Analysis
max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted
25/09/2024, 22:13
Behavioral task
behavioral1
Sample
64e88eb34df6a06ab42158005be3f292a4fe8a78b8f1c4ee0e32c849ade8a037.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
64e88eb34df6a06ab42158005be3f292a4fe8a78b8f1c4ee0e32c849ade8a037.exe
Resource
win10v2004-20240802-en
General
Target
64e88eb34df6a06ab42158005be3f292a4fe8a78b8f1c4ee0e32c849ade8a037.exe
Size
34KB
MD5
fb49b57c093014a496d7e40ab1a96383
SHA1
3ccb31611b8e80b5b76ca9b315d330c9910a4052
SHA256
64e88eb34df6a06ab42158005be3f292a4fe8a78b8f1c4ee0e32c849ade8a037
SHA512
277cdaec9630f6a55d09c5a0a3a6722e467eadabed69fe95868ebda6c33fa9d6b39dce46a37d6b20e5efde766d89f9e0e665d53f626cc13dc1da1655e070f0a1
SSDEEP
768:tQbuQRy2UjmUndnlTttxDn+3jiSkjRY6AB7kKfYoJ+ifBEewzKO5C:QuQRylaUDTDxDXjy6AB7koYy2To
Malware Config
Signatures

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" | ountahoat-oufex.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" | ountahoat-oufex.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" | ountahoat-oufex.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" | ountahoat-oufex.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53594D52-4b43-4355-5359-4D524B434355} | ountahoat-oufex.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53594D52-4b43-4355-5359-4D524B434355}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | ountahoat-oufex.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53594D52-4b43-4355-5359-4D524B434355}\IsInstalled = "1" | ountahoat-oufex.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53594D52-4b43-4355-5359-4D524B434355}\StubPath = "C:\\Windows\\system32\\inleadar-udex.exe" | ountahoat-oufex.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | ountahoat-oufex.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | ountahoat-oufex.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\blakas.exe" | ountahoat-oufex.exe
Executes dropped EXE 2 IoCs
pid | Process
1228 | ountahoat-oufex.exe
2316 | ountahoat-oufex.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" | ountahoat-oufex.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" | ountahoat-oufex.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" | ountahoat-oufex.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" | ountahoat-oufex.exe
Indicator Removal: Clear Persistence
description | ioc | Process
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | ountahoat-oufex.exe
Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | ountahoat-oufex.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | ountahoat-oufex.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | ountahoat-oufex.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\urheapuk.dll" | ountahoat-oufex.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | ountahoat-oufex.exe
Drops file in System32 directory 17 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ahuy.exe | ountahoat-oufex.exe
File opened for modification | C:\Windows\SysWOW64\idbg32.exe | ountahoat-oufex.exe
File opened for modification | C:\Windows\SysWOW64\ountahoat-oufex.exe | 64e88eb34df6a06ab42158005be3f292a4fe8a78b8f1c4ee0e32c849ade8a037.exe
File created | C:\Windows\SysWOW64\ountahoat-oufex.exe | 64e88eb34df6a06ab42158005be3f292a4fe8a78b8f1c4ee0e32c849ade8a037.exe
File opened for modification | C:\Windows\SysWOW64\blakas.exe | ountahoat-oufex.exe
File opened for modification | C:\Windows\SysWOW64\inleadar-udex.exe | ountahoat-oufex.exe
File created | C:\Windows\SysWOW64\inleadar-udex.exe | ountahoat-oufex.exe
File opened for modification | C:\Windows\SysWOW64\urheapuk.dll | ountahoat-oufex.exe
File opened for modification | C:\Windows\SysWOW64\RECOVER32.DLL | ountahoat-oufex.exe
File created | C:\Windows\SysWOW64\blakas.exe | ountahoat-oufex.exe
File opened for modification | C:\Windows\SysWOW64\winrnt.exe | ountahoat-oufex.exe
File opened for modification | C:\Windows\SysWOW64\aset32.exe | ountahoat-oufex.exe
File opened for modification | C:\Windows\SysWOW64\ntdbg.exe | ountahoat-oufex.exe
File opened for modification | C:\Windows\SysWOW64\gymspzd.dll | ountahoat-oufex.exe
File opened for modification | C:\Windows\SysWOW64\ountahoat-oufex.exe | ountahoat-oufex.exe
File created | C:\Windows\SysWOW64\urheapuk.dll | ountahoat-oufex.exe
File opened for modification | C:\Windows\SysWOW64\rmass.exe | ountahoat-oufex.exe
resource | yara_rule
behavioral2/memory/2116-0-0x0000000000400000-0x0000000000417000-memory.dmp | upx
behavioral2/memory/2116-12-0x0000000000400000-0x0000000000417000-memory.dmp | upx
behavioral2/files/0x00080000000235ac-14.dat | upx
