Analysis
- max time kernel: 119s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en (this page is the behavioral2 run; see the task list below)
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/11/2024, 05:15
Static task: static1

Behavioral task: behavioral1
- Sample: 646f0410180fb0bb7ff882e0ec3d33dbc529c41e49282db85bd20b7676aa8000N.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 646f0410180fb0bb7ff882e0ec3d33dbc529c41e49282db85bd20b7676aa8000N.exe
- Resource: win10v2004-20241007-en
General
- Target: 646f0410180fb0bb7ff882e0ec3d33dbc529c41e49282db85bd20b7676aa8000N.exe
- Size: 88KB
- MD5: 61616fda06b8daf259c0a121d1789d70
- SHA1: a624a79c505c9d4cd3ee6a9b2eac31e76b5b2240
- SHA256: 646f0410180fb0bb7ff882e0ec3d33dbc529c41e49282db85bd20b7676aa8000
- SHA512: e2c0a636097650ba6f208f3f25fec2add4c283ef35568a10066eb632e5fe2ec8894da99e17a1be562884705cc9f1813f9354bea843b752499253742231d17b0f
- SSDEEP: 768:sIUdWE7LeTqm+63K5a+gN2blw01sZoy4/naT8cIRMtZtUFjHLJgWiEEDZWGxLXle:sJ7LEq6OHg7ro/CQPipwgWiEwgql9Kj
Malware Config
Signatures
Windows security bypass 4 IoCs
Security Center notification switches written by the dropped executable (all four set to the same non-zero value):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" (ektiveax-easat.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" (ektiveax-easat.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" (ektiveax-easat.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" (ektiveax-easat.exe)
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5951524C-4b59-4f4e-5951-524C4B594f4e} (ektiveax-easat.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5951524C-4b59-4f4e-5951-524C4B594f4e}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" (ektiveax-easat.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5951524C-4b59-4f4e-5951-524C4B594f4e}\IsInstalled = "1" (ektiveax-easat.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5951524C-4b59-4f4e-5951-524C4B594f4e}\StubPath = "C:\\Windows\\system32\\ucmeavoh.exe" (ektiveax-easat.exe)
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (ektiveax-easat.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" (ektiveax-easat.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\imdoavex-umid.exe" (ektiveax-easat.exe)
Executes dropped EXE 2 IoCs
- PID 1972 ektiveax-easat.exe
- PID 2572 ektiveax-easat.exe
Windows security modification 4 IoCs
The same four Security Center values as under "Windows security bypass", reported a second time under the modification signature:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" (ektiveax-easat.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" (ektiveax-easat.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" (ektiveax-easat.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" (ektiveax-easat.exe)
Indicator Removal: Clear Persistence 1 IoCs
The value deleted here is the IFEO Debugger entry the same process set moments earlier (see "Image File Execution Options Injection" above), so its absence on a host does not by itself rule this sample out:
- Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger (ektiveax-easat.exe)
Modifies WinLogon 2 TTPs 5 IoCs
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (ektiveax-easat.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} (ektiveax-easat.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" (ektiveax-easat.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ocnuces-obur.dll" (ektiveax-easat.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" (ektiveax-easat.exe)
Drops file in System32 directory 17 IoCs
Files created:
- C:\Windows\SysWOW64\ektiveax-easat.exe (646f0410180fb0bb7ff882e0ec3d33dbc529c41e49282db85bd20b7676aa8000N.exe)
- C:\Windows\SysWOW64\imdoavex-umid.exe (ektiveax-easat.exe)
- C:\Windows\SysWOW64\ocnuces-obur.dll (ektiveax-easat.exe)
- C:\Windows\SysWOW64\ucmeavoh.exe (ektiveax-easat.exe)

Files opened for modification:
- C:\Windows\SysWOW64\ektiveax-easat.exe (646f0410180fb0bb7ff882e0ec3d33dbc529c41e49282db85bd20b7676aa8000N.exe, and again by ektiveax-easat.exe)
- C:\Windows\SysWOW64\imdoavex-umid.exe (ektiveax-easat.exe)
- C:\Windows\SysWOW64\ocnuces-obur.dll (ektiveax-easat.exe)
- C:\Windows\SysWOW64\ucmeavoh.exe (ektiveax-easat.exe)
- C:\Windows\SysWOW64\RECOVER32.DLL (ektiveax-easat.exe)
- C:\Windows\SysWOW64\gymspzd.dll (ektiveax-easat.exe)
- C:\Windows\SysWOW64\winrnt.exe (ektiveax-easat.exe)
- C:\Windows\SysWOW64\rmass.exe (ektiveax-easat.exe)
- C:\Windows\SysWOW64\idbg32.exe (ektiveax-easat.exe)
- C:\Windows\SysWOW64\ntdbg.exe (ektiveax-easat.exe)
- C:\Windows\SysWOW64\aset32.exe (ektiveax-easat.exe)
- C:\Windows\SysWOW64\ahuy.exe (ektiveax-easat.exe)

Note that the registry values above point at C:\Windows\system32\ while the files land in C:\Windows\SysWOW64\: the sample is a 32-bit process, so WOW64 file-system redirection rewrites its system32 writes to SysWOW64, just as its HKLM\SOFTWARE writes are redirected to WOW6432Node.
UPX packed file 4 IoCs
Matches of the yara rule "upx" on the dropped file and on the mapped image of both dropped-EXE processes:
- behavioral2/files/0x000a000000023c01-2.dat (upx)
- behavioral2/memory/1972-4-0x0000000000400000-0x0000000000418000-memory.dmp (upx)
- behavioral2/memory/1972-39-0x0000000000400000-0x0000000000418000-memory.dmp (upx)
- behavioral2/memory/2572-44-0x0000000000400000-0x0000000000418000-memory.dmp (upx)
Drops file in Program Files directory 8 IoCs
Files opened for modification (all by ektiveax-easat.exe):
- C:\Program Files (x86)\Common Files\System\RECOVER32.DLL
- C:\Program Files (x86)\Common Files\System\gymspzd.dll
- C:\Program Files (x86)\Common Files\System\winrnt.exe
- C:\Program Files (x86)\Common Files\System\rmass.exe
- C:\Program Files (x86)\Common Files\System\aset32.exe
- C:\Program Files (x86)\Common Files\System\ahuy.exe
- C:\Program Files (x86)\Common Files\System\idbg32.exe
- C:\Program Files (x86)\Common Files\System\ntdbg.exe
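The registry and file indicators from the Windows security bypass, Active Setup, Image File Execution Options, WinLogon and file-drop sections above, turned into a single host hunt. This is an added example written for this page; it is not code produced by the sandbox or by the sample's authors. The GUIDs, file names, value names and the value 24064 are copied from the report; the function name, the output shape and the assumption of an elevated PowerShell 5.1 or 7 session on the suspect host are this example's own.

```powershell
# Added example (not part of the sandbox report): hunt a live Windows host for the
# artifacts this report attributes to ektiveax-easat.exe. Run elevated on the suspect host.
# Hard-coded names are copied from the report; Invoke-ReportIocHunt and the
# Kind/Where/Detail output columns are this example's own choices.

function Invoke-ReportIocHunt {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
    }

    # The sample is 32-bit: its HKLM\SOFTWARE writes were redirected to WOW6432Node and its
    # "system32" file writes to SysWOW64. IFEO is a shared key, so it shows in both views.
    # Check both registry views so the hunt works whichever process wrote the entries.
    $views = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')

    # 1. Active Setup: the report's component GUID, or any StubPath naming the dropped stub.
    foreach ($v in $views) {
        $root = "$v\Microsoft\Active Setup\Installed Components"
        if (-not (Test-Path $root)) { continue }
        foreach ($k in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
            if ($k.PSChildName -ieq '{5951524C-4b59-4f4e-5951-524C4B594f4e}' -or
                ($p.StubPath -and $p.StubPath -imatch 'ucmeavoh\.exe')) {
                Add-Finding 'ActiveSetup' $k.PSPath "StubPath=$($p.StubPath) IsInstalled=$($p.IsInstalled)"
            }
        }
    }

    # 2. IFEO: a Debugger value on explorer.exe runs the named binary whenever Explorer starts.
    #    The sample deleted this value again during the run (Indicator Removal), so an empty
    #    key here is not a clean bill of health; the debugger binary is checked in step 5.
    foreach ($v in $views) {
        $ifeo = "$v\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe"
        if (Test-Path $ifeo) {
            $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
            if ($dbg) { Add-Finding 'IFEO' $ifeo "Debugger=$dbg" }
        }
    }

    # 3. Winlogon\Notify: any subkey carrying a DLLName is worth a look. Windows Vista and later
    #    no longer load these notification packages, but the key is still a clear sign the
    #    sample ran; the report's entry points at ocnuces-obur.dll.
    foreach ($v in $views) {
        $notify = "$v\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
        if (-not (Test-Path $notify)) { continue }
        foreach ($k in Get-ChildItem -Path $notify -ErrorAction SilentlyContinue) {
            $dll = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).DLLName
            if ($dll) { Add-Finding 'WinlogonNotify' $k.PSPath "DLLName=$dll" }
        }
    }

    # 4. Security Center notification switches; the report shows all four set to 24064.
    foreach ($v in $views) {
        $sc = "$v\Microsoft\Security Center"
        if (-not (Test-Path $sc)) { continue }
        $p = Get-ItemProperty -Path $sc -ErrorAction SilentlyContinue
        foreach ($name in 'AntiVirusDisableNotify', 'AntiVirusOverride', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
            if ($null -ne $p.$name -and $p.$name -ne 0) {
                Add-Finding 'SecurityCenter' "$sc\$name" "value=$($p.$name)"
            }
        }
    }

    # 5. Dropped or touched files from the two "Drops file" sections, hashed for later correlation.
    $names = 'ektiveax-easat.exe', 'ucmeavoh.exe', 'imdoavex-umid.exe', 'ocnuces-obur.dll',
             'RECOVER32.DLL', 'gymspzd.dll', 'winrnt.exe', 'rmass.exe',
             'idbg32.exe', 'ntdbg.exe', 'aset32.exe', 'ahuy.exe'
    $dirs = @("$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32",
              "${env:ProgramFiles(x86)}\Common Files\System")
    foreach ($d in $dirs) {
        foreach ($n in $names) {
            $f = Join-Path $d $n
            if (Test-Path -LiteralPath $f) {
                $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                Add-Finding 'File' $f "sha256=$h"
            }
        }
    }
    return $findings
}

Invoke-ReportIocHunt | Format-Table -AutoSize
```

An empty table means none of the report's indicators were found in the locations checked, nothing more: the hunt is keyed to this run's names, and a variant that picks different file names or a different Active Setup GUID would only trip the generic checks (any Winlogon\Notify DLLName, any explorer.exe Debugger, any non-zero Security Center switch). Matches under step 5 in System32 rather than SysWOW64 would indicate a 64-bit build or a non-redirected write, which this report did not observe.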
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (646f0410180fb0bb7ff882e0ec3d33dbc529c41e49282db85bd20b7676aa8000N.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ektiveax-easat.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
The 64 listed entries collapse to two processes:
- PID 1972 ektiveax-easat.exe (62 entries)
- PID 2572 ektiveax-easat.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
- Token: SeDebugPrivilege, PID 1972 ektiveax-easat.exe
Suspicious use of WriteProcessMemory 64 IoCs
The 64 listed entries (columns: description, pid, Process, procid_target) collapse to four source/target pairs; target names are taken from the Processes tree below:
- PID 1256 (646f0410180fb0bb7ff882e0ec3d33dbc529c41e49282db85bd20b7676aa8000N.exe) wrote to memory of 1972 (ektiveax-easat.exe), procid_target 82, 3 entries
- PID 1972 (ektiveax-easat.exe) wrote to memory of 608 (winlogon.exe), procid_target 5, 1 entry
- PID 1972 (ektiveax-easat.exe) wrote to memory of 2572 (ektiveax-easat.exe --k33p), procid_target 83, 3 entries
- PID 1972 (ektiveax-easat.exe) wrote to memory of 3392 (Explorer.EXE), procid_target 56, all remaining entries
Processes
- C:\Windows\system32\winlogon.exe (command line: winlogon.exe), PID 608
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 3392
  - C:\Users\Admin\AppData\Local\Temp\646f0410180fb0bb7ff882e0ec3d33dbc529c41e49282db85bd20b7676aa8000N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\646f0410180fb0bb7ff882e0ec3d33dbc529c41e49282db85bd20b7676aa8000N.exe"), PID 1256
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ektiveax-easat.exe (command line: "C:\Windows\SysWOW64\ektiveax-easat.exe"), PID 1972
      - Windows security bypass
      - Boot or Logon Autostart Execution: Active Setup
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Windows security modification
      - Indicator Removal: Clear Persistence
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ektiveax-easat.exe (command line: --k33p), PID 2572
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2): Active Setup (1), Winlogon Helper DLL (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2): Active Setup (1), Winlogon Helper DLL (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
Downloads
- Filesize: 86KB
  MD5: 3a9d9a42d837c07e9316533bccd969ea
  SHA1: 14d43d38fcfb7a78fef0552df9c0be9ce1370a88
  SHA256: 975479862cd774f2ce3d344fd3280e4af96c7915e9524785d9e9197c62866a06
  SHA512: 35bc75f06c8b5d8ec905fbf713c4348dca73f7aaee2db4936d0b22ca58591d42fdf8d970b0eb9d5f04a6303516772e535486fcc6141c40057a18f1f7817eccb6
- Filesize: 89KB
  MD5: 0d541838a3bca5764dc0a15da0919f09
  SHA1: 413038ebe62adcfb0ca9742119ee2b93d483741f
  SHA256: 8ee871a3e3774ec9119d752ba7f43a2c34a4d194cc1c587a0cb808d3c41edac6
  SHA512: 77b9d777d8a96ea834bccff0eab844a1aa4d54b53d5efdfb9f9e051197781e6caff09579bd35c9febe1b069215f30e787bb13c6cdff3e0f8f1e5e993aa8df34d
- Filesize: 5KB
  MD5: c8521a5fdd1c9387d536f599d850b195
  SHA1: a543080665107b7e32bcc1ed19dbfbc1d2931356
  SHA256: fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5
  SHA512: 541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd
- Filesize: 88KB
  MD5: ef6ed4b9ecc392c05f1c4dadf7c452ae
  SHA1: e0d2518913e5a5467a65c0d01aca86563ce77731
  SHA256: ac002f947b5e42a4ac477f2d53929b609e8854f0d993396bb8eda108b563cac4
  SHA512: 07c204d23e7e5d250b24bac7f9fad7621b0957c137c891351060316c5bd13d410805cca5053acba319334052ed916d9de0cc10631b4310e64708249d1ef0660a