147587e77bfd38e2818c96628981744e716aa058dfe6a1ace8e1a1c5cee421be

General

Target

dd5ea9e9_by_Libranalysis.exe
Size

680KB
MD5

dd5ea9e96c9c000379ff5ce132dcc754
SHA1

22fc09ab3506dd5e2ec0688c80763c0bb81ff3ab
SHA256

147587e77bfd38e2818c96628981744e716aa058dfe6a1ace8e1a1c5cee421be
SHA512

08c298e72b3915920f0f9a7cdb848d6721a001c6f3fdd2f0b2f5b8df0493da53dc936d97882a6ec42b013d7f09f0b2e6bded52d2d0a7425a43260ff8c899a537

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

dd5ea9e9_by_Libranalysis.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\IkoMoYQM\\twoEkocI.exe,"	dd5ea9e9_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\IkoMoYQM\\twoEkocI.exe,"	dd5ea9e9_by_Libranalysis.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 4 IoCs

Processes:

qosUMsAc.exetwoEkocI.exenAsockUY.exesetup.exe

pid process

3080 qosUMsAc.exe
2708 twoEkocI.exe
4012 nAsockUY.exe
2796 setup.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

qosUMsAc.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation qosUMsAc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	qosUMsAc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

nAsockUY.exedd5ea9e9_by_Libranalysis.exeqosUMsAc.exetwoEkocI.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\twoEkocI.exe = "C:\\ProgramData\\IkoMoYQM\\twoEkocI.exe"	nAsockUY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\qosUMsAc.exe = "C:\\Users\\Admin\\LWQEkggA\\qosUMsAc.exe"	dd5ea9e9_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\qosUMsAc.exe = "C:\\Users\\Admin\\LWQEkggA\\qosUMsAc.exe"	qosUMsAc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\twoEkocI.exe = "C:\\ProgramData\\IkoMoYQM\\twoEkocI.exe"	dd5ea9e9_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\twoEkocI.exe = "C:\\ProgramData\\IkoMoYQM\\twoEkocI.exe"	twoEkocI.exe

Drops file in System32 directory 6 IoCs

Processes:

nAsockUY.exeqosUMsAc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\LWQEkggA	nAsockUY.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\LWQEkggA\qosUMsAc	nAsockUY.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	qosUMsAc.exe
File opened for modification	C:\Windows\SysWOW64\sheHideUnblock.jpg	qosUMsAc.exe
File opened for modification	C:\Windows\SysWOW64\sheInvokeExit.bmp	qosUMsAc.exe
File opened for modification	C:\Windows\SysWOW64\sheMoveStep.exe	qosUMsAc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

1780 reg.exe
3556 reg.exe
2776 reg.exe

pid	process
1780	reg.exe
3556	reg.exe
2776	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dd5ea9e9_by_Libranalysis.exeqosUMsAc.exe

pid	process
2672	dd5ea9e9_by_Libranalysis.exe
2672	dd5ea9e9_by_Libranalysis.exe
2672	dd5ea9e9_by_Libranalysis.exe
2672	dd5ea9e9_by_Libranalysis.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

qosUMsAc.exe

pid process

3080 qosUMsAc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

qosUMsAc.exe

pid	process
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe
3080	qosUMsAc.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

