Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 03-07-2024 10:37
Static task: static1
Behavioral task: behavioral1
  Sample: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
  Resource: win10v2004-20240508-en
General
Target: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
Size: 2.4MB
MD5: 97f4bfce48908daf8548c94680cdd926
SHA1: b6921fa66184350511ffeac6f7a14308bf830928
SHA256: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1
SHA512: 39ef56903b60a4a67b8863bb2ffdeed934ebe97e8223e16d7135017e20e07575e3a81076104bf37917b0ef6202a69335e66b0c137de83818fbdfb177d52b82e9
SSDEEP: 49152:HQqiSbst0sL7R38+1uKnzzaKu4QHNHxU/lAZ1PXiEQMy2vm9ytkB4nX:xstZLNe5Hwl0kDB4n
Malware Config
Signatures
-
Processes: EYNTOZEU.exe, EYNTOZEU.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | EYNTOZEU.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | EYNTOZEU.exe
Possible privilege escalation attempt 3 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe
pid | process
2624 | takeown.exe
2628 | icacls.exe
2492 | takeown.exe
Executes dropped EXE 4 IoCs
Processes: EYNTOZEU.exe, EYNTOZEU.exe, Es4.Deploy.exe
pid | process
2552 | EYNTOZEU.exe
2680 | EYNTOZEU.exe
2564 | Es4.Deploy.exe
1180 |
Loads dropped DLL 4 IoCs
Processes: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe, EYNTOZEU.exe
pid | process
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
2552 | EYNTOZEU.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
Modifies file permissions 1 TTPs 3 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe
pid | process
2624 | takeown.exe
2628 | icacls.exe
2492 | takeown.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\!! = "AXAYJAUV.exe VXYFCKXQC EYNTOZEU.exe" | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
Drops desktop.ini file(s) 1 IoCs
Processes: EYNTOZEU.exe
description | ioc | process
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | EYNTOZEU.exe
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
\Windows\System32\EYNTOZEU.exe | autoit_exe
\Windows\System32\Es4.Deploy.exe | autoit_exe
Drops file in System32 directory 6 IoCs
Processes: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
description | ioc | process
File created | C:\Windows\system32\Es4.Deploy.exe | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File opened for modification | C:\Windows\system32\Es4.Deploy.exe | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File created | C:\Windows\system32\EYNTOZEU.exe | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File opened for modification | C:\Windows\system32\EYNTOZEU.exe | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File created | C:\Windows\system32\AXAYJAUV.exe | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File opened for modification | C:\Windows\system32\AXAYJAUV.exe | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
Drops file in Windows directory 2 IoCs
Processes: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
description | ioc | process
File created | C:\Windows\ES4\Es4Set.step1\Es4Set.es4 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File created | C:\Windows\ES4\Es4Set.step2\Es4Set.es4 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 1 IoCs
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\USER\a | reg.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: EYNTOZEU.exe, EYNTOZEU.exe
pid | process
2552 | EYNTOZEU.exe
2552 | EYNTOZEU.exe
2552 | EYNTOZEU.exe
2552 | EYNTOZEU.exe
2552 | EYNTOZEU.exe
2552 | EYNTOZEU.exe
2552 | EYNTOZEU.exe
2680 | EYNTOZEU.exe
2680 | EYNTOZEU.exe
2680 | EYNTOZEU.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: reg.exe, reg.exe, takeown.exe
description | pid | process
Token: SeRestorePrivilege | 2596 | reg.exe
Token: SeRestorePrivilege | 2452 | reg.exe
Token: SeTakeOwnershipPrivilege | 2492 | takeown.exe
Suspicious use of FindShellTrayWindow 12 IoCs
Processes: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
pid | process
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
Suspicious use of SendNotifyMessage 12 IoCs
Processes: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
pid | process
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
Suspicious use of WriteProcessMemory 30 IoCs
Processes: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe, EYNTOZEU.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 1668 wrote to memory of 2552 | 1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe | EYNTOZEU.exe
PID 1668 wrote to memory of 2552 | 1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe | EYNTOZEU.exe
PID 1668 wrote to memory of 2552 | 1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe | EYNTOZEU.exe
PID 2552 wrote to memory of 2596 | 2552 | EYNTOZEU.exe | reg.exe
PID 2552 wrote to memory of 2596 | 2552 | EYNTOZEU.exe | reg.exe
PID 2552 wrote to memory of 2596 | 2552 | EYNTOZEU.exe | reg.exe
PID 2552 wrote to memory of 2452 | 2552 | EYNTOZEU.exe | reg.exe
PID 2552 wrote to memory of 2452 | 2552 | EYNTOZEU.exe | reg.exe
PID 2552 wrote to memory of 2452 | 2552 | EYNTOZEU.exe | reg.exe
PID 2552 wrote to memory of 2560 | 2552 | EYNTOZEU.exe | cmd.exe
PID 2552 wrote to memory of 2560 | 2552 | EYNTOZEU.exe | cmd.exe
PID 2552 wrote to memory of 2560 | 2552 | EYNTOZEU.exe | cmd.exe
PID 2560 wrote to memory of 2624 | 2560 | cmd.exe | takeown.exe
PID 2560 wrote to memory of 2624 | 2560 | cmd.exe | takeown.exe
PID 2560 wrote to memory of 2624 | 2560 | cmd.exe | takeown.exe
PID 2560 wrote to memory of 2628 | 2560 | cmd.exe | icacls.exe
PID 2560 wrote to memory of 2628 | 2560 | cmd.exe | icacls.exe
PID 2560 wrote to memory of 2628 | 2560 | cmd.exe | icacls.exe
PID 2552 wrote to memory of 2468 | 2552 | EYNTOZEU.exe | cmd.exe
PID 2552 wrote to memory of 2468 | 2552 | EYNTOZEU.exe | cmd.exe
PID 2552 wrote to memory of 2468 | 2552 | EYNTOZEU.exe | cmd.exe
PID 2468 wrote to memory of 2492 | 2468 | cmd.exe | takeown.exe
PID 2468 wrote to memory of 2492 | 2468 | cmd.exe | takeown.exe
PID 2468 wrote to memory of 2492 | 2468 | cmd.exe | takeown.exe
PID 2552 wrote to memory of 2680 | 2552 | EYNTOZEU.exe | EYNTOZEU.exe
PID 2552 wrote to memory of 2680 | 2552 | EYNTOZEU.exe | EYNTOZEU.exe
PID 2552 wrote to memory of 2680 | 2552 | EYNTOZEU.exe | EYNTOZEU.exe
PID 1668 wrote to memory of 2564 | 1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe | Es4.Deploy.exe
PID 1668 wrote to memory of 2564 | 1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe | Es4.Deploy.exe
PID 1668 wrote to memory of 2564 | 1668 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe | Es4.Deploy.exe
System policy modification 1 TTPs 6 IoCs
Processes: EYNTOZEU.exe, EYNTOZEU.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | EYNTOZEU.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | EYNTOZEU.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | EYNTOZEU.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | EYNTOZEU.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | EYNTOZEU.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | EYNTOZEU.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\EYNTOZEU.exe
      command line: C:\Windows\system32\EYNTOZEU.exe
      - UAC bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification

