Analysis
- max time kernel: 150s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 24-02-2021 23:50

Static task: static1
Behavioral task: behavioral1
  Sample: sample29.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: sample29.exe
  Resource: win10v20201028
General
- Target: sample29.exe
- Size: 749KB
- MD5: d99fbbc4c24914cfe2127db57207cce4
- SHA1: 64504d3fc4b681fc8ff7a48ba600480cab504585
- SHA256: 002b7dd7d78428b7533bc0becd7b409ff44548935f3a0b6b5a59e1487697678e
- SHA512: b9885d3e111cd4933e09d12bdb8e366a59f85eb721f72456ecf4d6455cde1fd2d2610600b6004e8dd714a5cb5a5ccecbe4ab1c7f9f1c31953490da110744ca71
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\fyAokAIM\\wKQIsMwQ.exe," | sample29.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\fyAokAIM\\wKQIsMwQ.exe," | sample29.exe
-
Modifies visibility of file extensions in Explorer (2 TTPs)
-
Executes dropped EXE (4 IoCs)
Processes:
pid | process
1620 | EcQgYYog.exe
2396 | wKQIsMwQ.exe
2684 | MqgAoYQU.exe
2932 | cpack.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | EcQgYYog.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\EcQgYYog.exe = "C:\\Users\\Admin\\nGQggEwI\\EcQgYYog.exe" | sample29.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wKQIsMwQ.exe = "C:\\ProgramData\\fyAokAIM\\wKQIsMwQ.exe" | sample29.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\EcQgYYog.exe = "C:\\Users\\Admin\\nGQggEwI\\EcQgYYog.exe" | EcQgYYog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wKQIsMwQ.exe = "C:\\ProgramData\\fyAokAIM\\wKQIsMwQ.exe" | wKQIsMwQ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wKQIsMwQ.exe = "C:\\ProgramData\\fyAokAIM\\wKQIsMwQ.exe" | MqgAoYQU.exe
-
Drops file in System32 directory (9 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\nGQggEwI | MqgAoYQU.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\nGQggEwI\EcQgYYog | MqgAoYQU.exe
File opened for modification | C:\Windows\SysWOW64\sheRenameSwitch.docx | EcQgYYog.exe
File created | C:\Windows\SysWOW64\shell32.dll.exe | EcQgYYog.exe
File opened for modification | C:\Windows\SysWOW64\sheInvokeClear.docx | EcQgYYog.exe
File opened for modification | C:\Windows\SysWOW64\sheOpenPush.jpg | EcQgYYog.exe
File opened for modification | C:\Windows\SysWOW64\shePushUnlock.mpg | EcQgYYog.exe
File opened for modification | C:\Windows\SysWOW64\sheRestoreApprove.png | EcQgYYog.exe
File opened for modification | C:\Windows\SysWOW64\sheRevokeTest.bmp | EcQgYYog.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key (1 TTP, 3 IoCs)
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (repeated identical rows collapsed into an event count):
pid | process | events
4092 | sample29.exe | 4
1620 | EcQgYYog.exe | 60
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
1620 | EcQgYYog.exe
-
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (repeated identical rows collapsed into an event count):
pid | process | events
1620 | EcQgYYog.exe | 64
-
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (repeated identical rows collapsed into an event count):
description | pid | process | target process | events
PID 4092 wrote to memory of 1620 | 4092 | sample29.exe | EcQgYYog.exe | 3
PID 4092 wrote to memory of 2396 | 4092 | sample29.exe | wKQIsMwQ.exe | 3
PID 4092 wrote to memory of 4020 | 4092 | sample29.exe | cmd.exe | 3
PID 4020 wrote to memory of 2932 | 4020 | cmd.exe | cpack.exe | 2
PID 4092 wrote to memory of 3184 | 4092 | sample29.exe | reg.exe | 3
