002b7dd7d78428b7533bc0becd7b409ff44548935f3a0b6b5a59e1487697678e

General

Target

sample29.exe
Size

749KB
MD5

d99fbbc4c24914cfe2127db57207cce4
SHA1

64504d3fc4b681fc8ff7a48ba600480cab504585
SHA256

002b7dd7d78428b7533bc0becd7b409ff44548935f3a0b6b5a59e1487697678e
SHA512

b9885d3e111cd4933e09d12bdb8e366a59f85eb721f72456ecf4d6455cde1fd2d2610600b6004e8dd714a5cb5a5ccecbe4ab1c7f9f1c31953490da110744ca71

Score

10^/10

evasion persistence spyware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

sample29.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\fyAokAIM\\wKQIsMwQ.exe,"	sample29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\fyAokAIM\\wKQIsMwQ.exe,"	sample29.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 4 IoCs

Processes:

EcQgYYog.exewKQIsMwQ.exeMqgAoYQU.execpack.exe

pid process

1620 EcQgYYog.exe
2396 wKQIsMwQ.exe
2684 MqgAoYQU.exe
2932 cpack.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EcQgYYog.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	EcQgYYog.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sample29.exeEcQgYYog.exewKQIsMwQ.exeMqgAoYQU.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\EcQgYYog.exe = "C:\\Users\\Admin\\nGQggEwI\\EcQgYYog.exe"	sample29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wKQIsMwQ.exe = "C:\\ProgramData\\fyAokAIM\\wKQIsMwQ.exe"	sample29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\EcQgYYog.exe = "C:\\Users\\Admin\\nGQggEwI\\EcQgYYog.exe"	EcQgYYog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wKQIsMwQ.exe = "C:\\ProgramData\\fyAokAIM\\wKQIsMwQ.exe"	wKQIsMwQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wKQIsMwQ.exe = "C:\\ProgramData\\fyAokAIM\\wKQIsMwQ.exe"	MqgAoYQU.exe

Drops file in System32 directory 9 IoCs

Processes:

MqgAoYQU.exeEcQgYYog.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\nGQggEwI	MqgAoYQU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\nGQggEwI\EcQgYYog	MqgAoYQU.exe
File opened for modification	C:\Windows\SysWOW64\sheRenameSwitch.docx	EcQgYYog.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	EcQgYYog.exe
File opened for modification	C:\Windows\SysWOW64\sheInvokeClear.docx	EcQgYYog.exe
File opened for modification	C:\Windows\SysWOW64\sheOpenPush.jpg	EcQgYYog.exe
File opened for modification	C:\Windows\SysWOW64\shePushUnlock.mpg	EcQgYYog.exe
File opened for modification	C:\Windows\SysWOW64\sheRestoreApprove.png	EcQgYYog.exe
File opened for modification	C:\Windows\SysWOW64\sheRevokeTest.bmp	EcQgYYog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

3184 reg.exe
2348 reg.exe
1932 reg.exe

pid	process
3184	reg.exe
2348	reg.exe
1932	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sample29.exeEcQgYYog.exe

pid	process
4092	sample29.exe
4092	sample29.exe
4092	sample29.exe
4092	sample29.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

EcQgYYog.exe

pid process

1620 EcQgYYog.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

EcQgYYog.exe

pid	process
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe
1620	EcQgYYog.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

sample29.execmd.exe

description	pid	process	target process
PID 4092 wrote to memory of 1620	4092	sample29.exe	EcQgYYog.exe
PID 4092 wrote to memory of 1620	4092	sample29.exe	EcQgYYog.exe
PID 4092 wrote to memory of 1620	4092	sample29.exe	EcQgYYog.exe
PID 4092 wrote to memory of 2396	4092	sample29.exe	wKQIsMwQ.exe
PID 4092 wrote to memory of 2396	4092	sample29.exe	wKQIsMwQ.exe
PID 4092 wrote to memory of 2396	4092	sample29.exe	wKQIsMwQ.exe
PID 4092 wrote to memory of 4020	4092	sample29.exe	cmd.exe
PID 4092 wrote to memory of 4020	4092	sample29.exe	cmd.exe
PID 4092 wrote to memory of 4020	4092	sample29.exe	cmd.exe
PID 4020 wrote to memory of 2932	4020	cmd.exe	cpack.exe
PID 4020 wrote to memory of 2932	4020	cmd.exe	cpack.exe
PID 4092 wrote to memory of 3184	4092	sample29.exe	reg.exe
PID 4092 wrote to memory of 3184	4092	sample29.exe	reg.exe
PID 4092 wrote to memory of 3184	4092	sample29.exe	reg.exe
PID 4092 wrote to memory of 2348	4092	sample29.exe	reg.exe
PID 4092 wrote to memory of 2348	4092	sample29.exe	reg.exe
PID 4092 wrote to memory of 2348	4092	sample29.exe	reg.exe
PID 4092 wrote to memory of 1932	4092	sample29.exe	reg.exe
PID 4092 wrote to memory of 1932	4092	sample29.exe	reg.exe
PID 4092 wrote to memory of 1932	4092	sample29.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\sample29.exe
"C:\Users\Admin\AppData\Local\Temp\sample29.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4092

C:\Users\Admin\nGQggEwI\EcQgYYog.exe
"C:\Users\Admin\nGQggEwI\EcQgYYog.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1620

C:\ProgramData\fyAokAIM\wKQIsMwQ.exe
"C:\ProgramData\fyAokAIM\wKQIsMwQ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpack.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Local\Temp\cpack.exe
C:\Users\Admin\AppData\Local\Temp\cpack.exe
3⤵
- Executes dropped EXE
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:1932

