0024fbea60c3292bf8e1e842ad33a3dc87700d3c2c0169dbe1890aa2b5deb91c

General

Target

sample26.exe
Size

6.9MB
MD5

44e00afd00a5c8c68c2489be9303dda3
SHA1

15bc3c661fd1bb5cb25117a95402a24a8fa4e08d
SHA256

0024fbea60c3292bf8e1e842ad33a3dc87700d3c2c0169dbe1890aa2b5deb91c
SHA512

6b44c194285602f05df7bc86ca08d2aaea141903d964fb736b5e40b92ac5cd81a8ac98ab88d66aaf17abef92e46658fa45823695c3aca2dd397c1eb9b2eb4d44

Score

10^/10

evasion persistence spyware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

sample26.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\NCIIIkUE\\xksoMYkI.exe,"	sample26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\NCIIIkUE\\xksoMYkI.exe,"	sample26.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 4 IoCs

Processes:

xuIkIggA.exexksoMYkI.exeNgogEQQw.exechoco.exe

pid process

3340 xuIkIggA.exe
4056 xksoMYkI.exe
3704 NgogEQQw.exe
3616 choco.exe

pid	process
3340	xuIkIggA.exe
4056	xksoMYkI.exe
3704	NgogEQQw.exe
3616	choco.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xksoMYkI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	xksoMYkI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xksoMYkI.exeNgogEQQw.exesample26.exexuIkIggA.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xksoMYkI.exe = "C:\\ProgramData\\NCIIIkUE\\xksoMYkI.exe"	xksoMYkI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xksoMYkI.exe = "C:\\ProgramData\\NCIIIkUE\\xksoMYkI.exe"	NgogEQQw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuIkIggA.exe = "C:\\Users\\Admin\\ZoQIsYsE\\xuIkIggA.exe"	sample26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xksoMYkI.exe = "C:\\ProgramData\\NCIIIkUE\\xksoMYkI.exe"	sample26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuIkIggA.exe = "C:\\Users\\Admin\\ZoQIsYsE\\xuIkIggA.exe"	xuIkIggA.exe

Drops file in System32 directory 7 IoCs

Processes:

xksoMYkI.exeNgogEQQw.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\sheReadRevoke.mpg	xksoMYkI.exe
File opened for modification	C:\Windows\SysWOW64\sheSaveApprove.docx	xksoMYkI.exe
File opened for modification	C:\Windows\SysWOW64\sheSuspendCopy.mpg	xksoMYkI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\ZoQIsYsE	NgogEQQw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\ZoQIsYsE\xuIkIggA	NgogEQQw.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	xksoMYkI.exe
File opened for modification	C:\Windows\SysWOW64\sheEnterResize.ppt	xksoMYkI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

2832 reg.exe
2584 reg.exe
4080 reg.exe

pid	process
2832	reg.exe
2584	reg.exe
4080	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sample26.exexksoMYkI.exe

pid	process
412	sample26.exe
412	sample26.exe
412	sample26.exe
412	sample26.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

xksoMYkI.exe

pid process

4056 xksoMYkI.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

choco.exe

description pid process

Token: SeDebugPrivilege 3616 choco.exe

description	pid	process
Token: SeDebugPrivilege	3616	choco.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

xksoMYkI.exe

pid	process
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe
4056	xksoMYkI.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

sample26.execmd.exe

description	pid	process	target process
PID 412 wrote to memory of 3340	412	sample26.exe	xuIkIggA.exe
PID 412 wrote to memory of 3340	412	sample26.exe	xuIkIggA.exe
PID 412 wrote to memory of 3340	412	sample26.exe	xuIkIggA.exe
PID 412 wrote to memory of 4056	412	sample26.exe	xksoMYkI.exe
PID 412 wrote to memory of 4056	412	sample26.exe	xksoMYkI.exe
PID 412 wrote to memory of 4056	412	sample26.exe	xksoMYkI.exe
PID 412 wrote to memory of 3232	412	sample26.exe	cmd.exe
PID 412 wrote to memory of 3232	412	sample26.exe	cmd.exe
PID 412 wrote to memory of 3232	412	sample26.exe	cmd.exe
PID 412 wrote to memory of 2832	412	sample26.exe	reg.exe
PID 412 wrote to memory of 2832	412	sample26.exe	reg.exe
PID 412 wrote to memory of 2832	412	sample26.exe	reg.exe
PID 412 wrote to memory of 2584	412	sample26.exe	reg.exe
PID 412 wrote to memory of 2584	412	sample26.exe	reg.exe
PID 412 wrote to memory of 2584	412	sample26.exe	reg.exe
PID 412 wrote to memory of 4080	412	sample26.exe	reg.exe
PID 412 wrote to memory of 4080	412	sample26.exe	reg.exe
PID 412 wrote to memory of 4080	412	sample26.exe	reg.exe
PID 3232 wrote to memory of 3616	3232	cmd.exe	choco.exe
PID 3232 wrote to memory of 3616	3232	cmd.exe	choco.exe

C:\Users\Admin\AppData\Local\Temp\sample26.exe
"C:\Users\Admin\AppData\Local\Temp\sample26.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\ZoQIsYsE\xuIkIggA.exe
"C:\Users\Admin\ZoQIsYsE\xuIkIggA.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3340

C:\ProgramData\NCIIIkUE\xksoMYkI.exe
"C:\ProgramData\NCIIIkUE\xksoMYkI.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\choco.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\choco.exe
C:\Users\Admin\AppData\Local\Temp\choco.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:4080

