Analysis
- max time kernel: 149s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-11-2024 11:27
Static task: static1
Behavioral task: behavioral1
- Sample: f047245ab51de5214c3261f783d35cbf8f0433b2ceffa565aba3d71b25be579a.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: f047245ab51de5214c3261f783d35cbf8f0433b2ceffa565aba3d71b25be579a.exe
- Resource: win10v2004-20241007-en
General
- Target: f047245ab51de5214c3261f783d35cbf8f0433b2ceffa565aba3d71b25be579a.exe
- Size: 68KB
- MD5: 7691aa28003988f89e254ed84d0d89a7
- SHA1: 4db0424907adeab1f71ca061a53fe52feddcd1bf
- SHA256: f047245ab51de5214c3261f783d35cbf8f0433b2ceffa565aba3d71b25be579a
- SHA512: c588fd8d211c1fa011bf515af4b849e2a9419bb6a243f2aaef116dd3311269a9d64391a274df6589118a94a2922360e9a0c56d734f85870ca2ac51fcf48b8153
- SSDEEP: 1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8MI:Olg35GTslA5t3/w8MI
Malware Config

Signatures

Windows security bypass 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | rmaxon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | rmaxon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | rmaxon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | rmaxon.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A534D55-524e-5054-4A53-4D55524E5054} | rmaxon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A534D55-524e-5054-4A53-4D55524E5054}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | rmaxon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A534D55-524e-5054-4A53-4D55524E5054}\IsInstalled = "1" | rmaxon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A534D55-524e-5054-4A53-4D55524E5054}\StubPath = "C:\\Windows\\system32\\udgerub.exe" | rmaxon.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | rmaxon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | rmaxon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\erxofuf.exe" | rmaxon.exe
Executes dropped EXE 2 IoCs
pid | Process
2300 | rmaxon.exe
1908 | rmaxon.exe
Loads dropped DLL 3 IoCs
pid | Process
2516 | f047245ab51de5214c3261f783d35cbf8f0433b2ceffa565aba3d71b25be579a.exe
2516 | f047245ab51de5214c3261f783d35cbf8f0433b2ceffa565aba3d71b25be579a.exe
2300 | rmaxon.exe
Windows security modification 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | rmaxon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | rmaxon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | rmaxon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | rmaxon.exe
Indicator Removal: Clear Persistence 1 IoCs
description | ioc | Process
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | rmaxon.exe
Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | rmaxon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | rmaxon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | rmaxon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | rmaxon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\axcisux-odor.dll" | rmaxon.exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\rmaxon.exe | f047245ab51de5214c3261f783d35cbf8f0433b2ceffa565aba3d71b25be579a.exe
File opened for modification | C:\Windows\SysWOW64\erxofuf.exe | rmaxon.exe
File opened for modification | C:\Windows\SysWOW64\udgerub.exe | rmaxon.exe
File opened for modification | C:\Windows\SysWOW64\axcisux-odor.dll | rmaxon.exe
File created | C:\Windows\SysWOW64\axcisux-odor.dll | rmaxon.exe
File opened for modification | C:\Windows\SysWOW64\rmaxon.exe | f047245ab51de5214c3261f783d35cbf8f0433b2ceffa565aba3d71b25be579a.exe
File created | C:\Windows\SysWOW64\udgerub.exe | rmaxon.exe
File opened for modification | C:\Windows\SysWOW64\rmaxon.exe | rmaxon.exe
File created | C:\Windows\SysWOW64\erxofuf.exe | rmaxon.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f047245ab51de5214c3261f783d35cbf8f0433b2ceffa565aba3d71b25be579a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rmaxon.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2300 | rmaxon.exe (all entries except one)
1908 | rmaxon.exe (1 entry)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2516 | f047245ab51de5214c3261f783d35cbf8f0433b2ceffa565aba3d71b25be579a.exe
Token: SeDebugPrivilege | 2300 | rmaxon.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2516 wrote to memory of 2300 | 2516 | f047245ab51de5214c3261f783d35cbf8f0433b2ceffa565aba3d71b25be579a.exe | 30 (4 entries)
PID 2300 wrote to memory of 432 | 2300 | rmaxon.exe | 5 (1 entry)
PID 2300 wrote to memory of 1216 | 2300 | rmaxon.exe | 21 (2 entries)
PID 2300 wrote to memory of 1908 | 2300 | rmaxon.exe | 31 (4 entries)
PID 2300 wrote to memory of 1216 | 2300 | rmaxon.exe | 21 (all remaining entries)
Processes
- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  PID: 432
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1216
  - C:\Users\Admin\AppData\Local\Temp\f047245ab51de5214c3261f783d35cbf8f0433b2ceffa565aba3d71b25be579a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f047245ab51de5214c3261f783d35cbf8f0433b2ceffa565aba3d71b25be579a.exe"
    PID: 2516
    Signatures:
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rmaxon.exe
      Command line: "C:\Windows\system32\rmaxon.exe"
      PID: 2300
      Signatures:
      - Windows security bypass
      - Boot or Logon Autostart Execution: Active Setup
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Indicator Removal: Clear Persistence
      - Modifies WinLogon
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rmaxon.exe
        Command line: --k33p
        PID: 1908
        Signatures:
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Downloads
- Filesize: 5KB
  MD5: f37b21c00fd81bd93c89ce741a88f183
  SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
  SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
  SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
- Filesize: 71KB
  MD5: 9d0843aac08724baccb1534403d1bc74
  SHA1: cbf943201a1ef2cbf052837631a53bbbc1bf39fe
  SHA256: 20d68fa76798b9d286977c08420375357e56841b69005131c9cca0728b4b56f5
  SHA512: 01933582a8f8c0f0df88ec41e3bf5c694ebe362d5034f93ed8f8f27eeead5205421fd9ae3de266e19df28a456b9ed2e2e534f8cff5658bbfd50f2e01af07b9a8
- Filesize: 68KB
  MD5: 7691aa28003988f89e254ed84d0d89a7
  SHA1: 4db0424907adeab1f71ca061a53fe52feddcd1bf
  SHA256: f047245ab51de5214c3261f783d35cbf8f0433b2ceffa565aba3d71b25be579a
  SHA512: c588fd8d211c1fa011bf515af4b849e2a9419bb6a243f2aaef116dd3311269a9d64391a274df6589118a94a2922360e9a0c56d734f85870ca2ac51fcf48b8153
- Filesize: 70KB
  MD5: 3e20ee5aa9b86b76bed5ed6f3adeec35
  SHA1: 6a205c38a50bcfa5e793a98460e6fa4a704c8ff2
  SHA256: 81981be0eafc80108b008430bd2e0a38ca0105995171ca0a883db20614c3952d
  SHA512: 97afa37ca481bd5985d6dd1598744cbff0d7b560b82ab0da73f6d7a021a4a1d063c5291df3e2b0d26b4e076ca26e784ec11d2c889c6b26160ff84bec6d016a67