Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
01-10-2024 19:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe
Resource
win7-20240708-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe
-
Size
72KB
-
MD5
1e4d9acc849b60a5088b65d115df1420
-
SHA1
6a3eee5fba5f91d92e1c3a91a300706dfa16574c
-
SHA256
5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644
-
SHA512
4685a70343767dedc29d61d893304093c1e1093eaf55d8757c3decb7d93b3b94721d21c52f18fd50918d9efcdf53b639087608aece6967f133bfb0daab1de7e8
-
SSDEEP
1536:x5FNAlTnd+5rO0PxfXZVBZq5qYXMEIcSg:XTAlOO0Pxfznq5zXug
Score
10/10
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" uclivoaf-eagur.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" uclivoaf-eagur.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" uclivoaf-eagur.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" uclivoaf-eagur.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E594A-5a41-4850-4E4E-594A5A414850} uclivoaf-eagur.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E594A-5a41-4850-4E4E-594A5A414850}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" uclivoaf-eagur.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E594A-5a41-4850-4E4E-594A5A414850}\IsInstalled = "1" uclivoaf-eagur.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E594A-5a41-4850-4E4E-594A5A414850}\StubPath = "C:\\Windows\\system32\\oucbifoor-idum.exe" uclivoaf-eagur.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe uclivoaf-eagur.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" uclivoaf-eagur.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\akgeaniv-oucac.exe" uclivoaf-eagur.exe -
Executes dropped EXE 2 IoCs
pid Process 1708 uclivoaf-eagur.exe 1672 uclivoaf-eagur.exe -
Loads dropped DLL 3 IoCs
pid Process 2092 5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe 2092 5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe 1708 uclivoaf-eagur.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" uclivoaf-eagur.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" uclivoaf-eagur.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" uclivoaf-eagur.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" uclivoaf-eagur.exe -
description ioc Process Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger uclivoaf-eagur.exe -
Modifies WinLogon 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" uclivoaf-eagur.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} uclivoaf-eagur.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify uclivoaf-eagur.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" uclivoaf-eagur.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ulkeadak.dll" uclivoaf-eagur.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\uclivoaf-eagur.exe 5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe File opened for modification C:\Windows\SysWOW64\ulkeadak.dll uclivoaf-eagur.exe File created C:\Windows\SysWOW64\ulkeadak.dll uclivoaf-eagur.exe File opened for modification C:\Windows\SysWOW64\uclivoaf-eagur.exe uclivoaf-eagur.exe File created C:\Windows\SysWOW64\uclivoaf-eagur.exe 5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe File opened for modification C:\Windows\SysWOW64\akgeaniv-oucac.exe uclivoaf-eagur.exe File created C:\Windows\SysWOW64\akgeaniv-oucac.exe uclivoaf-eagur.exe File opened for modification C:\Windows\SysWOW64\oucbifoor-idum.exe uclivoaf-eagur.exe File created C:\Windows\SysWOW64\oucbifoor-idum.exe uclivoaf-eagur.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language uclivoaf-eagur.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1672 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe 1708 uclivoaf-eagur.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1708 uclivoaf-eagur.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2092 wrote to memory of 1708 2092 5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe 30 PID 2092 wrote to memory of 1708 2092 5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe 30 PID 2092 wrote to memory of 1708 2092 5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe 30 PID 2092 wrote to memory of 1708 2092 5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe 30 PID 1708 wrote to memory of 432 1708 uclivoaf-eagur.exe 5 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1672 1708 uclivoaf-eagur.exe 31 PID 1708 wrote to memory of 1672 1708 uclivoaf-eagur.exe 31 PID 1708 wrote to memory of 1672 1708 uclivoaf-eagur.exe 31 PID 1708 wrote to memory of 1672 1708 uclivoaf-eagur.exe 31 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21 PID 1708 wrote to memory of 1216 1708 uclivoaf-eagur.exe 21
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1216
-
C:\Users\Admin\AppData\Local\Temp\5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe"C:\Users\Admin\AppData\Local\Temp\5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\uclivoaf-eagur.exe"C:\Windows\SysWOW64\uclivoaf-eagur.exe"3⤵
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Indicator Removal: Clear Persistence
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\uclivoaf-eagur.exe--k33p4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1672
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
73KB
MD5d59654abab4fd2d49bc649a6cc503ba2
SHA133c5e3bee58839f6d70a1572090bc12fd669323e
SHA256c078dba616da3861e7dc4b12f210db502b5de88f23c4871167201e71b91165e5
SHA512cc474ce6cd9d76bb4fe93220e7af0a0168620886a907d6f202349ca0ed72a9f8ef0d8d701b8b26872dd25a31c30efa1ace2e3085969c7f5d2ef7696417405205
-
Filesize
72KB
MD5c8b8e16540e3b220f40c3bea46ab1c12
SHA14ab05ed1d6735058b56fb02751d7538c52395c70
SHA2561a63b1c04eee3ccd9de5e0cee29d02516e9b4acd591ee0fa106d1e2efebee96f
SHA5127053bfca97e916d18807e143433f1341b0d54f0dd6b780d5458e5d36b917d689dcc75af1685bd8b6fcd8612fca6a48bed1af173ad43b09f72e4e20cca8ec87d7
-
Filesize
5KB
MD5f37b21c00fd81bd93c89ce741a88f183
SHA1b2796500597c68e2f5638e1101b46eaf32676c1c
SHA25676cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
-
Filesize
70KB
MD5b8cc9fe7d1840ecd71fd24cfdda854bc
SHA1935a1f04733722c3918810c5174b387f6beb1fec
SHA2566b0f97eb129528df88d0c90ebaa572ad89111624142501ea72f19c6890032529
SHA512379a3830b7b13655fab55836acc1de5cc5f33c64118d588a7936e6f4c40aae97d88760bbd1d0200228e6b2f135470bfe50bcecce95e34e8d21dff2cdfada1723