C:\ProgramData\sewUwYAY\NgogEQQw.exe
C:\ProgramData\sewUwYAY\NgogEQQw.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

5

T1112

Hidden Files and Directories

1

T1158

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NCIIIkUE\xksoMYkI.exe
MD5
7a23613632a4b7401f2c53b9bbb599c8

SHA1
d23f5d9f88d019944dabe553804d53c3f8c91769

SHA256
22d9a32ce69b8ef406b26a9233e4e2cee5bf50ac3fb35e9df1386b647ac1199e

SHA512
03da544de41e82e42d4110b20a9b87969e8a2bcb9e89b4a78f88fc296bd9873f45c6a4273b27297b6ac43d689c7eb4c5ea4724788becc040940533bb8c438baa

Download Submit
C:\ProgramData\NCIIIkUE\xksoMYkI.exe
MD5
7a23613632a4b7401f2c53b9bbb599c8

SHA1
d23f5d9f88d019944dabe553804d53c3f8c91769

SHA256
22d9a32ce69b8ef406b26a9233e4e2cee5bf50ac3fb35e9df1386b647ac1199e

SHA512
03da544de41e82e42d4110b20a9b87969e8a2bcb9e89b4a78f88fc296bd9873f45c6a4273b27297b6ac43d689c7eb4c5ea4724788becc040940533bb8c438baa

Download Submit
C:\ProgramData\sewUwYAY\NgogEQQw.exe
MD5
81be6e70dc278002ef788dced8f24dea

SHA1
b485749702fbb15297fcba77d2e6522d1f8832e2

SHA256
523e46c91a3b4ddf7c79b7c433db30af9633c5373b39d858795e362c88b4446f

SHA512
50886e8271c66d669683588c6259fd8728eff83a424febb442572d61a4407b2b2ffe0dceddd2b4c39f5ceecb596f6b926b75e091b12bcf3e9f79f4282a13cf74

Download Submit
C:\ProgramData\sewUwYAY\NgogEQQw.exe
MD5
81be6e70dc278002ef788dced8f24dea

SHA1
b485749702fbb15297fcba77d2e6522d1f8832e2

SHA256
523e46c91a3b4ddf7c79b7c433db30af9633c5373b39d858795e362c88b4446f

SHA512
50886e8271c66d669683588c6259fd8728eff83a424febb442572d61a4407b2b2ffe0dceddd2b4c39f5ceecb596f6b926b75e091b12bcf3e9f79f4282a13cf74

Download Submit
C:\Users\Admin\AppData\Local\Temp\choco.exe
MD5
f24affc10132405930282aaeb206b7b7

SHA1
462d7a447a7d6f06bf3083c2af2f00b615c6a1a0

SHA256
abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc

SHA512
c7729e3a050797b7d2c6ee07cc432c6dca56ffdb6b7e2662b1a70c90e287bbb2480a3752f262a896110f60f9ce18f884452f3cae3a06c80bef5eec476fba8cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\choco.exe
MD5
f24affc10132405930282aaeb206b7b7

SHA1
462d7a447a7d6f06bf3083c2af2f00b615c6a1a0

SHA256
abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc

SHA512
c7729e3a050797b7d2c6ee07cc432c6dca56ffdb6b7e2662b1a70c90e287bbb2480a3752f262a896110f60f9ce18f884452f3cae3a06c80bef5eec476fba8cfe

Download Submit
C:\Users\Admin\ZoQIsYsE\xuIkIggA.exe
MD5
6f5f6166455e64ecd749f5506a818321

SHA1
3db6b8e5031950a359d7f0ec14115487043f3080

SHA256
5f31baf210c17ae17bf0fc27fe39693d2d440f3f6549ee5ee0acc04ef6ec5e9d

SHA512
c78f427235a3e42d54a08bc1f20fa842cf1b1a7759d3cb440163b516fd72564ad6f5f79bdea1f5387522300c5fb95b1ad9ca47223d594a22b778dda49e28153c

Download Submit
C:\Users\Admin\ZoQIsYsE\xuIkIggA.exe
MD5
6f5f6166455e64ecd749f5506a818321

SHA1
3db6b8e5031950a359d7f0ec14115487043f3080

SHA256
5f31baf210c17ae17bf0fc27fe39693d2d440f3f6549ee5ee0acc04ef6ec5e9d

SHA512
c78f427235a3e42d54a08bc1f20fa842cf1b1a7759d3cb440163b516fd72564ad6f5f79bdea1f5387522300c5fb95b1ad9ca47223d594a22b778dda49e28153c

Download Submit
memory/2584-12-0x0000000000000000-mapping.dmp

Download
memory/2832-11-0x0000000000000000-mapping.dmp

Download
memory/3232-10-0x0000000000000000-mapping.dmp

Download
memory/3340-2-0x0000000000000000-mapping.dmp

Download
memory/3616-17-0x00007FFD88B30000-0x00007FFD8951C000-memory.dmp

Filesize
9.9MB

Download
memory/3616-14-0x0000000000000000-mapping.dmp

Download
memory/3616-18-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3616-19-0x000000001BF90000-0x000000001BF92000-memory.dmp

Filesize
8KB

Download
memory/3616-20-0x000000001BF20000-0x000000001BF21000-memory.dmp

Filesize
4KB

Download
memory/3616-21-0x000000001C830000-0x000000001C831000-memory.dmp

Filesize
4KB

Download
memory/3616-22-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/4056-5-0x0000000000000000-mapping.dmp

Download
memory/4080-13-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads