942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
Size

2.4MB
MD5

97f4bfce48908daf8548c94680cdd926
SHA1

b6921fa66184350511ffeac6f7a14308bf830928
SHA256

942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1
SHA512

39ef56903b60a4a67b8863bb2ffdeed934ebe97e8223e16d7135017e20e07575e3a81076104bf37917b0ef6202a69335e66b0c137de83818fbdfb177d52b82e9
SSDEEP

49152:HQqiSbst0sL7R38+1uKnzzaKu4QHNHxU/lAZ1PXiEQMy2vm9ytkB4nX:xstZLNe5Hwl0kDB4n

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

EYNTOZEU.exeEYNTOZEU.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	EYNTOZEU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	EYNTOZEU.exe

Possible privilege escalation attempt 3 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exe

pid process

2624 takeown.exe
2628 icacls.exe
2492 takeown.exe
Executes dropped EXE 4 IoCs

Processes:

EYNTOZEU.exeEYNTOZEU.exeEs4.Deploy.exe

pid process

2552 EYNTOZEU.exe
2680 EYNTOZEU.exe
2564 Es4.Deploy.exe
1180

pid	process
2624	takeown.exe
2628	icacls.exe
2492	takeown.exe

pid	process
2552	EYNTOZEU.exe
2680	EYNTOZEU.exe
2564	Es4.Deploy.exe
1180

Loads dropped DLL 4 IoCs

Processes:

942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exeEYNTOZEU.exe

pid	process
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
2552	EYNTOZEU.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exe

pid process

2624 takeown.exe
2628 icacls.exe
2492 takeown.exe

pid	process
2624	takeown.exe
2628	icacls.exe
2492	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\!! = "AXAYJAUV.exe VXYFCKXQC EYNTOZEU.exe"	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

EYNTOZEU.exe

description ioc process

File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini EYNTOZEU.exe
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

\Windows\System32\EYNTOZEU.exe autoit_exe
\Windows\System32\Es4.Deploy.exe autoit_exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	EYNTOZEU.exe

resource	yara_rule
\Windows\System32\EYNTOZEU.exe	autoit_exe
\Windows\System32\Es4.Deploy.exe	autoit_exe

Drops file in System32 directory 6 IoCs

Processes:

942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe

description	ioc	process
File created	C:\Windows\system32\Es4.Deploy.exe	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File opened for modification	C:\Windows\system32\Es4.Deploy.exe	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File created	C:\Windows\system32\EYNTOZEU.exe	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File opened for modification	C:\Windows\system32\EYNTOZEU.exe	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File created	C:\Windows\system32\AXAYJAUV.exe	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File opened for modification	C:\Windows\system32\AXAYJAUV.exe	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe

Drops file in Windows directory 2 IoCs

Processes:

942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe

description	ioc	process
File created	C:\Windows\ES4\Es4Set.step1\Es4Set.es4	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File created	C:\Windows\ES4\Es4Set.step2\Es4Set.es4	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies data under HKEY_USERS 1 IoCs

Processes:

reg.exe

description ioc process

Key created \REGISTRY\USER\a reg.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

EYNTOZEU.exeEYNTOZEU.exe

pid process

2552 EYNTOZEU.exe
2552 EYNTOZEU.exe
2552 EYNTOZEU.exe
2552 EYNTOZEU.exe
2552 EYNTOZEU.exe
2552 EYNTOZEU.exe
2552 EYNTOZEU.exe
2680 EYNTOZEU.exe
2680 EYNTOZEU.exe
2680 EYNTOZEU.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

reg.exereg.exetakeown.exe

description pid process

Token: SeRestorePrivilege 2596 reg.exe
Token: SeRestorePrivilege 2452 reg.exe
Token: SeTakeOwnershipPrivilege 2492 takeown.exe

description	ioc	process
Key created	\REGISTRY\USER\a	reg.exe

pid	process
2552	EYNTOZEU.exe
2552	EYNTOZEU.exe
2552	EYNTOZEU.exe
2552	EYNTOZEU.exe
2552	EYNTOZEU.exe
2552	EYNTOZEU.exe
2552	EYNTOZEU.exe
2680	EYNTOZEU.exe
2680	EYNTOZEU.exe
2680	EYNTOZEU.exe

description	pid	process
Token: SeRestorePrivilege	2596	reg.exe
Token: SeRestorePrivilege	2452	reg.exe
Token: SeTakeOwnershipPrivilege	2492	takeown.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe

pid	process
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe

pid	process
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exeEYNTOZEU.execmd.execmd.exe

