Analysis

  • max time kernel
    151s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    05-05-2021 02:52

General

  • Target

    94cbc3c99cf5fe566336268bce3d686f379fbdda333942fdcd4237d9976014d1.exe

  • Size

    1.0MB

  • MD5

    aefe361fe383f84049085089e15dc737

  • SHA1

    b918b4c4441c522cd277b644f7881512095cfbe6

  • SHA256

    94cbc3c99cf5fe566336268bce3d686f379fbdda333942fdcd4237d9976014d1

  • SHA512

    99439c74c5a05ac67deb7fd78f70b1f041963eba2868eb1465b27185617873a168828a9e42ceb9ac8ef464fedb2da00c3ca9a3b66b34b01c8964fedd44264621

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs
  • UAC bypass 3 TTPs
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94cbc3c99cf5fe566336268bce3d686f379fbdda333942fdcd4237d9976014d1.exe
    "C:\Users\Admin\AppData\Local\Temp\94cbc3c99cf5fe566336268bce3d686f379fbdda333942fdcd4237d9976014d1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Users\Admin\KssUMgMY\AWIIYAAg.exe
      "C:\Users\Admin\KssUMgMY\AWIIYAAg.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:1756
    • C:\ProgramData\vQQAIMIk\SOAccIAw.exe
      "C:\ProgramData\vQQAIMIk\SOAccIAw.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      PID:3736
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Setup.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:496
      • C:\Users\Admin\AppData\Local\Temp\Setup.exe
        C:\Users\Admin\AppData\Local\Temp\Setup.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1084
    • C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      2⤵
      • Modifies registry key
      PID:652
    • C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      2⤵
      • Modifies registry key
      PID:3596
    • C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      2⤵
      • Modifies registry key
      PID:2284
  • C:\ProgramData\QegAAkck\QOEoQUEQ.exe
    C:\ProgramData\QegAAkck\QOEoQUEQ.exe
    1⤵
    • Executes dropped EXE
    • Adds Run key to start application
    • Drops file in System32 directory
    PID:2716

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Winlogon Helper DLL (T1004): 1
    Hidden Files and Directories (T1158): 1
    Registry Run Keys / Startup Folder (T1060): 1

  • Privilege Escalation
    Bypass User Account Control (T1088): 1

  • Defense Evasion
    Modify Registry (T1112): 5
    Hidden Files and Directories (T1158): 1
    Bypass User Account Control (T1088): 1
    Disabling Security Tools (T1089): 1

  • Credential Access
    Credentials in Files (T1081): 1

  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

  • Collection
    Data from Local System (T1005): 1

Downloads

  • C:\ProgramData\QegAAkck\QOEoQUEQ.exe
    MD5

    bf30dd467ea8dfa7f39b4d8dcc5bdfe8

    SHA1

    94d2eff5b0bfd5e111b164bc203b3a27bd9050a9

    SHA256

    2bf8dbc5d66e8dbf66b739851c65788fd458fd562cd9f4829e9cacc296a9dbc7

    SHA512

    2278a3413e417bef119957cd27690ad4fa53b72c83c87486380b3ffd914eb40b4705c4e91d3e9f014fcae1c151cb2a69a69291414f61ad252473b8a39f4b4545

  • C:\ProgramData\vQQAIMIk\SOAccIAw.exe
    MD5

    19ba4fccc651ee035f5d781f6f1cdad5

    SHA1

    e1cd819ed20f4333b241733e025b49b7c88ceb4a

    SHA256

    6b97d293b69cd4d74aaa1adf470aeeab4bd69d5710d6655138aa91748831a2be

    SHA512

    5de20346ff6d2bde2c0fbb89def10ee525318faa683208e276225e9c552fc75e1b236123c0c6f6f659389087239f1f2e28b06770923d346e1fff336a00251242

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    MD5

    96f7cb9f7481a279bd4bc0681a3b993e

    SHA1

    deaedb5becc6c0bd263d7cf81e0909b912a1afd4

    SHA256

    d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290

    SHA512

    694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

  • C:\Users\Admin\KssUMgMY\AWIIYAAg.exe
    MD5

    e1a9d1ef722bbf09efe62110cbb3602b

    SHA1

    3f4d224c1df87da9dee874d39132641ffcc8d3d9

    SHA256

    c641804ac0e743ef25dbd83f92cae81f41ea00fa13985e780608fc32e2821b70

    SHA512

    6aeeeb25276a9c364e79ddaf69932dbc7d857e3bf89fff1248df6a34764852cec00c4437bf190a8a6254a0524dbe73f4074fb7a915b68e95018a66d1932b918b

  • memory/496-122-0x0000000000000000-mapping.dmp
  • memory/652-123-0x0000000000000000-mapping.dmp
  • memory/1084-126-0x0000000000000000-mapping.dmp
  • memory/1756-114-0x0000000000000000-mapping.dmp
  • memory/2284-125-0x0000000000000000-mapping.dmp
  • memory/3596-124-0x0000000000000000-mapping.dmp
  • memory/3736-117-0x0000000000000000-mapping.dmp