dd5ea9e9_by_Libranalysis.execmd.exe

description	pid	process	target process
PID 2672 wrote to memory of 3080	2672	dd5ea9e9_by_Libranalysis.exe	qosUMsAc.exe
PID 2672 wrote to memory of 3080	2672	dd5ea9e9_by_Libranalysis.exe	qosUMsAc.exe
PID 2672 wrote to memory of 3080	2672	dd5ea9e9_by_Libranalysis.exe	qosUMsAc.exe
PID 2672 wrote to memory of 2708	2672	dd5ea9e9_by_Libranalysis.exe	twoEkocI.exe
PID 2672 wrote to memory of 2708	2672	dd5ea9e9_by_Libranalysis.exe	twoEkocI.exe
PID 2672 wrote to memory of 2708	2672	dd5ea9e9_by_Libranalysis.exe	twoEkocI.exe
PID 2672 wrote to memory of 2464	2672	dd5ea9e9_by_Libranalysis.exe	cmd.exe
PID 2672 wrote to memory of 2464	2672	dd5ea9e9_by_Libranalysis.exe	cmd.exe
PID 2672 wrote to memory of 2464	2672	dd5ea9e9_by_Libranalysis.exe	cmd.exe
PID 2672 wrote to memory of 2776	2672	dd5ea9e9_by_Libranalysis.exe	reg.exe
PID 2672 wrote to memory of 2776	2672	dd5ea9e9_by_Libranalysis.exe	reg.exe
PID 2672 wrote to memory of 2776	2672	dd5ea9e9_by_Libranalysis.exe	reg.exe
PID 2672 wrote to memory of 3556	2672	dd5ea9e9_by_Libranalysis.exe	reg.exe
PID 2672 wrote to memory of 3556	2672	dd5ea9e9_by_Libranalysis.exe	reg.exe
PID 2672 wrote to memory of 3556	2672	dd5ea9e9_by_Libranalysis.exe	reg.exe
PID 2672 wrote to memory of 1780	2672	dd5ea9e9_by_Libranalysis.exe	reg.exe
PID 2672 wrote to memory of 1780	2672	dd5ea9e9_by_Libranalysis.exe	reg.exe
PID 2672 wrote to memory of 1780	2672	dd5ea9e9_by_Libranalysis.exe	reg.exe
PID 2464 wrote to memory of 2796	2464	cmd.exe	setup.exe
PID 2464 wrote to memory of 2796	2464	cmd.exe	setup.exe
PID 2464 wrote to memory of 2796	2464	cmd.exe	setup.exe

C:\Users\Admin\AppData\Local\Temp\dd5ea9e9_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\dd5ea9e9_by_Libranalysis.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\LWQEkggA\qosUMsAc.exe
"C:\Users\Admin\LWQEkggA\qosUMsAc.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3080

C:\ProgramData\IkoMoYQM\twoEkocI.exe
"C:\ProgramData\IkoMoYQM\twoEkocI.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\setup.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2464

C:\Users\Admin\AppData\Local\Temp\setup.exe
C:\Users\Admin\AppData\Local\Temp\setup.exe
3⤵
- Executes dropped EXE
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:2776

C:\ProgramData\DEsAcUgY\nAsockUY.exe
C:\ProgramData\DEsAcUgY\nAsockUY.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

5

T1112

Hidden Files and Directories

1

T1158

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DEsAcUgY\nAsockUY.exe
MD5
ba86553a4af448db0cb0c1dcaffccc5f

SHA1
52cab35a1ffeb137078f1e2128b7cea4836358c4

SHA256
e7f19187e01037beeca1d33b7e77cd30902903a6ad27ba3bd56ff2a07ecfb2cf

SHA512
dfa47a18f4f9c64e146c566818d6ca642b3dbc7d9663e5ed0e03258db75d79c704c09c319d74f930eb2b30b8d9e020a04c7f44e09eb9fb16635a15f0d624e22f

Download Submit
C:\ProgramData\DEsAcUgY\nAsockUY.exe
MD5
ba86553a4af448db0cb0c1dcaffccc5f

SHA1
52cab35a1ffeb137078f1e2128b7cea4836358c4

SHA256
e7f19187e01037beeca1d33b7e77cd30902903a6ad27ba3bd56ff2a07ecfb2cf

SHA512
dfa47a18f4f9c64e146c566818d6ca642b3dbc7d9663e5ed0e03258db75d79c704c09c319d74f930eb2b30b8d9e020a04c7f44e09eb9fb16635a15f0d624e22f

Download Submit
C:\ProgramData\IkoMoYQM\twoEkocI.exe
MD5
662e66cb1617ea20760af008580af6df

SHA1
3944aaacef544a9428744e28d201e1cc3990be62

SHA256
c7cfb18a366fcbaf3ec5939387705aa5fbd2ce2e34233bb9d8d71937ea9f2eca

SHA512
53f40d853917d8f20b13f28391d1f0e928b80cfbf832d9313ac1b14837431017e6323725b21cf7e6e0ce5986cfd38792bdaad67c3a8378f3f36d53a50e783099

Download Submit
C:\ProgramData\IkoMoYQM\twoEkocI.exe
MD5
662e66cb1617ea20760af008580af6df

SHA1
3944aaacef544a9428744e28d201e1cc3990be62

SHA256
c7cfb18a366fcbaf3ec5939387705aa5fbd2ce2e34233bb9d8d71937ea9f2eca

SHA512
53f40d853917d8f20b13f28391d1f0e928b80cfbf832d9313ac1b14837431017e6323725b21cf7e6e0ce5986cfd38792bdaad67c3a8378f3f36d53a50e783099

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
25f9dd08ee87842b0aa86c612e86b414

SHA1
406d0d70ea72db3476740e39eaa4e0b3e3ea1ad8

SHA256
35fb21a9f04f0caffc96914a5961d318e78b8500e0611a1d110932df7d61c834

SHA512
dbd6fd8484d90848580aec84aeb9c7942bf1963b413849d5d178b511fd0e54b6d0b4e963d515fc98590de2d9d3e9aafca146cf39d554fd53af756aff8a64a4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
25f9dd08ee87842b0aa86c612e86b414

SHA1
406d0d70ea72db3476740e39eaa4e0b3e3ea1ad8

SHA256
35fb21a9f04f0caffc96914a5961d318e78b8500e0611a1d110932df7d61c834

SHA512
dbd6fd8484d90848580aec84aeb9c7942bf1963b413849d5d178b511fd0e54b6d0b4e963d515fc98590de2d9d3e9aafca146cf39d554fd53af756aff8a64a4d5

Download Submit
C:\Users\Admin\LWQEkggA\qosUMsAc.exe
MD5
520244c059c583c403c19a49b62ded1a

SHA1
ea3d59bfa76bbf2cd952889fc4bf40b9cf6a741a

SHA256
3c0bf06213eb5b07b40bb2c6db2d8e629f417b22dd569adf4387d046fbb4b4e0

SHA512
7244ec881ad7c6120223211911bf90bed427d7d4f960bfeae06a8fc364bfcd2dcb425a898ce54af77d83422aeaec4fc7fc8c3d53dfc78f1a4105981866dac984

Download Submit
C:\Users\Admin\LWQEkggA\qosUMsAc.exe
MD5
520244c059c583c403c19a49b62ded1a

SHA1
ea3d59bfa76bbf2cd952889fc4bf40b9cf6a741a

SHA256
3c0bf06213eb5b07b40bb2c6db2d8e629f417b22dd569adf4387d046fbb4b4e0

SHA512
7244ec881ad7c6120223211911bf90bed427d7d4f960bfeae06a8fc364bfcd2dcb425a898ce54af77d83422aeaec4fc7fc8c3d53dfc78f1a4105981866dac984

Download Submit
memory/1780-125-0x0000000000000000-mapping.dmp

Download
memory/2464-122-0x0000000000000000-mapping.dmp

Download
memory/2708-117-0x0000000000000000-mapping.dmp

Download
memory/2776-123-0x0000000000000000-mapping.dmp

Download
memory/2796-126-0x0000000000000000-mapping.dmp

Download
memory/3080-114-0x0000000000000000-mapping.dmp

Download
memory/3556-124-0x0000000000000000-mapping.dmp

Download

pid	process
3080	qosUMsAc.exe
2708	twoEkocI.exe
4012	nAsockUY.exe
2796	setup.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads