Malware Analysis Report

2024-12-07 16:23

Sample ID 241113-1h5z2azeqn
Target 3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe
SHA256 3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4
Tags
defense_evasion discovery evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4

Threat Level: Known bad

The file 3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion persistence trojan

Windows security bypass

Boot or Logon Autostart Execution: Active Setup

Event Triggered Execution: Image File Execution Options Injection

Loads dropped DLL

Windows security modification

Executes dropped EXE

Modifies WinLogon

Indicator Removal: Clear Persistence

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Read together, the signatures describe one chain, and it is the same in both detonations: the submitted executable writes eahrikeat.exe to C:\Windows\SysWOW64 and runs it; eahrikeat.exe then drops ebbikeat.exe, ekkovoag.exe and ucsifoot-egum.dll into the same directory, registers them in three autostart locations (an Active Setup StubPath, the Image File Execution Options Debugger value for explorer.exe, and a Winlogon Notify package), sets the Security Center *DisableNotify and AntiVirusOverride values to 25600 (0x6400) to suppress notifications, acquires SeDebugPrivilege and enumerates processes. Two points matter when turning this into a hunt. First, the registry strings name C:\Windows\system32\..., but every file was created in C:\Windows\SysWOW64: the writer is a 32-bit process (its HKLM\SOFTWARE writes land under Wow6432Node), so WOW64 file system redirection sends its system32 writes to SysWOW64; Image File Execution Options is a shared key that is not redirected, which is why that path alone carries no Wow6432Node. Second, Windows has not loaded Winlogon Notify packages since Vista, so that entry is an indicator rather than working persistence on the win7 and win10 images used here, and the same process also deletes the IFEO Debugger value it set (the Indicator Removal signature), which leaves the Active Setup entry as the persistence most likely to remain on an infected host.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 21:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 21:40

Reported

2024-11-13 21:42

Platform

win7-20241023-en

Max time kernel

119s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe"

Signatures

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{504A4353-444d-5250-504A-4353444D5250} | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{504A4353-444d-5250-504A-4353444D5250}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{504A4353-444d-5250-504A-4353444D5250}\IsInstalled = "1" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{504A4353-444d-5250-504A-4353444D5250}\StubPath = "C:\\Windows\\system32\\ebbikeat.exe" | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ekkovoag.exe" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\eahrikeat.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Indicator Removal: Clear Persistence

defense_evasion
Description | Indicator | Process | Target
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ucsifoot-egum.dll" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\eahrikeat.exe | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | N/A
File created | C:\Windows\SysWOW64\eahrikeat.exe | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ebbikeat.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A
File created | C:\Windows\SysWOW64\ebbikeat.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A
File opened for modification | C:\Windows\SysWOW64\eahrikeat.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ekkovoag.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A
File created | C:\Windows\SysWOW64\ekkovoag.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ucsifoot-egum.dll | C:\Windows\SysWOW64\eahrikeat.exe | N/A
File created | C:\Windows\SysWOW64\ucsifoot-egum.dll | C:\Windows\SysWOW64\eahrikeat.exe | N/A
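The Active Setup, IFEO, Winlogon Notify and "Drops file" tables above are easiest to act on once the registry strings are reconciled with the files that actually landed on disk. The following Python is an added example, not sandbox output and not code from the sample: it parses rows copied from this report (the " | " separators are added so they parse; the set-then-delete order of the IFEO Debugger value is assumed, since the report carries no timestamps), infers that the writer is 32-bit from its Wow6432Node registry writes, applies WOW64 file system redirection to the system32 paths, and checks each persistence target against the File created events. The technique labels and the Winlogon Notify caveat are annotations added here, not sandbox signatures.

```python
"""Reconcile persistence registry writes with dropped files, WOW64-aware.

Added example, not sandbox output or sample code. Rows are copied from the
behavioral1 tables of this report (" | " separators added so they parse; the
set-then-delete order of the IFEO Debugger value is assumed, the report has no
timestamps). Technique labels and caveats are annotations added here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

REPORT_ROWS = r"""
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\eahrikeat.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{504A4353-444d-5250-504A-4353444D5250}\IsInstalled = "1" | C:\Windows\SysWOW64\eahrikeat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{504A4353-444d-5250-504A-4353444D5250}\StubPath = "C:\\Windows\\system32\\ebbikeat.exe" | C:\Windows\SysWOW64\eahrikeat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ekkovoag.exe" | C:\Windows\SysWOW64\eahrikeat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ucsifoot-egum.dll" | C:\Windows\SysWOW64\eahrikeat.exe
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\eahrikeat.exe
File created | C:\Windows\SysWOW64\eahrikeat.exe | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe
File created | C:\Windows\SysWOW64\ebbikeat.exe | C:\Windows\SysWOW64\eahrikeat.exe
File created | C:\Windows\SysWOW64\ekkovoag.exe | C:\Windows\SysWOW64\eahrikeat.exe
File created | C:\Windows\SysWOW64\ucsifoot-egum.dll | C:\Windows\SysWOW64\eahrikeat.exe
"""
PERSISTENCE = [  # (key fragment, value name, technique, caveat)
    ("\\Active Setup\\Installed Components\\", "StubPath",
     "Active Setup StubPath, run by runonce.exe at the next interactive logon", ""),
    ("\\Image File Execution Options\\", "Debugger",
     "IFEO Debugger, started in place of the hijacked image", ""),
    ("\\Winlogon\\Notify\\", "DLLName", "Winlogon Notify package",
     "notification packages are not loaded since Windows Vista; indicator only"),
]
VALUE_RE = re.compile(r'^(?P<key>.*)\\(?P<name>[^\\]*) = "(?P<data>.*)"$')
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Event:
    op: str       # "Set value (str)", "Delete value", "File created", ...
    key: str      # registry key ("" for file events)
    name: str     # value name ("" for file events)
    data: str     # value data with the report's doubled backslashes undone, or file path
    process: str  # image path of the process that performed the operation


@dataclass
class Finding:
    technique: str
    key: str
    referenced: str  # path exactly as written into the registry
    resolved: str    # the same path after WOW64 file system redirection
    dropped: bool    # resolved path appears among the File created events
    active: bool     # value was not deleted later in the trace
    caveat: str = ""


def parse_rows(text: str) -> list[Event]:
    events = []
    for line in text.strip().splitlines():
        op, indicator, process = (f.strip() for f in line.split(" | "))
        if op.startswith("File "):
            events.append(Event(op, "", "", indicator, process))
        elif (m := VALUE_RE.match(indicator)):
            events.append(Event(op, m["key"], m["name"], m["data"].replace("\\\\", "\\"), process))
        else:  # "Delete value": indicator is key\name with no data
            key, _, name = indicator.rpartition("\\")
            events.append(Event(op, key, name, "", process))
    return events


def writer_is_32bit(events: list[Event], process: str) -> bool:
    # Registry redirection is the tell: a 32-bit process writing HKLM\SOFTWARE lands under
    # Wow6432Node. IFEO is a shared key, so its path carries no Wow6432Node even then.
    return any(e.process == process and "\\Wow6432Node\\" in e.key for e in events)


def resolve_wow64(path: str, is_32bit: bool) -> str:
    # WOW64 file system redirection: a 32-bit process naming C:\Windows\system32\X touches SysWOW64\X.
    if is_32bit and path.lower().startswith(SYSTEM32):
        return "C:\\Windows\\SysWOW64\\" + path[len(SYSTEM32):]
    return path


def analyze(events: list[Event]) -> tuple[list[Finding], dict[str, int]]:
    dropped = {e.data.lower() for e in events if e.op == "File created"}
    findings, security_center = [], {}
    for i, e in enumerate(events):
        if not e.op.startswith("Set value"):
            continue
        if e.key.endswith("\\Security Center") and e.name.endswith(("DisableNotify", "Override")):
            security_center[e.name] = int(e.data)  # 25600 == 0x6400, stored as written
            continue
        for fragment, name, technique, caveat in PERSISTENCE:
            if fragment in e.key and e.name == name:
                resolved = resolve_wow64(e.data, writer_is_32bit(events, e.process))
                deleted_later = any(x.op == "Delete value" and (x.key, x.name) == (e.key, e.name)
                                    for x in events[i + 1:])
                findings.append(Finding(technique, e.key, e.data, resolved,
                                        resolved.lower() in dropped, not deleted_later, caveat))
    return findings, security_center


if __name__ == "__main__":
    for f in analyze(parse_rows(REPORT_ROWS))[0]:
        print(f"{f.technique}\n  wrote: {f.referenced}\n  on disk: {f.resolved}"
              f"  dropped={f.dropped} active={f.active}  {f.caveat}")
```

Run as a script it prints the three findings: all three registry strings resolve to files the report lists under C:\Windows\SysWOW64, the IFEO entry comes out as dropped but not active because the same process deleted the Debugger value, and the Winlogon Notify entry carries the Vista caveat. The same parser works on the behavioral2 rows, which differ only in the Active Setup GUID and the dropped-file hashes.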

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\eahrikeat.exe | N/A (64 identical events)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe"

Image: C:\Windows\SysWOW64\eahrikeat.exe
Command line: "C:\Windows\SysWOW64\eahrikeat.exe"

Image: C:\Windows\SysWOW64\eahrikeat.exe
Command line: ùù¿çç¤ (as recorded; not a valid path)

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ttwdwiqsnqk.nu | udp
US | 8.8.8.8:53 | ttwdwiqsnqk.nu | udp

Files

C:\Windows\SysWOW64\eahrikeat.exe

MD5 dbfafb48b373c94216c4d150358b7261
SHA1 b391da66953d1dc9f8d30d8a9e1a4968cd432569
SHA256 3e13ca27070cbefe95e76205eb8fcdf073670144fe7f5a447bb2e116d19e5a80
SHA512 e8a1b6c1c8e24ca8f3990ff95e5c0c2e5d0f3d80e8cd2be9cc706147792103835d16d8b5d5156e2c1104f9cb5975b7835d5431fe03eb69950cf67331a71fed9d

memory/108-7-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Windows\SysWOW64\ebbikeat.exe

MD5 69b20518dc7559d7d9184bb330f1a86f
SHA1 9db320dd78e87d21674723a187d3e22d721942bf
SHA256 bf52e753212c67f5b1f6e2ddc0d0e362ecae042ddda6b1f74bd7541d51482f99
SHA512 a64ec984e5bd9162c3b4a8a9b71cc04d9679c5fe04b8912005bf0602de9d9b2da2c3ff729ad9c1d0308596bb95aac08cdbebc7e670ddfa0cf7f4a22dbe838302

C:\Windows\SysWOW64\ekkovoag.exe

MD5 b44e779d92edabbcb0db2138a1e314db
SHA1 dd8c81a588e91ef31172520954b0c2251ab52126
SHA256 6b21280df93225a50dda8a169142bdccab1933324fef4eb0fe1fba0afec001ff
SHA512 1b4e54b61be7236563c571a637451a8d8bdde69ffcae6d53037b7b9a9f0ac34b3ecacef0830cedd8c50777f5261c275f0266216d039e2b192ee80c087c84f1e2

C:\Windows\SysWOW64\ucsifoot-egum.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

memory/2024-47-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1948-51-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 21:40

Reported

2024-11-13 21:42

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe"

Signatures

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47554D4C-4e4c-4645-4755-4D4C4E4C4645} | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47554D4C-4e4c-4645-4755-4D4C4E4C4645}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47554D4C-4e4c-4645-4755-4D4C4E4C4645}\IsInstalled = "1" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47554D4C-4e4c-4645-4755-4D4C4E4C4645}\StubPath = "C:\\Windows\\system32\\ebbikeat.exe" | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ekkovoag.exe" | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\eahrikeat.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Indicator Removal: Clear Persistence

defense_evasion
Description | Indicator | Process | Target
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ucsifoot-egum.dll" | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ekkovoag.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ebbikeat.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ucsifoot-egum.dll | C:\Windows\SysWOW64\eahrikeat.exe | N/A
File created | C:\Windows\SysWOW64\ebbikeat.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A
File created | C:\Windows\SysWOW64\ucsifoot-egum.dll | C:\Windows\SysWOW64\eahrikeat.exe | N/A
File opened for modification | C:\Windows\SysWOW64\eahrikeat.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A
File opened for modification | C:\Windows\SysWOW64\eahrikeat.exe | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | N/A
File created | C:\Windows\SysWOW64\eahrikeat.exe | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ekkovoag.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\eahrikeat.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\eahrikeat.exe | N/A (64 identical events)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\eahrikeat.exe | N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe"

Image: C:\Windows\SysWOW64\eahrikeat.exe
Command line: "C:\Windows\SysWOW64\eahrikeat.exe"

Image: C:\Windows\SysWOW64\eahrikeat.exe
Command line: ùù¿çç¤ (as recorded; not a valid path)

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ruibflkkmeasi.st | udp
US | 8.8.8.8:53 | ruibflkkmeasi.st | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp

The in-addr.arpa rows are reverse (PTR) lookups of addresses in Microsoft and CDN ranges; on a win10 image these are, in all likelihood, the operating system's own background lookups rather than activity of the sample (the win7 run, with 16 s of network time, shows none), so the two ruibflkkmeasi.st queries are the network indicators to take from this run. The report records the queries only; no answer is shown for either run's domain.

Files

C:\Windows\SysWOW64\eahrikeat.exe

MD5 dbfafb48b373c94216c4d150358b7261
SHA1 b391da66953d1dc9f8d30d8a9e1a4968cd432569
SHA256 3e13ca27070cbefe95e76205eb8fcdf073670144fe7f5a447bb2e116d19e5a80
SHA512 e8a1b6c1c8e24ca8f3990ff95e5c0c2e5d0f3d80e8cd2be9cc706147792103835d16d8b5d5156e2c1104f9cb5975b7835d5431fe03eb69950cf67331a71fed9d

memory/4980-4-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Windows\SysWOW64\ebbikeat.exe

MD5 aee907c848e80a39f3cc50c1228060a9
SHA1 02ab81f2117977ed38c1e63c119778e1e2100712
SHA256 6984d4ee6dec303fc2d787e88f76a0ac1410cdc98c7690266def91e7415d58c3
SHA512 fe79a64e890934e6c990f403f7aa5c52a6ba1d1cdbdabbfae404225ef1e17a98d287c845a0b626cf9fd88c164617162e47b39f49f7946a4f035cbdf1ca19f800

C:\Windows\SysWOW64\ekkovoag.exe

MD5 e6282cab5aa33a3e3ec838f7c05129a9
SHA1 fd1d12f6010d4bb0581268340691074ea0117fbb
SHA256 e976a6e46807a91d763f614439d1d3a38926963be13206e5caee2087ae61c925
SHA512 3f8618774bcef1c26b246c5c64e91d7894fa7a137180a90e9f6254090d0a94e6d35f3da913752cef337f7145feed39d4420f354afb6fa571a945fd69c8ef6af9

C:\Windows\SysWOW64\ucsifoot-egum.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

memory/632-44-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4952-45-0x0000000000400000-0x0000000000414000-memory.dmp
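Comparing the two detonations is worth doing before any of these values go into a hunt. The following Python is an added example, not part of the report: it holds the per-run values copied from the Files, Signatures and Network sections above, splits them into artifacts that are identical across runs and artifacts that change, and decodes the GUIDs as bytes. eahrikeat.exe, ucsifoot-egum.dll, the Winlogon Notify GUID and the hijacked image (explorer.exe) are stable; ebbikeat.exe, ekkovoag.exe, the Active Setup GUID and the queried domain differ between the win7 and win10 runs. The Active Setup GUIDs decode to a repeated run of uppercase ASCII letters ({504A4353-444d-5250-504A-4353444D5250} is "PJCSDMRP" twice), so a hunt should match the shape of that key rather than its value. The report records only the DNS queries, not any answer, so nothing further is claimed here about the two domains.

```python
"""Cross-run artifact diff for the two detonations of this sample.

Added example, not part of the sandbox report. Values are copied from the
Files, Signatures and Network sections (behavioral1 = win7, behavioral2 =
win10). Artifacts that match across runs are usable pivots; those that
differ are regenerated per run and make poor indicators.
"""
from __future__ import annotations

RUNS: dict[str, dict[str, str]] = {
    "behavioral1": {
        "sha256:eahrikeat.exe": "3e13ca27070cbefe95e76205eb8fcdf073670144fe7f5a447bb2e116d19e5a80",
        "sha256:ebbikeat.exe": "bf52e753212c67f5b1f6e2ddc0d0e362ecae042ddda6b1f74bd7541d51482f99",
        "sha256:ekkovoag.exe": "6b21280df93225a50dda8a169142bdccab1933324fef4eb0fe1fba0afec001ff",
        "sha256:ucsifoot-egum.dll": "76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0",
        "activesetup_guid": "{504A4353-444d-5250-504A-4353444D5250}",
        "winlogon_notify_guid": "{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}",
        "ifeo_image": "explorer.exe",
        "dns_query": "ttwdwiqsnqk.nu",
    },
    "behavioral2": {
        "sha256:eahrikeat.exe": "3e13ca27070cbefe95e76205eb8fcdf073670144fe7f5a447bb2e116d19e5a80",
        "sha256:ebbikeat.exe": "6984d4ee6dec303fc2d787e88f76a0ac1410cdc98c7690266def91e7415d58c3",
        "sha256:ekkovoag.exe": "e976a6e46807a91d763f614439d1d3a38926963be13206e5caee2087ae61c925",
        "sha256:ucsifoot-egum.dll": "76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0",
        "activesetup_guid": "{47554D4C-4e4c-4645-4755-4D4C4E4C4645}",
        "winlogon_notify_guid": "{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}",
        "ifeo_image": "explorer.exe",
        "dns_query": "ruibflkkmeasi.st",
    },
}


def diff_runs(a: dict[str, str], b: dict[str, str]) -> tuple[dict[str, str], dict[str, tuple[str, str]]]:
    """Split artifacts present in both runs into stable (same value) and variable sets."""
    stable, variable = {}, {}
    for key in sorted(a.keys() & b.keys()):
        if a[key] == b[key]:
            stable[key] = a[key]
        else:
            variable[key] = (a[key], b[key])
    return stable, variable


def guid_as_ascii(guid: str) -> str | None:
    """Decode a GUID's 16 bytes as text. A randomly generated GUID will not decode;
    one whose bytes are all printable ASCII was built from text."""
    raw = bytes.fromhex(guid.strip("{}").replace("-", ""))
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def pivots(stable: dict[str, str], variable: dict[str, tuple[str, str]]) -> list[str]:
    """Hunting guidance: stable values can be matched as-is, variable ones only by pattern."""
    out = [f"pivot on {k} = {v}" for k, v in stable.items()]
    for k, (v1, v2) in variable.items():
        hint = ""
        if k.endswith("_guid") and guid_as_ascii(v1) and guid_as_ascii(v2):
            hint = f" (ASCII-built: {guid_as_ascii(v1)!r} vs {guid_as_ascii(v2)!r}; match on shape, not value)"
        out.append(f"do not pivot on {k}: {v1} vs {v2}{hint}")
    return out


if __name__ == "__main__":
    stable, variable = diff_runs(RUNS["behavioral1"], RUNS["behavioral2"])
    print("\n".join(pivots(stable, variable)))
```

The stable set is what belongs in a detection rule: the two unchanged hashes, the fixed Winlogon Notify GUID, the explorer.exe IFEO key and the fixed file names under SysWOW64. The variable set is still useful as a behaviour pattern (an Active Setup component whose GUID is made of uppercase letters and repeats its first eight bytes, a Debugger value on explorer.exe pointing into SysWOW64) but not as a literal value.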