PID 4092 wrote to memory of 2348 | 4092 | sample29.exe | reg.exe | 3
PID 4092 wrote to memory of 1932 | 4092 | sample29.exe | reg.exe | 3
Processes (process tree; the level is the nesting depth in the tree)
[level 1] C:\Users\Admin\AppData\Local\Temp\sample29.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\sample29.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  [level 2] C:\Users\Admin\nGQggEwI\EcQgYYog.exe
    command line: "C:\Users\Admin\nGQggEwI\EcQgYYog.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
  [level 2] C:\ProgramData\fyAokAIM\wKQIsMwQ.exe
    command line: "C:\ProgramData\fyAokAIM\wKQIsMwQ.exe"
    - Executes dropped EXE
    - Adds Run key to start application
  [level 2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpack.exe
    - Suspicious use of WriteProcessMemory
    [level 3] C:\Users\Admin\AppData\Local\Temp\cpack.exe
      command line: C:\Users\Admin\AppData\Local\Temp\cpack.exe
      - Executes dropped EXE
  [level 2] C:\Windows\SysWOW64\reg.exe
    command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    - Modifies registry key
  [level 2] C:\Windows\SysWOW64\reg.exe
    command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    - Modifies registry key
  [level 2] C:\Windows\SysWOW64\reg.exe
    command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    - Modifies registry key
[level 1] C:\ProgramData\sgUcQoMs\MqgAoYQU.exe
  command line: C:\ProgramData\sgUcQoMs\MqgAoYQU.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\fyAokAIM\wKQIsMwQ.exe
MD5: 9c19127ddd5eeb2ae5b6b12b4d5110b7
SHA1: da7706a7f120d5a6fe4d75fb2ed10818ec32a965
SHA256: f5e38e6f8a988dfd0c8178e41bdb397ed8fc702b9c71860b358498963d34aee4
SHA512: 66f96bb83cd8ca50e2274d4360c09343f74835ffce797d940bdf88713c41ec34c59d89555e7dc6d339ee9eaa6ad7cfc30f905a33f21e1d9dc4f28e17ef2bc6f6
-
C:\ProgramData\sgUcQoMs\MqgAoYQU.exe
MD5: 90d2f65255d964d399e66a28a4a3f7f3
SHA1: 58ef8127e837e145ff6cf82b34928696c09a985d
SHA256: fd3e423a77223029790e468ff077ee5e2d57a5065caa21c080c2e50eeaab4286
SHA512: e99954c7a7332ebf79feefc60d6cc7bc35bcf287855b7b8e908cb3960892acaf127b907f2000484ac07d42d432f0a636556f8680ff15f6dcc02fb836173e20e6
-
C:\Users\Admin\AppData\Local\Temp\cpack.exe
MD5: 335d29efe02df08e6e2563bfca5e3c96
SHA1: b94ffc679f9c06a5bd7c1ff26428f536a1bd7a6d
SHA256: 191d4982ce9dd2877d69b8190c84d62d343077218765a6beae116d2c17a10a03
SHA512: 8b92f4bfa9826a8fe8bf04a71cea34eff974bc2cd33c1bb41e4f560b05b821e9079d4808fe9f87015a633a99aed450516f93c9af4e145868bbf8c1ebbf112ecc
-
C:\Users\Admin\nGQggEwI\EcQgYYog.exe
MD5: b5cf8bf6e466e842fbf2e7e1d9c9a712
SHA1: 9b281e5a66e0bfccbd862b4360a7a37006f78716
SHA256: d43a40c1d2a4c32bf7aae5588477ab81af11da0b90253b860255271ad94a6e0e
SHA512: 3a6de72a8d841445be8cf5664cbfaa7a797d139b6c3ddc1fa98cbbeba8e5385baf63f8dd825cae74d4924d1b5f89c5cbb1ccb2472023dca1df164cc5d233d828
-
memory/1620-2-0x0000000000000000-mapping.dmp
-
memory/1932-17-0x0000000000000000-mapping.dmp
-
memory/2348-16-0x0000000000000000-mapping.dmp
-
memory/2396-5-0x0000000000000000-mapping.dmp
-
memory/2932-11-0x0000000000000000-mapping.dmp
-
memory/2932-15-0x00007FFFCEFC0000-0x00007FFFCF9AC000-memory.dmp (Filesize: 9.9MB)
-
memory/2932-18-0x00000000007D0000-0x00000000007D1000-memory.dmp (Filesize: 4KB)
-
memory/2932-20-0x000000001B320000-0x000000001B322000-memory.dmp (Filesize: 8KB)
-
memory/3184-13-0x0000000000000000-mapping.dmp
-
memory/4020-10-0x0000000000000000-mapping.dmp