        C:\Windows\system32\reg.exe
          command line: C:\Windows\system32\reg.exe load HKEY_USERS\a C:\Users\Administrator\NTUSER.DAT
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\reg.exe
          command line: C:\Windows\system32\reg.exe unload HKEY_USERS\a
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\takeown.exe
              command line: takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
              - Possible privilege escalation attempt
              - Modifies file permissions

            C:\Windows\system32\icacls.exe
              command line: icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
              - Possible privilege escalation attempt
              - Modifies file permissions

        C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\takeown.exe
              command line: takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
              - Possible privilege escalation attempt
              - Modifies file permissions
              - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\EYNTOZEU.exe
          command line: EYNTOZEU.exe 2552 1668 0
          - UAC bypass
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - System policy modification

    C:\Windows\system32\Es4.Deploy.exe
      command line: C:\Windows\system32\Es4.Deploy.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\2680eyntoze
  Filesize: 26KB
  MD5: 0c27221488e69caa0a441b30e5d6d46c
  SHA1: 82fceca6dbc8932d4bead6ce872965fac35d0c99
  SHA256: bae73fb2e8de92ae84565a2e98530a0584ade7bc69603f14906375a68f9fed3d
  SHA512: 9ad868e0897475082c63e5fcca91594c4568f15e442907b21bcd844dc8022986995f895b97aa649e2a523d08a4c37a324447b48475c7bf816a1dce734988eaed

\Windows\System32\EYNTOZEU.exe
  Filesize: 964KB
  MD5: 7359ea3476e9f5d7f5e6845007531b4b
  SHA1: ec48e75b6a03979a1af7d993c55a76bc5a7780fe
  SHA256: 43b9150976b5087c92752fc6f81dedf5eca94f138090be18c712c17838d498cc
  SHA512: 01317be797acca4ff1aa9bee3b34ad6b2456aa72a927a8cdf9ae5f6f969e9d197626ab150df82e28dc1b24a47d6ad7dd5bbc0714e834e0e444c4689e9b2da5ce

\Windows\System32\Es4.Deploy.exe
  Filesize: 970KB
  MD5: ceaea72deefc6bce78f56efd6df30018
  SHA1: d9dd7dc3cf9b040f5add454a2eefc1e5d48a137c
  SHA256: e6c9beddaf2b77747834a6855ab88c43dc8feb5ad74e6da9d55e30a8e8299d63
  SHA512: e0b70a188f7bca695cf1e4a117dad94d76799b2187e03bf3a3ac78a015742aac845025e9ee6200379f357b6896a294a83ecbe4ce9d8eabdf25e2510088ca62ae