11135994ccc3afc4ec6d0a7e6630d1ded6d35313a76f84443a71fa9f8f04c08f

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11135994ccc3afc4ec6d0a7e6630d1ded6d35313a76f84443a71fa9f8f04c08f.exe
Size

89KB
MD5

4dee775588f5a0e8edd80f76f1066ab5
SHA1

d95480d6b98c417a328d1ceb7d076c2b4b7237a2
SHA256

11135994ccc3afc4ec6d0a7e6630d1ded6d35313a76f84443a71fa9f8f04c08f
SHA512

4020d87938fc11e9ad792a65bce08f722ba6455d7bf8afbeccb6b44897553af9b1300bf00753c342b7fadb9be6b6263ab4fe9b9774fa9c37f8df08d31e880022
SSDEEP

768:eLxqBt1sJw5pVNUP1/kvtbWcpmCKXSkXDlXvqL/OSBw7N4foYGpFdSEL8DhPZZ6F:BteqGDlXvCDB04f5Gn/L8NRel1VwY4EV

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2104	eargamut-idoas.exe
1984	eargamut-idoas.exe

Loads dropped DLL 3 IoCs

pid	Process
328	11135994ccc3afc4ec6d0a7e6630d1ded6d35313a76f84443a71fa9f8f04c08f.exe
328	11135994ccc3afc4ec6d0a7e6630d1ded6d35313a76f84443a71fa9f8f04c08f.exe
2104	eargamut-idoas.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	eargamut-idoas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	eargamut-idoas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	eargamut-idoas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\avpeafih.dll"	eargamut-idoas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	eargamut-idoas.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\eargamut-idoas.exe	11135994ccc3afc4ec6d0a7e6630d1ded6d35313a76f84443a71fa9f8f04c08f.exe
File created	C:\Windows\SysWOW64\eargamut-idoas.exe	11135994ccc3afc4ec6d0a7e6630d1ded6d35313a76f84443a71fa9f8f04c08f.exe
File opened for modification	C:\Windows\SysWOW64\avpeafih.dll	eargamut-idoas.exe
File created	C:\Windows\SysWOW64\avpeafih.dll	eargamut-idoas.exe
File opened for modification	C:\Windows\SysWOW64\eargamut-idoas.exe	eargamut-idoas.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11135994ccc3afc4ec6d0a7e6630d1ded6d35313a76f84443a71fa9f8f04c08f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eargamut-idoas.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
1984	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe
2104	eargamut-idoas.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	328	11135994ccc3afc4ec6d0a7e6630d1ded6d35313a76f84443a71fa9f8f04c08f.exe
Token: SeDebugPrivilege	2104	eargamut-idoas.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 2104	328	11135994ccc3afc4ec6d0a7e6630d1ded6d35313a76f84443a71fa9f8f04c08f.exe	30
PID 328 wrote to memory of 2104	328	11135994ccc3afc4ec6d0a7e6630d1ded6d35313a76f84443a71fa9f8f04c08f.exe	30
PID 328 wrote to memory of 2104	328	11135994ccc3afc4ec6d0a7e6630d1ded6d35313a76f84443a71fa9f8f04c08f.exe	30
PID 328 wrote to memory of 2104	328	11135994ccc3afc4ec6d0a7e6630d1ded6d35313a76f84443a71fa9f8f04c08f.exe	30
PID 2104 wrote to memory of 1984	2104	eargamut-idoas.exe	31
PID 2104 wrote to memory of 1984	2104	eargamut-idoas.exe	31
PID 2104 wrote to memory of 1984	2104	eargamut-idoas.exe	31
PID 2104 wrote to memory of 1984	2104	eargamut-idoas.exe	31

C:\Users\Admin\AppData\Local\Temp\11135994ccc3afc4ec6d0a7e6630d1ded6d35313a76f84443a71fa9f8f04c08f.exe
"C:\Users\Admin\AppData\Local\Temp\11135994ccc3afc4ec6d0a7e6630d1ded6d35313a76f84443a71fa9f8f04c08f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\SysWOW64\eargamut-idoas.exe
  "C:\Windows\system32\eargamut-idoas.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\eargamut-idoas.exe
    ùù¿çç¤
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\avpeafih.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\eargamut-idoas.exe

Filesize
89KB

MD5
4dee775588f5a0e8edd80f76f1066ab5

SHA1
d95480d6b98c417a328d1ceb7d076c2b4b7237a2

SHA256
11135994ccc3afc4ec6d0a7e6630d1ded6d35313a76f84443a71fa9f8f04c08f

SHA512
4020d87938fc11e9ad792a65bce08f722ba6455d7bf8afbeccb6b44897553af9b1300bf00753c342b7fadb9be6b6263ab4fe9b9774fa9c37f8df08d31e880022

Download Submit
memory/328-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1984-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2104-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download