Malware Analysis Report

2025-06-16 06:57

Sample ID 241104-dx1yasvndq
Target f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N
SHA256 f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122
Tags
defense_evasion discovery evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122

Threat Level: Known bad

The file f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N was found to be: Known bad.

Observed chain (consistent across both detonations): the sample copies itself to C:\Windows\SysWOW64\oumvidoat-nid.exe (the copy has the same SHA256 as the submitted file) and starts that copy, which drops oucsukar.exe, eagfusoar.exe and oumboafoot-oxid.dll into the same directory and registers three autostart hooks for them: an Active Setup Installed Components entry with StubPath = oucsukar.exe, an Image File Execution Options Debugger value for explorer.exe pointing at eagfusoar.exe (deleted again before the run ends, recorded below as Indicator Removal), and a Winlogon\Notify package with DLLName = oumboafoot-oxid.dll. It also writes 25600 to the Security Center AntiVirusOverride, AntiVirusDisableNotify, FirewallDisableNotify and UpdatesDisableNotify values, enables SeDebugPrivilege, and issues DNS queries for a different domain in each run (siqys.st, gtpagepsyumcci.cg); no TCP connection to either domain appears in the captures.

Two points for hunting. First, the registry values name C:\Windows\system32\..., while the files were written to C:\Windows\SysWOW64\...: the dropper is a 32-bit process, so WOW64 redirects its system32 file writes to SysWOW64 and its Security Center, Active Setup and Winlogon writes to Wow6432Node, whereas the IFEO key is shared between views and is written in the native path; check both registry views and both directories. Second, oumboafoot-oxid.dll and the self-copy hash identically in both runs, but oucsukar.exe and eagfusoar.exe have different hashes per run, so the file names, the registry paths and the Winlogon\Notify GUID {BC84DF00-BC38-9902-8082-6FCBF2D87A0B} (identical in both runs, unlike the Active Setup GUID) are more durable indicators than those two hashes.

Malicious Activity Summary

defense_evasion discovery evasion persistence trojan

Windows security bypass

Event Triggered Execution: Image File Execution Options Injection

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

Executes dropped EXE

Windows security modification

Modifies WinLogon

Indicator Removal: Clear Persistence

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 03:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 03:24

Reported

2024-11-04 03:27

Platform

win7-20241010-en

Max time kernel

120s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe"

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\IsInstalled = "1" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\StubPath = "C:\\Windows\\system32\\oucsukar.exe" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45} C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\eagfusoar.exe" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
N/A N/A C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\oumboafoot-oxid.dll" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\oumboafoot-oxid.dll C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
File opened for modification C:\Windows\SysWOW64\oumvidoat-nid.exe C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
File created C:\Windows\SysWOW64\oumvidoat-nid.exe C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe N/A
File opened for modification C:\Windows\SysWOW64\eagfusoar.exe C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
File created C:\Windows\SysWOW64\eagfusoar.exe C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
File opened for modification C:\Windows\SysWOW64\oucsukar.exe C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
File created C:\Windows\SysWOW64\oucsukar.exe C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
File opened for modification C:\Windows\SysWOW64\oumboafoot-oxid.dll C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
File opened for modification C:\Windows\SysWOW64\oumvidoat-nid.exe C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\oumvidoat-nid.exe N/A (64 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
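A detector for the four registry techniques recorded in the tables above, written for this page as an added example and not the sandbox's own signature logic. It parses the report's flattened rows into registry-write records (the same shape Sysmon Event ID 12/13 delivers), normalizes the hive prefix and Wow6432Node so 32-bit and 64-bit writes hit one rule each, and flags the WOW64 path ambiguity seen in this run: the 32-bit dropper stores C:\Windows\system32\... while the files actually landed in SysWOW64. The sample rows are copied from the behavioral1 tables; the final Active Setup "Version" row is a constructed negative case, and the technique IDs are the Enterprise ATT&CK sub-techniques matching the signature names on this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator


@dataclass(frozen=True)
class RegEvent:
    """One registry write, the shape a sandbox log or Sysmon Event ID 12/13 provides."""
    op: str        # "set", "create" or "delete"
    key: str       # key path as logged, e.g. \REGISTRY\MACHINE\SOFTWARE\...
    value: str     # value name; "" for a key creation
    data: str      # data written; "" when none
    process: str   # image path of the writing process


# Row layouts used by the signature tables on this page.
_SET = re.compile(r'^Set value \((?:int|str)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>[A-Za-z]:\\\S+) N/A$')
_CREATE = re.compile(r'^Key created (?P<path>.+?) (?P<proc>[A-Za-z]:\\\S+) N/A$')
_DELETE = re.compile(r'^Delete value (?P<path>.+?) (?P<proc>[A-Za-z]:\\\S+) N/A$')


def parse_rows(rows: Iterable[str]) -> Iterator[RegEvent]:
    """Turn flattened report rows into RegEvent records; rows in any other layout are skipped."""
    for row in rows:
        if m := _SET.match(row):
            key, _, value = m["path"].rpartition("\\")
            # the report doubles backslashes inside string data
            yield RegEvent("set", key, value, m["data"].replace("\\\\", "\\"), m["proc"])
        elif m := _DELETE.match(row):
            key, _, value = m["path"].rpartition("\\")
            yield RegEvent("delete", key, value, "", m["proc"])
        elif m := _CREATE.match(row):
            yield RegEvent("create", m["path"], "", "", m["proc"])


def normalize_key(key: str) -> str:
    """HKLM/HKU prefix, Wow6432Node removed, lower-cased, so 32-bit and 64-bit writes hit one rule."""
    for raw, short in (("\\REGISTRY\\MACHINE", "HKLM"), ("\\REGISTRY\\USER", "HKU")):
        if key.upper().startswith(raw):
            key = short + key[len(raw):]
            break
    return re.sub(r"\\wow6432node(?=\\)", "", key, flags=re.IGNORECASE).lower()


_IFEO = r"^hklm\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\[^\\]+$"

# (ATT&CK sub-technique, description, regex on the normalized key, value names, operations)
RULES = [
    ("T1546.012", "IFEO Debugger set for a program", _IFEO, {"debugger"}, {"set"}),
    ("T1070.009", "IFEO Debugger value deleted", _IFEO, {"debugger"}, {"delete"}),
    ("T1547.014", "Active Setup StubPath set",
     r"^hklm\\software\\microsoft\\active setup\\installed components\\[^\\]+$", {"stubpath"}, {"set"}),
    ("T1547.004", "Winlogon Notify DLL registered",
     r"^hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\[^\\]+$", {"dllname"}, {"set"}),
    ("T1562.001", "Security Center override/notification value changed",
     r"^hklm\\software\\microsoft\\security center$",
     {"antivirusoverride", "antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify"}, {"set"}),
]


def wow64_note(ev: RegEvent) -> str:
    """A 32-bit writer (image under SysWOW64) storing a system32 path: 32-bit consumers are
    redirected to SysWOW64, 64-bit consumers such as explorer.exe resolve the real System32."""
    if "\\syswow64\\" in ev.process.lower() and "\\system32\\" in ev.data.lower():
        return "written by a WOW64 process: check both System32 and SysWOW64 for the target file"
    return ""


def detect(events: Iterable[RegEvent]) -> list:
    """Apply RULES to each event; returns one hit per matching (event, rule) pair."""
    hits = []
    for ev in events:
        nk = normalize_key(ev.key)
        for technique, description, key_re, names, ops in RULES:
            if ev.op in ops and ev.value.lower() in names and re.match(key_re, nk):
                hits.append({"technique": technique, "description": description, "value": ev.value,
                             "data": ev.data, "process": ev.process, "note": wow64_note(ev)})
    return hits


# Rows copied from the behavioral1 tables above; the last row is a constructed negative case
# (an Active Setup "Version" value written by a hypothetical installer, which no rule should flag).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45} C:\Windows\SysWOW64\oumvidoat-nid.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\IsInstalled = "1" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\StubPath = "C:\\Windows\\system32\\oucsukar.exe" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\oumvidoat-nid.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\eagfusoar.exe" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A',
    r'Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger C:\Windows\SysWOW64\oumvidoat-nid.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\oumboafoot-oxid.dll" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EXAMPLE-0000}\Version = "1,0,0,0" C:\Windows\System32\msiexec.exe N/A',
]


if __name__ == "__main__":
    for h in detect(parse_rows(SAMPLE_ROWS)):
        line = f'{h["technique"]} {h["description"]}: {h["value"]} = {h["data"]!r} by {h["process"]}'
        print(line + (f'  [{h["note"]}]' if h["note"] else ""))
```

Running it yields eight hits from the twelve report rows (four Security Center values, one StubPath, one Debugger set, one Debugger delete, one DLLName); the IsInstalled, Startup and key-creation rows are not flagged because each rule keys on the value name that actually carries the executed path. To use it on live telemetry, build RegEvent records from Sysmon Event ID 13 (value set), 12 (key/value create or delete) fields instead of parse_rows; the key normalization and rules stay the same.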

Processes

C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe

"C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe"

C:\Windows\SysWOW64\oumvidoat-nid.exe

"C:\Windows\system32\oumvidoat-nid.exe"

C:\Windows\SysWOW64\oumvidoat-nid.exe

ùù¿çç¤ (command line of the second oumvidoat-nid.exe instance as captured by the sandbox; the bytes do not decode as readable text)

Network

Country Destination Domain Proto
US 8.8.8.8:53 siqys.st udp
US 8.8.8.8:53 siqys.st udp

Files

C:\Windows\SysWOW64\oumvidoat-nid.exe

MD5 b2de2b7bb31d9cab09124a0b6ceda640
SHA1 ab62464ebab3e8ded51aa543ac81fd5953dcb2ae
SHA256 f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122
SHA512 13c155bad0da692ce1eef50ff569f4dca6153c5b1344d9fe7d0f6aa51fc97f89734fee569eb6d26f982a216ac503d9679c9bfa7863c373e5ee3234301f29367f

memory/572-9-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\SysWOW64\oucsukar.exe

MD5 ddd9b24948fdf40a6c60e45b90c6c47c
SHA1 84ca59e393b600ea3e19b1be3465492348b30a70
SHA256 65e9cdbd9659da30126a09d0930f11032826ce66b1e97ea8fe3a327d55217b28
SHA512 9a3d5da70dd56ed2786bd895b7a9740913c3b47056f0f13ff2d5b0bae888a40e2b6c8297d45d9d88878ca3b62ef2724eb643d1214796365aea7556f36c0cf504

C:\Windows\SysWOW64\oumboafoot-oxid.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

C:\Windows\SysWOW64\eagfusoar.exe

MD5 fc8eb462713bbe21cf3da2f75be252c3
SHA1 8400d7079014214015d5ef95a440f0881524a6c1
SHA256 1e9884abcec97162225627510fb6645676b1e138b70c05bf6469824e596613b5
SHA512 516afb2e44faecc7eaa3f339f445eca67eb4b334021867180bd9037b73ab2ba59905023f78b9da4e65b17184788f366908705000c2517b2a59f4ad099188fb79

memory/2744-52-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2396-53-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 03:24

Reported

2024-11-04 03:27

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe"

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53504445-424a-5748-5350-4445424A5748} C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53504445-424a-5748-5350-4445424A5748}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53504445-424a-5748-5350-4445424A5748}\IsInstalled = "1" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53504445-424a-5748-5350-4445424A5748}\StubPath = "C:\\Windows\\system32\\oucsukar.exe" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\eagfusoar.exe" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
N/A N/A C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\oumboafoot-oxid.dll" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\oucsukar.exe C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
File created C:\Windows\SysWOW64\oucsukar.exe C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
File opened for modification C:\Windows\SysWOW64\oumvidoat-nid.exe C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
File created C:\Windows\SysWOW64\oumvidoat-nid.exe C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe N/A
File created C:\Windows\SysWOW64\eagfusoar.exe C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
File opened for modification C:\Windows\SysWOW64\oumboafoot-oxid.dll C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
File created C:\Windows\SysWOW64\oumboafoot-oxid.dll C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
File opened for modification C:\Windows\SysWOW64\oumvidoat-nid.exe C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe N/A
File opened for modification C:\Windows\SysWOW64\eagfusoar.exe C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\oumvidoat-nid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\oumvidoat-nid.exe N/A (64 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\oumvidoat-nid.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe

"C:\Users\Admin\AppData\Local\Temp\f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122N.exe"

C:\Windows\SysWOW64\oumvidoat-nid.exe

"C:\Windows\system32\oumvidoat-nid.exe"

C:\Windows\SysWOW64\oumvidoat-nid.exe

ùù¿çç¤ (command line of the second oumvidoat-nid.exe instance as captured by the sandbox; the bytes do not decode as readable text)

Network

Country Destination Domain Proto
US 8.8.8.8:53 gtpagepsyumcci.cg udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 gtpagepsyumcci.cg udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Windows\SysWOW64\oumvidoat-nid.exe

MD5 b2de2b7bb31d9cab09124a0b6ceda640
SHA1 ab62464ebab3e8ded51aa543ac81fd5953dcb2ae
SHA256 f3c5aa8c6d0efd31fdf284357d7fe29a1ff850683882b4f485d5a33131958122
SHA512 13c155bad0da692ce1eef50ff569f4dca6153c5b1344d9fe7d0f6aa51fc97f89734fee569eb6d26f982a216ac503d9679c9bfa7863c373e5ee3234301f29367f

memory/3640-6-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\SysWOW64\eagfusoar.exe

MD5 ab08d33f48637dfb1ba2c6fbe20b98ba
SHA1 2aa52f20131866d0e5db18b4cee13da72d9efd3e
SHA256 0fa059c6c6c8abd1868c82196876b17a4d770c60fdbd87588b8ed1e0b78a1877
SHA512 88fa7057bef82c33b32395d5fd26136c195861e084f962910a11a59df26dae97cdafdc1e14f13489bd804fb4a2a6d1bc602fe21190b27a784dcc3f02eabb5a03

C:\Windows\SysWOW64\oumboafoot-oxid.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

C:\Windows\SysWOW64\oucsukar.exe

MD5 14f90ae2a3c27fed5bcf3f4d14c02938
SHA1 8d5ff2d25a4e8d3f581aa64932d074dfed7ef468
SHA256 10e5e3ef657cd6604aee95a747f30fb61f9daa0c17b205c282f9a83f662ff1b0
SHA512 d5d59144a5c94b687f1a01f46800221ee868a3c2d92b6949fe10b3d256953c937386a7ef0f0f316f3cda8bc6b960f8fa3e8f98c6ddccc19401d690f75c18a2f0

memory/2684-43-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4984-44-0x0000000000400000-0x0000000000414000-memory.dmp