Analysis Overview
SHA256
275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b
Threat Level: Known bad
The file 275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Boot or Logon Autostart Execution: Active Setup
Event Triggered Execution: Image File Execution Options Injection
Windows security modification
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Indicator Removal: Clear Persistence
Drops file in System32 directory
UPX packed file
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:35
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:35
Reported
2024-11-13 20:38
Platform
win7-20241010-en
Max time kernel
149s
Max time network
126s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\StubPath = "C:\\Windows\\system32\\arloatud-udoab.exe" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45} | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\IsInstalled = "1" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\apniheav.exe" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\udkesos-xum.dll" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\aset32.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ntdbg.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rmass.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ahuy.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RECOVER32.DLL | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File created | C:\Windows\SysWOW64\udkesos-xum.dll | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eammoabab.exe | C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe | N/A |
| File created | C:\Windows\SysWOW64\arloatud-udoab.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\udkesos-xum.dll | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\arloatud-udoab.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winrnt.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\idbg32.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gymspzd.dll | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eammoabab.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File created | C:\Windows\SysWOW64\eammoabab.exe | C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\apniheav.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File created | C:\Windows\SysWOW64\apniheav.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Common Files\System\rmass.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\aset32.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ahuy.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\idbg32.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ntdbg.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\RECOVER32.DLL | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\gymspzd.dll | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\winrnt.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe | "C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe" |
| C:\Windows\SysWOW64\eammoabab.exe | "C:\Windows\system32\eammoabab.exe" |
| C:\Windows\SysWOW64\eammoabab.exe | --k33p |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | yvgxmom.mp | udp |
| US | 8.8.8.8:53 | yvgxmom.mp | udp |
Files
memory/1064-0-0x0000000000400000-0x0000000000418000-memory.dmp
\Windows\SysWOW64\eammoabab.exe
| Hash | Value |
| --- | --- |
| MD5 | 263bdd6fbaa7dd34d5ee56b97e2a3cb5 |
| SHA1 | 0e1d446308189ddf8cd9d0719415721b69aa7b67 |
| SHA256 | 275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b |
| SHA512 | b860bab9c045bac958fb92f51d564379235f0fbe398fc164b736406466f3483cf493e220380361da6345e537c5554add7b5dc950ed95edfe572dcd1117b3c3ce |
memory/1064-10-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\udkesos-xum.dll
| Hash | Value |
| --- | --- |
| MD5 | c8521a5fdd1c9387d536f599d850b195 |
| SHA1 | a543080665107b7e32bcc1ed19dbfbc1d2931356 |
| SHA256 | fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5 |
| SHA512 | 541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd |
C:\Windows\SysWOW64\apniheav.exe
| Hash | Value |
| --- | --- |
| MD5 | dd0a988c954b0959603c62fd5b18d903 |
| SHA1 | 3e23addc824862312cbc5e60c50492ceca94bc8d |
| SHA256 | 0695d7bc594772ef3939a64e4eb4840569e6b0c0fd460741e5727746f1878ee9 |
| SHA512 | 89c5e8a21bf2caec987a933424bbeaba1ea427d36202bb4341bd2b594294f1c44c1c7e1caf03d94c040cf9e203b2a26e085f43a4e59d434adb0ce78ea0fd58f5 |
C:\Windows\SysWOW64\arloatud-udoab.exe
| Hash | Value |
| --- | --- |
| MD5 | 12e499ed1c2256b6e5afcee57c7c099d |
| SHA1 | 327e2a58a13f63c3859c1434b873680e5b86cd5c |
| SHA256 | 4b5f7f8a5817249c25aee24e23833aa15e06a900d56224e9059e4c64ccf1c3f8 |
| SHA512 | 1607457bc46414538824bed9721c14d0255cccdb92167fd6334f6f3a41b99c1806558b29cd0d5f8b5e35a6c7247b6626d66627cf9a267b39f3bb4fb8bc7d478b |
memory/2444-47-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2796-54-0x0000000000400000-0x0000000000418000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 20:35
Reported
2024-11-13 20:38
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5951524C-4b59-4f4e-5951-524C4B594f4e}\StubPath = "C:\\Windows\\system32\\arloatud-udoab.exe" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5951524C-4b59-4f4e-5951-524C4B594f4e} | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5951524C-4b59-4f4e-5951-524C4B594f4e}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5951524C-4b59-4f4e-5951-524C4B594f4e}\IsInstalled = "1" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\apniheav.exe" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\udkesos-xum.dll" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\udkesos-xum.dll | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File created | C:\Windows\SysWOW64\udkesos-xum.dll | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rmass.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ahuy.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gymspzd.dll | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File created | C:\Windows\SysWOW64\apniheav.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File created | C:\Windows\SysWOW64\eammoabab.exe | C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\arloatud-udoab.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winrnt.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aset32.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\idbg32.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eammoabab.exe | C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eammoabab.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File created | C:\Windows\SysWOW64\arloatud-udoab.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ntdbg.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RECOVER32.DLL | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\apniheav.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Common Files\System\aset32.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ahuy.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\idbg32.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ntdbg.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\RECOVER32.DLL | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\gymspzd.dll | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\winrnt.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\rmass.exe | C:\Windows\SysWOW64\eammoabab.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\eammoabab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\eammoabab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe | "C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe" |
| C:\Windows\SysWOW64\eammoabab.exe | "C:\Windows\system32\eammoabab.exe" |
| C:\Windows\SysWOW64\eammoabab.exe | --k33p |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | goricobsssemo.mp | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | goricobsssemo.mp | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/3600-0-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\eammoabab.exe
| Hash | Value |
| --- | --- |
| MD5 | 263bdd6fbaa7dd34d5ee56b97e2a3cb5 |
| SHA1 | 0e1d446308189ddf8cd9d0719415721b69aa7b67 |
| SHA256 | 275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b |
| SHA512 | b860bab9c045bac958fb92f51d564379235f0fbe398fc164b736406466f3483cf493e220380361da6345e537c5554add7b5dc950ed95edfe572dcd1117b3c3ce |
memory/3600-6-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2796-17-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\arloatud-udoab.exe
| Hash | Value |
| --- | --- |
| MD5 | fb3cbc2175ffca23f22f180e4e802924 |
| SHA1 | e73c929a2aca73267287b2949084deebdbc15e67 |
| SHA256 | c876cad69aa62d8103792b6cb0a23fd065b57268903c391c13de5bbb9e74dd07 |
| SHA512 | e67fdada6bbdd589d334f7d84ca316c7434d844a5f3b132b433191258392bd58794a53ceffa3db66eb371830808f593d2a60d5170c7a1bc89acdbee08fcb804d |
C:\Windows\SysWOW64\apniheav.exe
| Hash | Value |
| --- | --- |
| MD5 | e9c15295a50169e715261b9ba063a2a3 |
| SHA1 | dfd45ac161702a22ef5bbb7564360619d79c95ac |
| SHA256 | f3268c62540e769646a3e05fadaaae9f549b8e1f0250d6d62fbacec3503261e8 |
| SHA512 | ffa7b8bf1904d1972a8d3c9bd101ef1985f6f19c0e91187b46e7b6a5f51d5bb6744ea71800f136dc59050241ef37c41a6c4f1669cd8804a9ee20649c0f62d865 |
C:\Windows\SysWOW64\udkesos-xum.dll
| Hash | Value |
| --- | --- |
| MD5 | c8521a5fdd1c9387d536f599d850b195 |
| SHA1 | a543080665107b7e32bcc1ed19dbfbc1d2931356 |
| SHA256 | fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5 |
| SHA512 | 541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd |
memory/760-42-0x0000000000400000-0x0000000000418000-memory.dmp