behavioral2/memory/1228-9-0x0000000000400000-0x0000000000417000-memory.dmp | upx
behavioral2/memory/1228-43-0x0000000000400000-0x0000000000417000-memory.dmp | upx
behavioral2/memory/2316-48-0x0000000000400000-0x0000000000417000-memory.dmp | upx
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Common Files\System\rmass.exe | ountahoat-oufex.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\aset32.exe | ountahoat-oufex.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\ahuy.exe | ountahoat-oufex.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\idbg32.exe | ountahoat-oufex.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\ntdbg.exe | ountahoat-oufex.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\RECOVER32.DLL | ountahoat-oufex.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\gymspzd.dll | ountahoat-oufex.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\winrnt.exe | ountahoat-oufex.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 64e88eb34df6a06ab42158005be3f292a4fe8a78b8f1c4ee0e32c849ade8a037.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ountahoat-oufex.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ountahoat-oufex.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1228 | ountahoat-oufex.exe
2316 | ountahoat-oufex.exe
(64 entries in total: the pid 1228 row is repeated throughout the list, with two pid 2316 rows interleaved.)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2116 | 64e88eb34df6a06ab42158005be3f292a4fe8a78b8f1c4ee0e32c849ade8a037.exe
Token: SeDebugPrivilege | 1228 | ountahoat-oufex.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2116 wrote to memory of 1228 | 2116 | 64e88eb34df6a06ab42158005be3f292a4fe8a78b8f1c4ee0e32c849ade8a037.exe | 89
PID 2116 wrote to memory of 1228 | 2116 | 64e88eb34df6a06ab42158005be3f292a4fe8a78b8f1c4ee0e32c849ade8a037.exe | 89
PID 2116 wrote to memory of 1228 | 2116 | 64e88eb34df6a06ab42158005be3f292a4fe8a78b8f1c4ee0e32c849ade8a037.exe | 89
PID 1228 wrote to memory of 632 | 1228 | ountahoat-oufex.exe | 5
PID 1228 wrote to memory of 2316 | 1228 | ountahoat-oufex.exe | 90
PID 1228 wrote to memory of 2316 | 1228 | ountahoat-oufex.exe | 90
PID 1228 wrote to memory of 2316 | 1228 | ountahoat-oufex.exe | 90
PID 1228 wrote to memory of 3408 | 1228 | ountahoat-oufex.exe | 56
(The "wrote to memory of 3408" row is repeated for all remaining entries; 64 entries in total.)
Processes
- C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 632
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3408
  - C:\Users\Admin\AppData\Local\Temp\64e88eb34df6a06ab42158005be3f292a4fe8a78b8f1c4ee0e32c849ade8a037.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\64e88eb34df6a06ab42158005be3f292a4fe8a78b8f1c4ee0e32c849ade8a037.exe"
    PID: 2116
    signatures:
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ountahoat-oufex.exe
      command line: "C:\Windows\system32\ountahoat-oufex.exe"
      PID: 1228
      signatures:
      - Windows security bypass
      - Boot or Logon Autostart Execution: Active Setup
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Windows security modification
      - Indicator Removal: Clear Persistence
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ountahoat-oufex.exe
        command line: --k33p
        PID: 2316
        signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=3832 /prefetch:8
  PID: 3756
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)
Downloads
-
Filesize
37KB
MD5
06e438b5dbc1d5a7b793e86eb419eaa7
SHA1
e614fd0727d8a056289f0e3abc366e5d892df147
SHA256
a1b5290309b5483b91741101098610eb4a45618b3b4e10d500d7bd4ec1a644a5
SHA512
4267e2b53e4cffad9745e48e6ce91199f6fe6eb0139a8fba683d0daa4f19af50e69a38fd687d972e71e03bbc8e49b8d85a1f2c0e30205e1d02314411a21f22e0
-
Filesize
36KB
MD5
37090520519635ad54e8420266dd0c9e
SHA1
437dc099e91b126fdd3b37637dd1ccb972757018
SHA256
e1d585aa99c50a514c99d7a6c6f72e6de6794f50ed882432de4616a453c6cb72
SHA512
90c49195ed1b6529c19bfefce3ce574317c8b2385df402dde384b7c5071f5496e88de530190f0175559c385d57523a0f8fd532a1e45eec50e43aede6c9ba9392
-
Filesize
34KB
MD5
fb49b57c093014a496d7e40ab1a96383
SHA1
3ccb31611b8e80b5b76ca9b315d330c9910a4052
SHA256
64e88eb34df6a06ab42158005be3f292a4fe8a78b8f1c4ee0e32c849ade8a037
SHA512
277cdaec9630f6a55d09c5a0a3a6722e467eadabed69fe95868ebda6c33fa9d6b39dce46a37d6b20e5efde766d89f9e0e665d53f626cc13dc1da1655e070f0a1
-
Filesize
5KB
MD5
c8521a5fdd1c9387d536f599d850b195
SHA1
a543080665107b7e32bcc1ed19dbfbc1d2931356
SHA256
fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5
SHA512
541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd