Analysis

  • max time kernel
    120s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/11/2024, 14:46

General

  • Target

    c5831bb6e3eb0a1b7ebc4479644878b37edaf3d0eb13e2e2c1953b0b74349ebbN.exe

  • Size

    69KB

  • MD5

    9cfc5c63be0deeef453ce5a86b7f8ff0

  • SHA1

    e5decea697f1af55d2e97f9f30fca430ea3f086d

  • SHA256

    c5831bb6e3eb0a1b7ebc4479644878b37edaf3d0eb13e2e2c1953b0b74349ebb

  • SHA512

    524c98087941b4738acc28804576667b8a235319af7ccebacbe891b3ea3acb4af9bfa89ed805509235b60d31da539e7fe6f3a5c8290e02386194a96702a18cc2

  • SSDEEP

    1536:1teqKDlXvkDB04f5Gn/L8FlADNt3d1Tw8P:OlG35GTslA5t37w8P

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    Removes Image File Execution Options (IFEO) entries.

  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:616
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3496
        • C:\Users\Admin\AppData\Local\Temp\c5831bb6e3eb0a1b7ebc4479644878b37edaf3d0eb13e2e2c1953b0b74349ebbN.exe
          "C:\Users\Admin\AppData\Local\Temp\c5831bb6e3eb0a1b7ebc4479644878b37edaf3d0eb13e2e2c1953b0b74349ebbN.exe"
          2⤵
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:32
          • C:\Windows\SysWOW64\ihxikoan-efat.exe
            "C:\Windows\system32\ihxikoan-efat.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3180
            • C:\Windows\SysWOW64\ihxikoan-efat.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1608

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Windows\SysWOW64\akfeaxub.exe

        Filesize

        71KB

        MD5

        cf8fd5fe360dde8e29512d5d70554b43

        SHA1

        172b47dd57c520f40b2781b2dc7a8d408a412221

        SHA256

        c67e4e362905cc644376467a766b67ec9176795af795fe52e00c569aa3173b03

        SHA512

        228389b885d78cb4095691f8d4d7a00c4b29d366e057181214df48b0d12dd5ff84fc8a3aed3fbc72b2fc969a64bf08853b0ee9fa319377ef6c5554569e5066b9

      • C:\Windows\SysWOW64\eabxuvud.dll

        Filesize

        5KB

        MD5

        f37b21c00fd81bd93c89ce741a88f183

        SHA1

        b2796500597c68e2f5638e1101b46eaf32676c1c

        SHA256

        76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

        SHA512

        252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

      • C:\Windows\SysWOW64\ihxikoan-efat.exe

        Filesize

        69KB

        MD5

        9cfc5c63be0deeef453ce5a86b7f8ff0

        SHA1

        e5decea697f1af55d2e97f9f30fca430ea3f086d

        SHA256

        c5831bb6e3eb0a1b7ebc4479644878b37edaf3d0eb13e2e2c1953b0b74349ebb

        SHA512

        524c98087941b4738acc28804576667b8a235319af7ccebacbe891b3ea3acb4af9bfa89ed805509235b60d31da539e7fe6f3a5c8290e02386194a96702a18cc2

      • C:\Windows\SysWOW64\oudseadup-emum.exe

        Filesize

        72KB

        MD5

        7d341bd64c81fe3e93a040fb9cb5980f

        SHA1

        37ef30c5ea0fd80c656b5c45a37deb95a11821da

        SHA256

        9f174a1000cf9c356a397734e35064ad41019c453c84661102c5c9db1b97d353

        SHA512

        387b344fe3719593e40e2450c52bea409218bccb1d61271757d4c9c219875b78ae62caac2e97b85043975689e56ffdaf86c97d011b3d1d467e5c1cc46840e5a2

      • memory/32-6-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/1608-44-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/3180-43-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB
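The following PowerShell triage script is an added example; it is not part of the sandbox report and not the sample's own code. It checks a host for the persistence locations flagged under Signatures (Active Setup, Image File Execution Options, Winlogon) and for the dropped files listed under Downloads, matched by the SHA256 values given in the report. Two caveats shape it: the sample runs as a 32-bit process, so its writes to "System32" are redirected by WOW64 to SysWOW64 (which is why the process tree shows SysWOW64 paths for a command line naming system32) and some of its HKLM\SOFTWARE registry writes may land under WOW6432Node, so both registry views are checked; and the report flags IFEO injection together with "Indicator Removal: Clear Persistence", so an IFEO key with nothing in it does not by itself clear the host. The registry paths are the standard Windows locations; the file names and hashes come from the report above; everything else (the script layout, output fields) is assumed. Run it as an administrator on the suspected host (Windows PowerShell 5.1 or later).

```powershell
# Added triage script (not from the sandbox report). Checks for the persistence
# keys and dropped files described in the report above.

$ErrorActionPreference = 'SilentlyContinue'

# SHA256 values from the report: the original sample (also dropped as ihxikoan-efat.exe,
# same hash) and the three other files written to SysWOW64.
$KnownBad = @{
    'c5831bb6e3eb0a1b7ebc4479644878b37edaf3d0eb13e2e2c1953b0b74349ebb' = 'ihxikoan-efat.exe (copy of the original sample)'
    'c67e4e362905cc644376467a766b67ec9176795af795fe52e00c569aa3173b03' = 'akfeaxub.exe'
    '76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0' = 'eabxuvud.dll'
    '9f174a1000cf9c356a397734e35064ad41019c453c84661102c5c9db1b97d353' = 'oudseadup-emum.exe'
}

# Dropped file names from the report; also used to search registry value data.
$DroppedNames = @('ihxikoan-efat.exe', 'akfeaxub.exe', 'eabxuvud.dll', 'oudseadup-emum.exe')

$Findings = [System.Collections.Generic.List[object]]::new()

# 1. Dropped files. The 32-bit sample wrote to "System32"; WOW64 redirects that to SysWOW64,
#    so both directories are checked and any hit is hashed against the report's values.
foreach ($name in $DroppedNames) {
    foreach ($dir in @("$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32")) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
            $detail = if ($KnownBad.ContainsKey($hash)) { "SHA256 matches report: $($KnownBad[$hash])" }
                      else { "file present but SHA256 $hash is not in the report" }
            $Findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Where = $path; Detail = $detail })
        }
    }
}

# 2. Registry persistence locations named in the Signatures section. Both the native and
#    the WOW6432Node view are walked; keys that do not exist are skipped.
$KeyRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Regex matching any of the dropped file names inside a value's data.
$Pattern = ($DroppedNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

foreach ($root in $KeyRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $keys = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse)
    foreach ($key in $keys) {
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            if ($data -match $Pattern) {
                $Findings.Add([pscustomobject]@{
                    Type   = 'RegistryPersistence'
                    Where  = "$($key.PSPath) -> '$valueName'"
                    Detail = $data
                })
            }
        }
    }
}

# 3. Winlogon Shell/Userinit: these should hold only their defaults. Anything else is
#    reported even if it does not name one of the known dropped files.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Defaults = @{ Shell = 'explorer.exe'; Userinit = "$env:SystemRoot\system32\userinit.exe," }
foreach ($valueName in $Defaults.Keys) {
    $current = (Get-ItemProperty -LiteralPath $Winlogon -Name $valueName).$valueName
    if ($current -and $current.Trim() -ne $Defaults[$valueName]) {   # -ne is case-insensitive
        $Findings.Add([pscustomobject]@{
            Type   = 'WinlogonNonDefault'
            Where  = "$Winlogon -> '$valueName'"
            Detail = "is '$current', expected '$($Defaults[$valueName])'"
        })
    }
}

if ($Findings.Count -eq 0) {
    'No indicators from this report were found on this host.'
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

A clean result from section 2 is weaker evidence than it looks, because the report shows the sample both setting and removing IFEO entries; the file hashes in section 1 and the Winlogon defaults in section 3 are the checks that survive that cleanup. The hash table is keyed on lowercase hex because Get-FileHash returns uppercase, and the dropped-file search is limited to the two system directories because those are the only drop locations the report records.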