Analysis
- max time kernel: 119s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2024, 22:09

Static task: static1

Behavioral task: behavioral1
- Sample: 6fb38ab86738986fb7e4935a90366518ed82a4e46088413e7a34d37d48c118a6N.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: 6fb38ab86738986fb7e4935a90366518ed82a4e46088413e7a34d37d48c118a6N.exe
- Resource: win10v2004-20241007-en
General
- Target: 6fb38ab86738986fb7e4935a90366518ed82a4e46088413e7a34d37d48c118a6N.exe
- Size: 69KB
- MD5: 53483ab6151d146fd11600ca74c32690
- SHA1: 7c0dac68a755bdaf3cc05011e336a474bc40c1f2
- SHA256: 6fb38ab86738986fb7e4935a90366518ed82a4e46088413e7a34d37d48c118a6
- SHA512: b9c9c709a49c83dce16edab9f03adbd928cc4e02bf68ad6cc465fd3a1db8931f42328dc255665ad53fc20b2bdc749d8d3e2e8e5eadcd416ef0a4663f5a927574
- SSDEEP: 1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8Nb:Olg35GTslA5t3/w8Nb
Malware Config
Signatures

Windows security bypass 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | arheasif-eadoab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | arheasif-eadoab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | arheasif-eadoab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | arheasif-eadoab.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{594C464F-4749-4f45-594C-464F47494f45} | arheasif-eadoab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{594C464F-4749-4f45-594C-464F47494f45}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | arheasif-eadoab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{594C464F-4749-4f45-594C-464F47494f45}\IsInstalled = "1" | arheasif-eadoab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{594C464F-4749-4f45-594C-464F47494f45}\StubPath = "C:\\Windows\\system32\\ulsenoos.exe" | arheasif-eadoab.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | arheasif-eadoab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | arheasif-eadoab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\omveadoor-amid.exe" | arheasif-eadoab.exe
Executes dropped EXE 2 IoCs
pid | Process
4908 | arheasif-eadoab.exe
4876 | arheasif-eadoab.exe
Windows security modification 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | arheasif-eadoab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | arheasif-eadoab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | arheasif-eadoab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | arheasif-eadoab.exe
Indicator Removal: Clear Persistence 1 IoCs
description | ioc | Process
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | arheasif-eadoab.exe
Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | arheasif-eadoab.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | arheasif-eadoab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | arheasif-eadoab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ipxeaxoak.dll" | arheasif-eadoab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | arheasif-eadoab.exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\omveadoor-amid.exe | arheasif-eadoab.exe
File opened for modification | C:\Windows\SysWOW64\ulsenoos.exe | arheasif-eadoab.exe
File created | C:\Windows\SysWOW64\ulsenoos.exe | arheasif-eadoab.exe
File opened for modification | C:\Windows\SysWOW64\ipxeaxoak.dll | arheasif-eadoab.exe
File created | C:\Windows\SysWOW64\ipxeaxoak.dll | arheasif-eadoab.exe
File opened for modification | C:\Windows\SysWOW64\arheasif-eadoab.exe | arheasif-eadoab.exe
File opened for modification | C:\Windows\SysWOW64\arheasif-eadoab.exe | 6fb38ab86738986fb7e4935a90366518ed82a4e46088413e7a34d37d48c118a6N.exe
File created | C:\Windows\SysWOW64\arheasif-eadoab.exe | 6fb38ab86738986fb7e4935a90366518ed82a4e46088413e7a34d37d48c118a6N.exe
File opened for modification | C:\Windows\SysWOW64\omveadoor-amid.exe | arheasif-eadoab.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6fb38ab86738986fb7e4935a90366518ed82a4e46088413e7a34d37d48c118a6N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arheasif-eadoab.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arheasif-eadoab.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4908 | arheasif-eadoab.exe
4876 | arheasif-eadoab.exe
(the 64 listed entries are repeats of these two rows; 4876 appears twice, all other entries are 4908)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1220 | 6fb38ab86738986fb7e4935a90366518ed82a4e46088413e7a34d37d48c118a6N.exe
Token: SeDebugPrivilege | 4908 | arheasif-eadoab.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1220 wrote to memory of 4908 | 1220 | 6fb38ab86738986fb7e4935a90366518ed82a4e46088413e7a34d37d48c118a6N.exe | 84
PID 1220 wrote to memory of 4908 | 1220 | 6fb38ab86738986fb7e4935a90366518ed82a4e46088413e7a34d37d48c118a6N.exe | 84
PID 1220 wrote to memory of 4908 | 1220 | 6fb38ab86738986fb7e4935a90366518ed82a4e46088413e7a34d37d48c118a6N.exe | 84
PID 4908 wrote to memory of 616 | 4908 | arheasif-eadoab.exe | 5
PID 4908 wrote to memory of 3584 | 4908 | arheasif-eadoab.exe | 56
PID 4908 wrote to memory of 4876 | 4908 | arheasif-eadoab.exe | 85
PID 4908 wrote to memory of 4876 | 4908 | arheasif-eadoab.exe | 85
PID 4908 wrote to memory of 4876 | 4908 | arheasif-eadoab.exe | 85
(the remaining entries, up to the 64 listed, all repeat the row "PID 4908 wrote to memory of 3584 | 4908 | arheasif-eadoab.exe | 56")
Processes
- C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 616
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3584
  - C:\Users\Admin\AppData\Local\Temp\6fb38ab86738986fb7e4935a90366518ed82a4e46088413e7a34d37d48c118a6N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\6fb38ab86738986fb7e4935a90366518ed82a4e46088413e7a34d37d48c118a6N.exe"
    PID: 1220
    signatures:
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\arheasif-eadoab.exe
      command line: "C:\Windows\system32\arheasif-eadoab.exe"
      PID: 4908
      signatures:
      - Windows security bypass
      - Boot or Logon Autostart Execution: Active Setup
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Windows security modification
      - Indicator Removal: Clear Persistence
      - Modifies WinLogon
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\arheasif-eadoab.exe
        command line: --k33p
        PID: 4876
        signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)