description	pid	process	target process
PID 1668 wrote to memory of 2552	1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe	EYNTOZEU.exe
PID 1668 wrote to memory of 2552	1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe	EYNTOZEU.exe
PID 1668 wrote to memory of 2552	1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe	EYNTOZEU.exe
PID 2552 wrote to memory of 2596	2552	EYNTOZEU.exe	reg.exe
PID 2552 wrote to memory of 2596	2552	EYNTOZEU.exe	reg.exe
PID 2552 wrote to memory of 2596	2552	EYNTOZEU.exe	reg.exe
PID 2552 wrote to memory of 2452	2552	EYNTOZEU.exe	reg.exe
PID 2552 wrote to memory of 2452	2552	EYNTOZEU.exe	reg.exe
PID 2552 wrote to memory of 2452	2552	EYNTOZEU.exe	reg.exe
PID 2552 wrote to memory of 2560	2552	EYNTOZEU.exe	cmd.exe
PID 2552 wrote to memory of 2560	2552	EYNTOZEU.exe	cmd.exe
PID 2552 wrote to memory of 2560	2552	EYNTOZEU.exe	cmd.exe
PID 2560 wrote to memory of 2624	2560	cmd.exe	takeown.exe
PID 2560 wrote to memory of 2624	2560	cmd.exe	takeown.exe
PID 2560 wrote to memory of 2624	2560	cmd.exe	takeown.exe
PID 2560 wrote to memory of 2628	2560	cmd.exe	icacls.exe
PID 2560 wrote to memory of 2628	2560	cmd.exe	icacls.exe
PID 2560 wrote to memory of 2628	2560	cmd.exe	icacls.exe
PID 2552 wrote to memory of 2468	2552	EYNTOZEU.exe	cmd.exe
PID 2552 wrote to memory of 2468	2552	EYNTOZEU.exe	cmd.exe
PID 2552 wrote to memory of 2468	2552	EYNTOZEU.exe	cmd.exe
PID 2468 wrote to memory of 2492	2468	cmd.exe	takeown.exe
PID 2468 wrote to memory of 2492	2468	cmd.exe	takeown.exe
PID 2468 wrote to memory of 2492	2468	cmd.exe	takeown.exe
PID 2552 wrote to memory of 2680	2552	EYNTOZEU.exe	EYNTOZEU.exe
PID 2552 wrote to memory of 2680	2552	EYNTOZEU.exe	EYNTOZEU.exe
PID 2552 wrote to memory of 2680	2552	EYNTOZEU.exe	EYNTOZEU.exe
PID 1668 wrote to memory of 2564	1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe	Es4.Deploy.exe
PID 1668 wrote to memory of 2564	1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe	Es4.Deploy.exe
PID 1668 wrote to memory of 2564	1668	942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe	Es4.Deploy.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

EYNTOZEU.exeEYNTOZEU.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	EYNTOZEU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	EYNTOZEU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	EYNTOZEU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	EYNTOZEU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	EYNTOZEU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	EYNTOZEU.exe

C:\Users\Admin\AppData\Local\Temp\942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
"C:\Users\Admin\AppData\Local\Temp\942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\system32\EYNTOZEU.exe
C:\Windows\system32\EYNTOZEU.exe
2⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2552

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe load HKEY_USERS\a C:\Users\Administrator\NTUSER.DAT
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe unload HKEY_USERS\a
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
3⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\system32\takeown.exe
takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2624

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
3⤵
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\system32\takeown.exe
takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\system32\EYNTOZEU.exe
EYNTOZEU.exe 2552 1668 0
3⤵
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2680

C:\Windows\system32\Es4.Deploy.exe
C:\Windows\system32\Es4.Deploy.exe
2⤵
- Executes dropped EXE
PID:2564

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2680eyntoze
Filesize
26KB

MD5
0c27221488e69caa0a441b30e5d6d46c

SHA1
82fceca6dbc8932d4bead6ce872965fac35d0c99

SHA256
bae73fb2e8de92ae84565a2e98530a0584ade7bc69603f14906375a68f9fed3d

SHA512
9ad868e0897475082c63e5fcca91594c4568f15e442907b21bcd844dc8022986995f895b97aa649e2a523d08a4c37a324447b48475c7bf816a1dce734988eaed

Download Submit
\Windows\System32\EYNTOZEU.exe
Filesize
964KB

MD5
7359ea3476e9f5d7f5e6845007531b4b

SHA1
ec48e75b6a03979a1af7d993c55a76bc5a7780fe

SHA256
43b9150976b5087c92752fc6f81dedf5eca94f138090be18c712c17838d498cc

SHA512
01317be797acca4ff1aa9bee3b34ad6b2456aa72a927a8cdf9ae5f6f969e9d197626ab150df82e28dc1b24a47d6ad7dd5bbc0714e834e0e444c4689e9b2da5ce

Download Submit
\Windows\System32\Es4.Deploy.exe
Filesize
970KB

MD5
ceaea72deefc6bce78f56efd6df30018

SHA1
d9dd7dc3cf9b040f5add454a2eefc1e5d48a137c

SHA256
e6c9beddaf2b77747834a6855ab88c43dc8feb5ad74e6da9d55e30a8e8299d63

SHA512
e0b70a188f7bca695cf1e4a117dad94d76799b2187e03bf3a3ac78a015742aac845025e9ee6200379f357b6896a294a83ecbe4ce9d8eabdf25e2510088ca62ae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads