Analysis Overview
SHA256
70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118
Threat Level: Known bad
The file 70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118.exe was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Event Triggered Execution: Image File Execution Options Injection
Boot or Logon Autostart Execution: Active Setup
Windows security modification
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Indicator Removal: Clear Persistence
Drops file in System32 directory
UPX packed file
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 23:47
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 23:47
Reported
2024-11-13 23:49
Platform
win7-20240903-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D585146-4e58-4c54-4D58-51464E584c54} | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D585146-4e58-4c54-4D58-51464E584c54}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D585146-4e58-4c54-4D58-51464E584c54}\IsInstalled = "1" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D585146-4e58-4c54-4D58-51464E584c54}\StubPath = "C:\\Windows\\system32\\acberab.exe" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ouctisuc.exe" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\atvofeak.dll" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\idbg32.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RECOVER32.DLL | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmoopeg.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File created | C:\Windows\SysWOW64\tmoopeg.exe | C:\Users\Admin\AppData\Local\Temp\70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\acberab.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aset32.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winrnt.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gymspzd.dll | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ouctisuc.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File created | C:\Windows\SysWOW64\ouctisuc.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File created | C:\Windows\SysWOW64\atvofeak.dll | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rmass.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ahuy.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ntdbg.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmoopeg.exe | C:\Users\Admin\AppData\Local\Temp\70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118.exe | N/A |
| File created | C:\Windows\SysWOW64\acberab.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\atvofeak.dll | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\System\gymspzd.dll | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\winrnt.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\rmass.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\aset32.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ahuy.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\idbg32.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ntdbg.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\RECOVER32.DLL | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Suspicious use of WriteProcessMemory
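The registry rows in the signature tables above are what a responder has to turn into a hunt. The script below is an added example, not part of the sandbox output: it parses rows in the report's own `| action | indicator | process | target |` shape into one IOC per key/value, rewrites `\REGISTRY\MACHINE` as `HKLM`, keeps the set/delete history (the IFEO `Debugger` value for `explorer.exe` is written and then removed in the same run, so on a live host the value may be gone while `ouctisuc.exe` is still on disk), and lists the file paths the values point at. Two caveats the rows already show: the 32-bit `tmoopeg.exe` writes to the Security Center, Active Setup and Winlogon keys land under `Wow6432Node`, so check both that view and the native path; and the data it writes says `system32` while the file tables show the dropped files in `SysWOW64` (WOW64 file-system redirection for a 32-bit process), so look in both directories. `REPORT_ROWS` is a constructed excerpt of the behavioral1 tables; the ATT&CK IDs in `TECHNIQUES` are the IDs for the signature names the report uses.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the behavioral1 signature tables above, in the report's row shape.
REPORT_ROWS = r"""
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D585146-4e58-4c54-4D58-51464E584c54} | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D585146-4e58-4c54-4D58-51464E584c54}\StubPath = "C:\\Windows\\system32\\acberab.exe" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ouctisuc.exe" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\atvofeak.dll" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
"""

HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

# key substring -> (signature name used by the report, ATT&CK technique ID)
TECHNIQUES = [
    (r"\Active Setup\Installed Components", "Boot or Logon Autostart Execution: Active Setup", "T1547.014"),
    (r"\Image File Execution Options", "Event Triggered Execution: Image File Execution Options Injection", "T1546.012"),
    (r"\Winlogon\Notify", "Modifies WinLogon", "T1547.004"),
    (r"\Security Center", "Windows security bypass", "T1562.001"),
    (r"\NLS\Language", "System Location Discovery: System Language Discovery", "T1614.001"),
]

# indicator cell: <\REGISTRY\... path>[ = "<data>"]
ROW_RE = re.compile(r'^(?P<path>\\REGISTRY\\.+?)(?: = "(?P<data>.*)")?$')


@dataclass
class RegistryIoc:
    key: str                    # normalised key, e.g. HKLM\SOFTWARE\...\explorer.exe
    value: Optional[str]        # None for key-level events (created / opened)
    technique: str
    attack_id: str
    process: str
    actions: List[str] = field(default_factory=list)
    data: Optional[str] = None  # last data written, with the report's doubled backslashes undone

    @property
    def state(self) -> str:
        """What to expect on a live host: a value set and then deleted will not be there."""
        was_set = any(a.startswith("Set value") for a in self.actions)
        if "Delete value" in self.actions:
            return "set then deleted" if was_set else "deleted"
        return "present" if was_set or "Key created" in self.actions else "read only"


def classify(key: str) -> Tuple[str, str]:
    for needle, name, attack_id in TECHNIQUES:
        if needle.lower() in key.lower():
            return name, attack_id
    return "unclassified", ""


def parse_row(line: str):
    """Return (action, key, value, data, process) for one registry row, else None."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or not cells[1].startswith(r"\REGISTRY"):
        return None
    action, indicator, process, _target = cells
    m = ROW_RE.match(indicator)
    if m is None:
        return None
    path, data = m.group("path"), m.group("data")
    for prefix, short in HIVES.items():            # \REGISTRY\MACHINE -> HKLM
        if path.startswith(prefix):
            path = short + path[len(prefix):]
            break
    if action == "Delete value" or action.startswith("Set value"):
        key, _, value = path.rpartition("\\")     # last component is the value name
    else:
        key, value = path, None
    if data is not None:
        data = data.replace("\\\\", "\\")          # "C:\\Windows\\..." -> C:\Windows\...
    return action, key, value, data, process


def build_hunt_list(report_text: str) -> List[RegistryIoc]:
    """One IOC per (key, value); repeated rows only extend its action history."""
    iocs: Dict[Tuple[str, Optional[str]], RegistryIoc] = {}
    for line in report_text.splitlines():
        parsed = parse_row(line)
        if parsed is None:
            continue
        action, key, value, data, process = parsed
        ioc = iocs.get((key, value))
        if ioc is None:
            ioc = iocs[(key, value)] = RegistryIoc(key, value, *classify(key), process)
        ioc.actions.append(action)
        if data is not None:
            ioc.data = data
    return list(iocs.values())


def referenced_files(iocs: List[RegistryIoc]) -> set:
    """File paths the registry data points at; these outlive a deleted value."""
    return {i.data for i in iocs if i.data and re.match(r"^[A-Za-z]:\\", i.data)}


if __name__ == "__main__":
    hunt = build_hunt_list(REPORT_ROWS)
    for ioc in hunt:
        target = f" -> {ioc.value} = {ioc.data!r}" if ioc.value else ""
        print(f"[{ioc.attack_id or '-'}] {ioc.state:16} {ioc.key}{target}")
    print("files to check under System32 and SysWOW64:", sorted(referenced_files(hunt)))
```

Feed it the full behavioral1 and behavioral2 tables and the output is the same list twice, which is the point: the persistence locations and the three dropped file names are constant between the Win7 and Win10 runs even where the GUID under `Active Setup\Installed Components` is not.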
Processes
| Process | Command line |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118.exe | "C:\Users\Admin\AppData\Local\Temp\70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118.exe" |
| C:\Windows\SysWOW64\tmoopeg.exe | "C:\Windows\system32\tmoopeg.exe" |
| C:\Windows\SysWOW64\tmoopeg.exe | --k33p |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | okivedx.st | udp |
| US | 8.8.8.8:53 | okivedx.st | udp |
Files
memory/2404-0-0x0000000000400000-0x0000000000417000-memory.dmp
\Windows\SysWOW64\tmoopeg.exe
| MD5 | 76756359ecf86d0c02899ae95c8d0fd0 |
| SHA1 | d967a5e2abc611dd6790c5fbc5d7c2a11dc6d16a |
| SHA256 | 70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118 |
| SHA512 | c7fae08c488f799a3dd970047eb0a758dc59ede1ff6f0af477793bd26371da6c4894e63d236ac5f985197a431d7a0bd9065a7255a9124cbde9b36891a29780ed |
memory/2404-12-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2108-22-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\atvofeak.dll
| MD5 | c8521a5fdd1c9387d536f599d850b195 |
| SHA1 | a543080665107b7e32bcc1ed19dbfbc1d2931356 |
| SHA256 | fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5 |
| SHA512 | 541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd |
C:\Windows\SysWOW64\ouctisuc.exe
| MD5 | 8ee0862017b773616a27e203a7ce7aab |
| SHA1 | 89e1cf2ab19df61d3100d4ff57fd51a35193ef40 |
| SHA256 | 4dd393843bfe2125c2944740f7a7f9482479d0aa0555ea855f628fbf20e07c15 |
| SHA512 | 87d832bd45e49dd49520421b1d26260c6ceab01a5d3e744ae1b562a92c212716f6910b2006672e4fd56cd2453e93b850e43b2a3ea10fd01520704d8fb9305e99 |
C:\Windows\SysWOW64\acberab.exe
| MD5 | 5fa6f51956ba8c82445147000f23f88b |
| SHA1 | f71953e2f2af384bfa9315d3b85f758dc89fa7ae |
| SHA256 | f62311322eaffb4eb4a1557e62e71632c28e489690c7fbbc8a43f4e9a377d3f6 |
| SHA512 | 09208a5e977d0cc26582ee0f8ecc91f8b90415ba3c402567af4869eb2e342a94f9bc3ac962ef45b93d52f09d7f87754041112ae2af1c770b23a335a94d98a03a |
memory/2548-43-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2548-50-0x0000000000320000-0x0000000000337000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 23:47
Reported
2024-11-13 23:49
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
96s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53504445-424a-5748-5350-4445424A5748}\StubPath = "C:\\Windows\\system32\\acberab.exe" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53504445-424a-5748-5350-4445424A5748} | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53504445-424a-5748-5350-4445424A5748}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53504445-424a-5748-5350-4445424A5748}\IsInstalled = "1" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ouctisuc.exe" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\atvofeak.dll" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ahuy.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ntdbg.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmoopeg.exe | C:\Users\Admin\AppData\Local\Temp\70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118.exe | N/A |
| File created | C:\Windows\SysWOW64\tmoopeg.exe | C:\Users\Admin\AppData\Local\Temp\70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118.exe | N/A |
| File created | C:\Windows\SysWOW64\acberab.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File created | C:\Windows\SysWOW64\atvofeak.dll | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winrnt.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rmass.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\acberab.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gymspzd.dll | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ouctisuc.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File created | C:\Windows\SysWOW64\ouctisuc.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aset32.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmoopeg.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\atvofeak.dll | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\idbg32.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RECOVER32.DLL | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\System\idbg32.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ntdbg.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\RECOVER32.DLL | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\gymspzd.dll | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\winrnt.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\rmass.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\aset32.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ahuy.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118.exe | "C:\Users\Admin\AppData\Local\Temp\70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118.exe" |
| C:\Windows\SysWOW64\tmoopeg.exe | "C:\Windows\system32\tmoopeg.exe" |
| C:\Windows\SysWOW64\tmoopeg.exe | --k33p |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | acwheerueua.mp | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | acwheerueua.mp | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3992-0-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\tmoopeg.exe
| MD5 | 76756359ecf86d0c02899ae95c8d0fd0 |
| SHA1 | d967a5e2abc611dd6790c5fbc5d7c2a11dc6d16a |
| SHA256 | 70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118 |
| SHA512 | c7fae08c488f799a3dd970047eb0a758dc59ede1ff6f0af477793bd26371da6c4894e63d236ac5f985197a431d7a0bd9065a7255a9124cbde9b36891a29780ed |
memory/3992-8-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2992-18-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\ouctisuc.exe
| MD5 | fcda8e6043ecbe79b584c6ed8834b035 |
| SHA1 | a6183f2c63f19f37942998d05806902f72297e7f |
| SHA256 | 79f8ebf5cf505ae6736b88078e292ea1d29a56dd7f9200f2e1b473cc48df1a06 |
| SHA512 | d97f11dfbdddac4b50a8e4ab5166d424d6e692a51258429793922d006f7892d4a9eb4ae0f87ba74ec8c90bc0a90a95014dee5c181531454f1dd40e5295822091 |
C:\Windows\SysWOW64\acberab.exe
| MD5 | efc8054b7ed8ad1217e5c94cd7f7bd7c |
| SHA1 | f4bb34be0eab42c752a972d5376be157298f4edd |
| SHA256 | b1b9e1e299da36d0123e83ca5a314aa01807a34f67525e443db9e78f31cf453f |
| SHA512 | f8132c0a0d6314152012e267ba75d4dc537192f803fe990c72e26bae539e102c4f447d05f2e545c0ed2dabb2fe39ab57647b2ad061e06b4dd8ab95f5bd11baa0 |
C:\Windows\SysWOW64\atvofeak.dll
| MD5 | c8521a5fdd1c9387d536f599d850b195 |
| SHA1 | a543080665107b7e32bcc1ed19dbfbc1d2931356 |
| SHA256 | fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5 |
| SHA512 | 541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd |
memory/588-43-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2992-48-0x0000000000400000-0x0000000000417000-memory.dmp
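Two detonations give a cheap check on which dropped-file hashes are worth deploying. The script below is an added example, not sandbox output: it parses the report's `Files` sections (a path line followed by `| ALG | hex |` rows; `memory/...dmp` entries carry no hashes and are skipped), matches files across runs by drive-less, lower-cased path (behavioral1 lists `tmoopeg.exe` without a drive letter), and classifies each one. `tmoopeg.exe` is a byte-identical copy of the submitted sample and `atvofeak.dll` hashes the same in both runs, while `ouctisuc.exe` and `acberab.exe` have different hashes on Win7 and Win10, so those two are regenerated per infection and their file name, location and the registry values that reference them are the durable indicators. The `RUN1`/`RUN2` strings are constructed excerpts of the two `Files` sections above, keeping only the SHA256 rows; the parser accepts MD5, SHA1 and SHA512 rows as well.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpts of the behavioral1 and behavioral2 "Files" sections above
# (only the SHA256 rows are kept; the parser accepts MD5/SHA1/SHA512 rows too).
RUN1 = r"""
memory/2404-0-0x0000000000400000-0x0000000000417000-memory.dmp
\Windows\SysWOW64\tmoopeg.exe
| SHA256 | 70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118 |
C:\Windows\SysWOW64\atvofeak.dll
| SHA256 | fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5 |
C:\Windows\SysWOW64\ouctisuc.exe
| SHA256 | 4dd393843bfe2125c2944740f7a7f9482479d0aa0555ea855f628fbf20e07c15 |
C:\Windows\SysWOW64\acberab.exe
| SHA256 | f62311322eaffb4eb4a1557e62e71632c28e489690c7fbbc8a43f4e9a377d3f6 |
"""
RUN2 = r"""
memory/3992-0-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\SysWOW64\tmoopeg.exe
| SHA256 | 70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118 |
C:\Windows\SysWOW64\ouctisuc.exe
| SHA256 | 79f8ebf5cf505ae6736b88078e292ea1d29a56dd7f9200f2e1b473cc48df1a06 |
C:\Windows\SysWOW64\acberab.exe
| SHA256 | b1b9e1e299da36d0123e83ca5a314aa01807a34f67525e443db9e78f31cf453f |
C:\Windows\SysWOW64\atvofeak.dll
| SHA256 | fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5 |
"""
SUBMITTED_SHA256 = "70cd105d172febaf95255ca8ef54381bd720a167fc33b218d123643dd5e70118"

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def normalise_path(p: str) -> str:
    """Drop the drive letter and case so 'C:\\X' and '\\X' compare equal."""
    p = p.strip()
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p.lower()


def parse_files(section: str) -> Dict[str, Dict[str, str]]:
    """Map normalised path -> {ALG: hexdigest} for one run's Files section."""
    files: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in section.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                files[current][m.group(1).upper()] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None              # memory dumps carry no hashes in the report
        elif not line.startswith("|"):
            current = normalise_path(line)
            files.setdefault(current, {})
    return files


def triage_hashes(runs: List[Dict[str, Dict[str, str]]], submitted: str,
                  alg: str = "SHA256") -> Dict[str, Tuple[str, List[str]]]:
    """Classify each dropped file by how its hash behaves across detonations."""
    verdicts: Dict[str, Tuple[str, List[str]]] = {}
    for path in sorted(set().union(*(r.keys() for r in runs))):
        seen = [r[path][alg] for r in runs if path in r and alg in r[path]]
        if len(seen) < len(runs):
            verdict = "missing from some runs"
        elif len(set(seen)) > 1:
            verdict = "varies per run"          # rebuilt on each infection: hash is a weak IOC
        elif seen[0] == submitted.lower():
            verdict = "self-copy of submitted sample"
        else:
            verdict = "stable across runs"
        verdicts[path] = (verdict, sorted(set(seen)))
    return verdicts


def deployable_hashes(verdicts: Dict[str, Tuple[str, List[str]]]) -> Set[str]:
    """Hashes worth pushing to blocklists: only those that did not change between runs."""
    keep = {"stable across runs", "self-copy of submitted sample"}
    return {h for verdict, hashes in verdicts.values() if verdict in keep for h in hashes}


if __name__ == "__main__":
    verdicts = triage_hashes([parse_files(RUN1), parse_files(RUN2)], SUBMITTED_SHA256)
    for path, (verdict, hashes) in verdicts.items():
        print(f"{path:36} {verdict:30} {', '.join(h[:16] + '...' for h in hashes)}")
    print("deploy:", sorted(deployable_hashes(verdicts)))
```

Hashes that differ between two runs of the same sample on two OS builds should not be treated as family-level indicators; the stable pair (the self-copy and `atvofeak.dll`) can be, and the registry keys from the signature tables cover the rest.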