Analysis
- max time kernel: 150s
- max time network: 114s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 05-05-2021 11:08
Static task: static1
Behavioral task: behavioral1
- Sample: dd5ea9e9_by_Libranalysis.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: dd5ea9e9_by_Libranalysis.exe
- Resource: win10v20210410
General
- Target: dd5ea9e9_by_Libranalysis.exe
- Size: 680KB
- MD5: dd5ea9e96c9c000379ff5ce132dcc754
- SHA1: 22fc09ab3506dd5e2ec0688c80763c0bb81ff3ab
- SHA256: 147587e77bfd38e2818c96628981744e716aa058dfe6a1ace8e1a1c5cee421be
- SHA512: 08c298e72b3915920f0f9a7cdb848d6721a001c6f3fdd2f0b2f5b8df0493da53dc936d97882a6ec42b013d7f09f0b2e6bded52d2d0a7425a43260ff8c899a537
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Processes: dd5ea9e9_by_Libranalysis.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\IkoMoYQM\\twoEkocI.exe," | dd5ea9e9_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\IkoMoYQM\\twoEkocI.exe," | dd5ea9e9_by_Libranalysis.exe
- Modifies visibility of file extensions in Explorer (2 TTPs)
- Executes dropped EXE (4 IoCs)
  Processes: qosUMsAc.exe, twoEkocI.exe, nAsockUY.exe, setup.exe
  pid | process
  3080 | qosUMsAc.exe
  2708 | twoEkocI.exe
  4012 | nAsockUY.exe
  2796 | setup.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: qosUMsAc.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | qosUMsAc.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes: nAsockUY.exe, dd5ea9e9_by_Libranalysis.exe, qosUMsAc.exe, twoEkocI.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\twoEkocI.exe = "C:\\ProgramData\\IkoMoYQM\\twoEkocI.exe" | nAsockUY.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\qosUMsAc.exe = "C:\\Users\\Admin\\LWQEkggA\\qosUMsAc.exe" | dd5ea9e9_by_Libranalysis.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\qosUMsAc.exe = "C:\\Users\\Admin\\LWQEkggA\\qosUMsAc.exe" | qosUMsAc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\twoEkocI.exe = "C:\\ProgramData\\IkoMoYQM\\twoEkocI.exe" | dd5ea9e9_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\twoEkocI.exe = "C:\\ProgramData\\IkoMoYQM\\twoEkocI.exe" | twoEkocI.exe
- Drops file in System32 directory (6 IoCs)
  Processes: nAsockUY.exe, qosUMsAc.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\LWQEkggA | nAsockUY.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\LWQEkggA\qosUMsAc | nAsockUY.exe
  File created | C:\Windows\SysWOW64\shell32.dll.exe | qosUMsAc.exe
  File opened for modification | C:\Windows\SysWOW64\sheHideUnblock.jpg | qosUMsAc.exe
  File opened for modification | C:\Windows\SysWOW64\sheInvokeExit.bmp | qosUMsAc.exe
  File opened for modification | C:\Windows\SysWOW64\sheMoveStep.exe | qosUMsAc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry key (1 TTP, 3 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: dd5ea9e9_by_Libranalysis.exe, qosUMsAc.exe
  pid | process
  2672 | dd5ea9e9_by_Libranalysis.exe (4 identical entries)
  3080 | qosUMsAc.exe (60 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: qosUMsAc.exe
  pid | process
  3080 | qosUMsAc.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes: qosUMsAc.exe
  pid | process
  3080 | qosUMsAc.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: dd5ea9e9_by_Libranalysis.exe, cmd.exe
  description | pid | process | target process
  PID 2672 wrote to memory of 3080 | 2672 | dd5ea9e9_by_Libranalysis.exe | qosUMsAc.exe (3 identical entries)
  PID 2672 wrote to memory of 2708 | 2672 | dd5ea9e9_by_Libranalysis.exe | twoEkocI.exe (3 identical entries)
  PID 2672 wrote to memory of 2464 | 2672 | dd5ea9e9_by_Libranalysis.exe | cmd.exe (3 identical entries)
