    Event Triggered Execution (T1546): 1
        Image File Execution Options Injection (T1546.012): 1
Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 2
        Active Setup (T1547.014): 1
        Winlogon Helper DLL (T1547.004): 1
    Event Triggered Execution (T1546): 1
        Image File Execution Options Injection (T1546.012): 1
Downloads
File 1
    Filesize: 36KB
    MD5: f865007ff94eb325dcd0645e51eedc23
    SHA1: 4c3256b830714d0248a41c89804b5819b6efd3f5
    SHA256: b8579743347da57d8c45d88bf74fd5812c455ccef3744816bc28a7de1bcc22c8
    SHA512: 0eb4232434413b7382531ae1f261ab33a6e1032c714ad13afe066a42414a5e762dc333631042f62d8329ec9751022b28b7e8b9508c669a219acf6fa265fd20f6
File 2 (same hashes as the submitted sample)
    Filesize: 33KB
    MD5: 6d35ee202396f3c884f540485b431a20
    SHA1: a115ec49fece8efda40c2c7910eb17ec953c5d82
    SHA256: 229849741b475b4aa52d42c61e8e11b580d36695cf190843ec2ab46f8351dfc5
    SHA512: e1ccbf974d7d6f6aedccd73f00ddc1a835b3ac2fdb73fb12ed53b21f665cbfc26c6302354cd284e4f16931883c703a797c3ed2f783a87d49c4add1fb8b2e02e9
File 3
    Filesize: 5KB
    MD5: c8521a5fdd1c9387d536f599d850b195
    SHA1: a543080665107b7e32bcc1ed19dbfbc1d2931356
    SHA256: fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5
    SHA512: 541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd
File 4
    Filesize: 35KB
    MD5: f0c6ef855c32c59ccea2037becac8978
    SHA1: 454b2858597c487dfae38ef057f31e28f266da16
    SHA256: 84f45c20a8553e6ee99cc7e4cac959cac9c96fe0bac65aadafaf30f5d0fb4b32
    SHA512: cc31cbbe394f7cf85191f763cd90331021fe2fe12c3bc40a3fd74ab344e74ada5d9b41ac62015b13c687d9d753c4843fc035c2dd1fa16f661505ffaaf1b6e269