C:\ProgramData\sgUcQoMs\MqgAoYQU.exe
C:\ProgramData\sgUcQoMs\MqgAoYQU.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

5

T1112

Hidden Files and Directories

1

T1158

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fyAokAIM\wKQIsMwQ.exe
MD5
9c19127ddd5eeb2ae5b6b12b4d5110b7

SHA1
da7706a7f120d5a6fe4d75fb2ed10818ec32a965

SHA256
f5e38e6f8a988dfd0c8178e41bdb397ed8fc702b9c71860b358498963d34aee4

SHA512
66f96bb83cd8ca50e2274d4360c09343f74835ffce797d940bdf88713c41ec34c59d89555e7dc6d339ee9eaa6ad7cfc30f905a33f21e1d9dc4f28e17ef2bc6f6

Download Submit
C:\ProgramData\fyAokAIM\wKQIsMwQ.exe
MD5
9c19127ddd5eeb2ae5b6b12b4d5110b7

SHA1
da7706a7f120d5a6fe4d75fb2ed10818ec32a965

SHA256
f5e38e6f8a988dfd0c8178e41bdb397ed8fc702b9c71860b358498963d34aee4

SHA512
66f96bb83cd8ca50e2274d4360c09343f74835ffce797d940bdf88713c41ec34c59d89555e7dc6d339ee9eaa6ad7cfc30f905a33f21e1d9dc4f28e17ef2bc6f6

Download Submit
C:\ProgramData\sgUcQoMs\MqgAoYQU.exe
MD5
90d2f65255d964d399e66a28a4a3f7f3

SHA1
58ef8127e837e145ff6cf82b34928696c09a985d

SHA256
fd3e423a77223029790e468ff077ee5e2d57a5065caa21c080c2e50eeaab4286

SHA512
e99954c7a7332ebf79feefc60d6cc7bc35bcf287855b7b8e908cb3960892acaf127b907f2000484ac07d42d432f0a636556f8680ff15f6dcc02fb836173e20e6

Download Submit
C:\ProgramData\sgUcQoMs\MqgAoYQU.exe
MD5
90d2f65255d964d399e66a28a4a3f7f3

SHA1
58ef8127e837e145ff6cf82b34928696c09a985d

SHA256
fd3e423a77223029790e468ff077ee5e2d57a5065caa21c080c2e50eeaab4286

SHA512
e99954c7a7332ebf79feefc60d6cc7bc35bcf287855b7b8e908cb3960892acaf127b907f2000484ac07d42d432f0a636556f8680ff15f6dcc02fb836173e20e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpack.exe
MD5
335d29efe02df08e6e2563bfca5e3c96

SHA1
b94ffc679f9c06a5bd7c1ff26428f536a1bd7a6d

SHA256
191d4982ce9dd2877d69b8190c84d62d343077218765a6beae116d2c17a10a03

SHA512
8b92f4bfa9826a8fe8bf04a71cea34eff974bc2cd33c1bb41e4f560b05b821e9079d4808fe9f87015a633a99aed450516f93c9af4e145868bbf8c1ebbf112ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpack.exe
MD5
335d29efe02df08e6e2563bfca5e3c96

SHA1
b94ffc679f9c06a5bd7c1ff26428f536a1bd7a6d

SHA256
191d4982ce9dd2877d69b8190c84d62d343077218765a6beae116d2c17a10a03

SHA512
8b92f4bfa9826a8fe8bf04a71cea34eff974bc2cd33c1bb41e4f560b05b821e9079d4808fe9f87015a633a99aed450516f93c9af4e145868bbf8c1ebbf112ecc

Download Submit
C:\Users\Admin\nGQggEwI\EcQgYYog.exe
MD5
b5cf8bf6e466e842fbf2e7e1d9c9a712

SHA1
9b281e5a66e0bfccbd862b4360a7a37006f78716

SHA256
d43a40c1d2a4c32bf7aae5588477ab81af11da0b90253b860255271ad94a6e0e

SHA512
3a6de72a8d841445be8cf5664cbfaa7a797d139b6c3ddc1fa98cbbeba8e5385baf63f8dd825cae74d4924d1b5f89c5cbb1ccb2472023dca1df164cc5d233d828

Download Submit
C:\Users\Admin\nGQggEwI\EcQgYYog.exe
MD5
b5cf8bf6e466e842fbf2e7e1d9c9a712

SHA1
9b281e5a66e0bfccbd862b4360a7a37006f78716

SHA256
d43a40c1d2a4c32bf7aae5588477ab81af11da0b90253b860255271ad94a6e0e

SHA512
3a6de72a8d841445be8cf5664cbfaa7a797d139b6c3ddc1fa98cbbeba8e5385baf63f8dd825cae74d4924d1b5f89c5cbb1ccb2472023dca1df164cc5d233d828

Download Submit
memory/1620-2-0x0000000000000000-mapping.dmp

Download
memory/1932-17-0x0000000000000000-mapping.dmp

Download
memory/2348-16-0x0000000000000000-mapping.dmp

Download
memory/2396-5-0x0000000000000000-mapping.dmp

Download
memory/2932-11-0x0000000000000000-mapping.dmp

Download
memory/2932-15-0x00007FFFCEFC0000-0x00007FFFCF9AC000-memory.dmp

Filesize
9.9MB

Download
memory/2932-18-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2932-20-0x000000001B320000-0x000000001B322000-memory.dmp

Filesize
8KB

Download
memory/3184-13-0x0000000000000000-mapping.dmp

Download
memory/4020-10-0x0000000000000000-mapping.dmp

Download

pid	process
1620	EcQgYYog.exe
2396	wKQIsMwQ.exe
2684	MqgAoYQU.exe
2932	cpack.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads