Analysis
- max time kernel: 150s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 24-02-2021 23:45
Static task: static1
Behavioral task: behavioral1 (Sample: sample26.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: sample26.exe, Resource: win10v20201028)
General
- Target: sample26.exe
- Size: 6.9MB
- MD5: 44e00afd00a5c8c68c2489be9303dda3
- SHA1: 15bc3c661fd1bb5cb25117a95402a24a8fa4e08d
- SHA256: 0024fbea60c3292bf8e1e842ad33a3dc87700d3c2c0169dbe1890aa2b5deb91c
- SHA512: 6b44c194285602f05df7bc86ca08d2aaea141903d964fb736b5e40b92ac5cd81a8ac98ab88d66aaf17abef92e46658fa45823695c3aca2dd397c1eb9b2eb4d44
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\NCIIIkUE\\xksoMYkI.exe," | sample26.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\NCIIIkUE\\xksoMYkI.exe," | sample26.exe
The 64-bit winlogon process reads Userinit from the native key. There the sample keeps userinit.exe first, so logon still succeeds and xksoMYkI.exe is launched at every interactive logon. The WOW6432Node copy, which omits userinit.exe entirely, is where a 32-bit writer lands under registry redirection; winlogon does not consult it, but it remains a useful indicator.
-
Modifies visibility of file extensions in Explorer 2 TTPs
Done through the reg.exe invocations in the process tree: HideFileExt=1 (hide known extensions) and Hidden=2 (do not show hidden files). Both are the Windows defaults, so the sample is re-asserting them rather than changing them; with extensions hidden, the shell32.dll.exe it creates in SysWOW64 displays as shell32.dll.
-
Executes dropped EXE 4 IoCs
Processes (pid | process):
3340 | xuIkIggA.exe
4056 | xksoMYkI.exe
3704 | NgogEQQw.exe
3616 | choco.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation | xksoMYkI.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xksoMYkI.exe = "C:\\ProgramData\\NCIIIkUE\\xksoMYkI.exe" | xksoMYkI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xksoMYkI.exe = "C:\\ProgramData\\NCIIIkUE\\xksoMYkI.exe" | NgogEQQw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuIkIggA.exe = "C:\\Users\\Admin\\ZoQIsYsE\\xuIkIggA.exe" | sample26.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xksoMYkI.exe = "C:\\ProgramData\\NCIIIkUE\\xksoMYkI.exe" | sample26.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuIkIggA.exe = "C:\\Users\\Admin\\ZoQIsYsE\\xuIkIggA.exe" | xuIkIggA.exe
-
Drops file in System32 directory 7 IoCs
Processes (description | ioc | process):
File opened for modification | C:\Windows\SysWOW64\sheReadRevoke.mpg | xksoMYkI.exe
File opened for modification | C:\Windows\SysWOW64\sheSaveApprove.docx | xksoMYkI.exe
File opened for modification | C:\Windows\SysWOW64\sheSuspendCopy.mpg | xksoMYkI.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\ZoQIsYsE | NgogEQQw.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\ZoQIsYsE\xuIkIggA | NgogEQQw.exe
File created | C:\Windows\SysWOW64\shell32.dll.exe | xksoMYkI.exe
File opened for modification | C:\Windows\SysWOW64\sheEnterResize.ppt | xksoMYkI.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Common in ransomware, but not conclusive on its own; this report records no accompanying file-encryption or ransom-note activity.
-
Modifies registry key 1 TTPs 3 IoCs
The three reg.exe children of sample26.exe shown in the process tree: two Explorer view settings (HideFileExt=1, Hidden=2) and EnableLUA=0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which disables UAC once the machine reboots. The HKLM Winlogon writes above succeeded, so the sample was already running with administrative rights.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid | process | occurrences):
412 | sample26.exe | 4
4056 | xksoMYkI.exe | 60
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid | process):
4056 | xksoMYkI.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description | pid | process):
Token: SeDebugPrivilege | 3616 | choco.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (pid | process | occurrences):
4056 | xksoMYkI.exe | 64
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes (source pid | source process | target pid | target process | occurrences):
412 | sample26.exe | 3340 | xuIkIggA.exe | 3
412 | sample26.exe | 4056 | xksoMYkI.exe | 3
412 | sample26.exe | 3232 | cmd.exe | 3
412 | sample26.exe | 2832 | reg.exe | 3
412 | sample26.exe | 2584 | reg.exe | 3
412 | sample26.exe | 4080 | reg.exe | 3
3232 | cmd.exe | 3616 | choco.exe | 2
Every write targets a process the writer itself has just spawned, which is the normal pattern when a parent sets up its child at creation; no write into a pre-existing, unrelated process is recorded here.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\sample26.exe (PID 412)
command line: "C:\Users\Admin\AppData\Local\Temp\sample26.exe"
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Users\Admin\ZoQIsYsE\xuIkIggA.exe (PID 3340, child of 412)
command line: "C:\Users\Admin\ZoQIsYsE\xuIkIggA.exe"
- Executes dropped EXE
- Adds Run key to start application
-
[depth 2] C:\ProgramData\NCIIIkUE\xksoMYkI.exe (PID 4056, child of 412)
command line: "C:\ProgramData\NCIIIkUE\xksoMYkI.exe"
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
[depth 2] C:\Windows\SysWOW64\cmd.exe (PID 3232, child of 412)
command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\choco.exe
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\choco.exe (PID 3616, child of 3232)
command line: C:\Users\Admin\AppData\Local\Temp\choco.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
[depth 2] C:\Windows\SysWOW64\reg.exe (child of 412)
command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies registry key
-
[depth 2] C:\Windows\SysWOW64\reg.exe (child of 412)
command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- Modifies registry key
-
[depth 2] C:\Windows\SysWOW64\reg.exe (child of 412)
command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- Modifies registry key
-
[depth 1] C:\ProgramData\sewUwYAY\NgogEQQw.exe (PID 3704, top level; no parent recorded in the tree)
command line: C:\ProgramData\sewUwYAY\NgogEQQw.exe
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
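The PowerShell below is an added host-audit example written for this report; it is not Triage output and not the sample's code. It checks the registry locations the signatures and process tree show the sample writing (Winlogon Userinit in both views, Run keys in HKLM and in every loaded user hive, the Explorer view settings, and EnableLUA) and reports anything that deviates from the Windows defaults or references the dropped-file paths. The directory names NCIIIkUE, sewUwYAY and ZoQIsYsE are copied from this report and are assumed to be unchanged on the host being checked; the script assumes Windows PowerShell 5.1 or later on Windows 10, run elevated, and is read-only.

```powershell
# Added host-audit example for this report (not Triage output, not the sample's code).
# Read-only. Run from an elevated Windows PowerShell 5.1+ prompt on the host under review.

# Dropped-file path fragments taken from the report's IoCs; the random directory names
# are assumed to be the same on the host and may differ for other infections.
$SuspiciousPathFragments = @(
    'ProgramData\NCIIIkUE\xksoMYkI.exe',
    'ProgramData\sewUwYAY\NgogEQQw.exe',
    'ZoQIsYsE\xuIkIggA.exe'
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Area, [string]$Location, $Value, [string]$Why) {
    $findings.Add([pscustomobject]@{ Area = $Area; Location = $Location; Value = $Value; Why = $Why })
}

# Loaded user hives (skip the *_Classes hives and the well-known service SIDs).
$userSids = @(Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d' -and $_.PSChildName -notlike '*_Classes' })

# 1. Winlogon\Userinit. Default is exactly "C:\Windows\system32\userinit.exe," and every extra
#    comma-separated entry runs at each interactive logon. 64-bit winlogon reads the native key;
#    the WOW6432Node copy is where a 32-bit writer lands under registry redirection and is inert
#    for winlogon, but it is still an indicator, so both views are checked.
foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon') {
    $userinit = Get-RegValue $hive 'Userinit'
    if ($null -eq $userinit) { continue }
    foreach ($entry in ($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        if ($entry -inotlike '*\system32\userinit.exe') {
            Add-Finding 'Winlogon persistence' "$hive\Userinit" $userinit "unexpected Userinit entry: $entry"
        }
    }
}

# 2. Run keys in both HKLM views and in every loaded user hive: flag values that reference a
#    dropped-file path. Explorer processes both the native and the WOW6432Node Run key.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
) + @($userSids | ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" })
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        foreach ($frag in $SuspiciousPathFragments) {
            if ("$($p.Value)" -like "*$frag*") {
                Add-Finding 'Run key' "$key\$($p.Name)" $p.Value "references dropped file path $frag"
            }
        }
    }
}

# 3. Explorer view settings the sample forced with reg.exe. HideFileExt=1 and Hidden=2 are the
#    Windows defaults, so they are recorded for context rather than flagged; with extensions
#    hidden, the dropped shell32.dll.exe displays as shell32.dll.
foreach ($sid in $userSids) {
    $adv = "Registry::$($sid.Name)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    $view = "HideFileExt=$(Get-RegValue $adv 'HideFileExt'); Hidden=$(Get-RegValue $adv 'Hidden')"
    Add-Finding 'Explorer view (context)' $adv $view 'defaults are HideFileExt=1, Hidden=2'
}

# 4. UAC. EnableLUA=0 disables UAC after the next reboot; the default is 1.
$lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
if ($lua -eq 0) {
    Add-Finding 'UAC' 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA' $lua 'UAC disabled (default 1)'
}

$findings | Format-Table -AutoSize -Wrap
```

A Userinit finding or EnableLUA=0 is significant on its own; the Explorer rows are printed only so that an analyst can see whether the defaults were re-asserted alongside the other indicators.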
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\NCIIIkUE\xksoMYkI.exe
MD5 7a23613632a4b7401f2c53b9bbb599c8
SHA1 d23f5d9f88d019944dabe553804d53c3f8c91769
SHA256 22d9a32ce69b8ef406b26a9233e4e2cee5bf50ac3fb35e9df1386b647ac1199e
SHA512 03da544de41e82e42d4110b20a9b87969e8a2bcb9e89b4a78f88fc296bd9873f45c6a4273b27297b6ac43d689c7eb4c5ea4724788becc040940533bb8c438baa
-
C:\ProgramData\sewUwYAY\NgogEQQw.exe
MD5 81be6e70dc278002ef788dced8f24dea
SHA1 b485749702fbb15297fcba77d2e6522d1f8832e2
SHA256 523e46c91a3b4ddf7c79b7c433db30af9633c5373b39d858795e362c88b4446f
SHA512 50886e8271c66d669683588c6259fd8728eff83a424febb442572d61a4407b2b2ffe0dceddd2b4c39f5ceecb596f6b926b75e091b12bcf3e9f79f4282a13cf74
-
C:\Users\Admin\AppData\Local\Temp\choco.exe
MD5 f24affc10132405930282aaeb206b7b7
SHA1 462d7a447a7d6f06bf3083c2af2f00b615c6a1a0
SHA256 abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc
SHA512 c7729e3a050797b7d2c6ee07cc432c6dca56ffdb6b7e2662b1a70c90e287bbb2480a3752f262a896110f60f9ce18f884452f3cae3a06c80bef5eec476fba8cfe
-
C:\Users\Admin\ZoQIsYsE\xuIkIggA.exe
MD5 6f5f6166455e64ecd749f5506a818321
SHA1 3db6b8e5031950a359d7f0ec14115487043f3080
SHA256 5f31baf210c17ae17bf0fc27fe39693d2d440f3f6549ee5ee0acc04ef6ec5e9d
SHA512 c78f427235a3e42d54a08bc1f20fa842cf1b1a7759d3cb440163b516fd72564ad6f5f79bdea1f5387522300c5fb95b1ad9ca47223d594a22b778dda49e28153c
-
memory/2584-12-0x0000000000000000-mapping.dmp
-
memory/2832-11-0x0000000000000000-mapping.dmp
-
memory/3232-10-0x0000000000000000-mapping.dmp
-
memory/3340-2-0x0000000000000000-mapping.dmp
-
memory/3616-17-0x00007FFD88B30000-0x00007FFD8951C000-memory.dmp (filesize 9.9MB)
-
memory/3616-14-0x0000000000000000-mapping.dmp
-
memory/3616-18-0x0000000000CB0000-0x0000000000CB1000-memory.dmp (filesize 4KB)
-
memory/3616-19-0x000000001BF90000-0x000000001BF92000-memory.dmp (filesize 8KB)
-
memory/3616-20-0x000000001BF20000-0x000000001BF21000-memory.dmp (filesize 4KB)
-
memory/3616-21-0x000000001C830000-0x000000001C831000-memory.dmp (filesize 4KB)
-
memory/3616-22-0x0000000003320000-0x0000000003321000-memory.dmp (filesize 4KB)
-
memory/4056-5-0x0000000000000000-mapping.dmp
-
memory/4080-13-0x0000000000000000-mapping.dmp
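As a second added example, also not part of the report, the PowerShell below sweeps a host for the files listed in this Downloads section: first by the directories and file names the report shows being created, then by SHA-256 against the hashes above, so a renamed copy is still caught. The directory names, the file names under SysWOW64 and the hash list are copied from this report; it assumes Windows PowerShell 5.1 or later run elevated, and is read-only.

```powershell
# Added file-sweep example for this report (not Triage output, not the sample's code).
# Read-only. Run elevated so the SYSTEM profile directory and other users' profiles are readable.

# SHA-256 values from the report's Downloads and General sections (lowercase for comparison).
$KnownSha256 = @{
    '0024fbea60c3292bf8e1e842ad33a3dc87700d3c2c0169dbe1890aa2b5deb91c' = 'sample26.exe (dropper)'
    '22d9a32ce69b8ef406b26a9233e4e2cee5bf50ac3fb35e9df1386b647ac1199e' = 'xksoMYkI.exe'
    '523e46c91a3b4ddf7c79b7c433db30af9633c5373b39d858795e362c88b4446f' = 'NgogEQQw.exe'
    'abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc' = 'choco.exe'
    '5f31baf210c17ae17bf0fc27fe39693d2d440f3f6549ee5ee0acc04ef6ec5e9d' = 'xuIkIggA.exe'
}

# Small directories the sample created (names taken from the report; assumed unchanged on the
# host). Every file in them is hashed.
$DropDirs = @("$env:ProgramData\NCIIIkUE", "$env:ProgramData\sewUwYAY",
              "$env:SystemRoot\SysWOW64\config\systemprofile\ZoQIsYsE")
$DropDirs += @(Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'ZoQIsYsE' })

# Files the sample created or opened for modification inside SysWOW64, checked by name
# (hashing the whole directory would be slow and is not needed for these indicators).
$SysWow64Names = @('shell32.dll.exe', 'sheReadRevoke.mpg', 'sheSaveApprove.docx',
                   'sheSuspendCopy.mpg', 'sheEnterResize.ppt')

function Test-DroppedFile {
    param([System.IO.FileInfo]$File)
    $hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    $hash = if ($hash) { $hash.ToLower() } else { '' }
    $knownAs = if ($KnownSha256.ContainsKey($hash)) { $KnownSha256[$hash] } else { 'path/name match only' }
    [pscustomobject]@{
        Path     = $File.FullName
        Sha256   = $hash
        KnownAs  = $knownAs
        Modified = $File.LastWriteTimeUtc
    }
}

$results = @()
foreach ($dir in ($DropDirs | Where-Object { Test-Path $_ })) {
    $results += Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Test-DroppedFile $_ }
}
foreach ($name in $SysWow64Names) {
    $p = Join-Path "$env:SystemRoot\SysWOW64" $name
    if (Test-Path $p) { $results += Test-DroppedFile (Get-Item $p -Force) }
}

# The dropper and choco.exe both ran from %LOCALAPPDATA%\Temp, so hash every .exe there against
# the list; only hash matches are reported from this noisy location.
Get-ChildItem "$env:SystemDrive\Users\*\AppData\Local\Temp\*.exe" -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -and $KnownSha256.ContainsKey($h.ToLower())) { $results += Test-DroppedFile $_ }
    }

$results | Sort-Object Path | Format-Table -AutoSize
```

Rows reported as "path/name match only" are files found at one of the report's locations whose hash is not in the list; they still warrant a look, since the random directory names are specific to this sample while the payload itself may be repacked.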