  PID 2672 wrote to memory of 2776 | 2672 | dd5ea9e9_by_Libranalysis.exe | reg.exe (3 identical entries)
  PID 2672 wrote to memory of 3556 | 2672 | dd5ea9e9_by_Libranalysis.exe | reg.exe (3 identical entries)
  PID 2672 wrote to memory of 1780 | 2672 | dd5ea9e9_by_Libranalysis.exe | reg.exe (3 identical entries)
  PID 2464 wrote to memory of 2796 | 2464 | cmd.exe | setup.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\dd5ea9e9_by_Libranalysis.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\dd5ea9e9_by_Libranalysis.exe"
  signatures: Modifies WinLogon for persistence; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\LWQEkggA\qosUMsAc.exe (depth 2)
    command line: "C:\Users\Admin\LWQEkggA\qosUMsAc.exe"
    signatures: Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow
  - C:\ProgramData\IkoMoYQM\twoEkocI.exe (depth 2)
    command line: "C:\ProgramData\IkoMoYQM\twoEkocI.exe"
    signatures: Executes dropped EXE; Adds Run key to start application
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\setup.exe
    signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\setup.exe (depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\setup.exe
      signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\reg.exe (depth 2)
    command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    signatures: Modifies registry key
  - C:\Windows\SysWOW64\reg.exe (depth 2)
    command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    signatures: Modifies registry key
  - C:\Windows\SysWOW64\reg.exe (depth 2)
    command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    signatures: Modifies registry key
- C:\ProgramData\DEsAcUgY\nAsockUY.exe (depth 1)
  command line: C:\ProgramData\DEsAcUgY\nAsockUY.exe
  signatures: Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\DEsAcUgY\nAsockUY.exe
  MD5: ba86553a4af448db0cb0c1dcaffccc5f
  SHA1: 52cab35a1ffeb137078f1e2128b7cea4836358c4
  SHA256: e7f19187e01037beeca1d33b7e77cd30902903a6ad27ba3bd56ff2a07ecfb2cf
  SHA512: dfa47a18f4f9c64e146c566818d6ca642b3dbc7d9663e5ed0e03258db75d79c704c09c319d74f930eb2b30b8d9e020a04c7f44e09eb9fb16635a15f0d624e22f
- C:\ProgramData\IkoMoYQM\twoEkocI.exe
  MD5: 662e66cb1617ea20760af008580af6df
  SHA1: 3944aaacef544a9428744e28d201e1cc3990be62
  SHA256: c7cfb18a366fcbaf3ec5939387705aa5fbd2ce2e34233bb9d8d71937ea9f2eca
  SHA512: 53f40d853917d8f20b13f28391d1f0e928b80cfbf832d9313ac1b14837431017e6323725b21cf7e6e0ce5986cfd38792bdaad67c3a8378f3f36d53a50e783099
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  MD5: 25f9dd08ee87842b0aa86c612e86b414
  SHA1: 406d0d70ea72db3476740e39eaa4e0b3e3ea1ad8
  SHA256: 35fb21a9f04f0caffc96914a5961d318e78b8500e0611a1d110932df7d61c834
  SHA512: dbd6fd8484d90848580aec84aeb9c7942bf1963b413849d5d178b511fd0e54b6d0b4e963d515fc98590de2d9d3e9aafca146cf39d554fd53af756aff8a64a4d5
- C:\Users\Admin\LWQEkggA\qosUMsAc.exe
  MD5: 520244c059c583c403c19a49b62ded1a
  SHA1: ea3d59bfa76bbf2cd952889fc4bf40b9cf6a741a
  SHA256: 3c0bf06213eb5b07b40bb2c6db2d8e629f417b22dd569adf4387d046fbb4b4e0
  SHA512: 7244ec881ad7c6120223211911bf90bed427d7d4f960bfeae06a8fc364bfcd2dcb425a898ce54af77d83422aeaec4fc7fc8c3d53dfc78f1a4105981866dac984
- memory/1780-125-0x0000000000000000-mapping.dmp
- memory/2464-122-0x0000000000000000-mapping.dmp
- memory/2708-117-0x0000000000000000-mapping.dmp
- memory/2776-123-0x0000000000000000-mapping.dmp
- memory/2796-126-0x0000000000000000-mapping.dmp
- memory/3080-114-0x0000000000000000-mapping.dmp
- memory/3556-124-0x0000000000000000-mapping.dmp