6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b

General

Target

6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe
Size

626KB
MD5

9e10b8240003873cfe523f78ec5f693d
SHA1

a902ef719ebcd1e7eca41d41f8985bea7f345406
SHA256

6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b
SHA512

bdcf32ad849638cdc4b09b7c0af5738676271e61391e0b86bf709b975aea2958b8015b4fb661b6917412cbd27fe1b2753d6fc487983e1acadbc307f7784c488c

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\LYMwkwww\\AsYEUgAY.exe,"	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\LYMwkwww\\AsYEUgAY.exe,"	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 4 IoCs

Processes:

nOMIkYkQ.exeAsYEUgAY.exedswUEwQA.execver.exe

pid process

1908 nOMIkYkQ.exe
2572 AsYEUgAY.exe
3992 dswUEwQA.exe
3848 cver.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

nOMIkYkQ.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation nOMIkYkQ.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	nOMIkYkQ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exenOMIkYkQ.exeAsYEUgAY.exedswUEwQA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\nOMIkYkQ.exe = "C:\\Users\\Admin\\xOYUUMAA\\nOMIkYkQ.exe"	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AsYEUgAY.exe = "C:\\ProgramData\\LYMwkwww\\AsYEUgAY.exe"	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\nOMIkYkQ.exe = "C:\\Users\\Admin\\xOYUUMAA\\nOMIkYkQ.exe"	nOMIkYkQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AsYEUgAY.exe = "C:\\ProgramData\\LYMwkwww\\AsYEUgAY.exe"	AsYEUgAY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AsYEUgAY.exe = "C:\\ProgramData\\LYMwkwww\\AsYEUgAY.exe"	dswUEwQA.exe

Drops file in System32 directory 4 IoCs

Processes:

nOMIkYkQ.exedswUEwQA.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	nOMIkYkQ.exe
File opened for modification	C:\Windows\SysWOW64\sheEnableRedo.zip	nOMIkYkQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\xOYUUMAA	dswUEwQA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\xOYUUMAA\nOMIkYkQ	dswUEwQA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

1112 reg.exe
8 reg.exe
4068 reg.exe

pid	process
1112	reg.exe
8	reg.exe
4068	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exenOMIkYkQ.exe

pid	process
1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe
1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe
1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe
1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

nOMIkYkQ.exe

pid process

1908 nOMIkYkQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

nOMIkYkQ.exe

pid	process
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe
1908	nOMIkYkQ.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.execmd.exe

description	pid	process	target process
PID 1892 wrote to memory of 1908	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	nOMIkYkQ.exe
PID 1892 wrote to memory of 1908	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	nOMIkYkQ.exe
PID 1892 wrote to memory of 1908	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	nOMIkYkQ.exe
PID 1892 wrote to memory of 2572	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	AsYEUgAY.exe
PID 1892 wrote to memory of 2572	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	AsYEUgAY.exe
PID 1892 wrote to memory of 2572	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	AsYEUgAY.exe
PID 1892 wrote to memory of 3564	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	cmd.exe
PID 1892 wrote to memory of 3564	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	cmd.exe
PID 1892 wrote to memory of 3564	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	cmd.exe
PID 1892 wrote to memory of 8	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	reg.exe
PID 1892 wrote to memory of 8	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	reg.exe
PID 1892 wrote to memory of 8	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	reg.exe
PID 1892 wrote to memory of 4068	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	reg.exe
PID 1892 wrote to memory of 4068	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	reg.exe
PID 1892 wrote to memory of 4068	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	reg.exe
PID 1892 wrote to memory of 1112	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	reg.exe
PID 1892 wrote to memory of 1112	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	reg.exe
PID 1892 wrote to memory of 1112	1892	6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe	reg.exe
PID 3564 wrote to memory of 3848	3564	cmd.exe	cver.exe
PID 3564 wrote to memory of 3848	3564	cmd.exe	cver.exe

C:\Users\Admin\AppData\Local\Temp\6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe
"C:\Users\Admin\AppData\Local\Temp\6aa81273480d8316e91582e10a203628d3944b8ec50aaf9450b6cc9ead32081b.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\xOYUUMAA\nOMIkYkQ.exe
"C:\Users\Admin\xOYUUMAA\nOMIkYkQ.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1908

C:\ProgramData\LYMwkwww\AsYEUgAY.exe
"C:\ProgramData\LYMwkwww\AsYEUgAY.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cver.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\Temp\cver.exe
C:\Users\Admin\AppData\Local\Temp\cver.exe
3⤵
- Executes dropped EXE
PID:3848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:1112

C:\ProgramData\XYwAwkIE\dswUEwQA.exe
C:\ProgramData\XYwAwkIE\dswUEwQA.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

5

T1112

Hidden Files and Directories

1

T1158

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LYMwkwww\AsYEUgAY.exe
MD5
79d79df6ab1126b77edaa346b42e8fef

SHA1
5da75a4a3fcbf09e2487193e4c853720cf09fb2a

SHA256
5c6e3d8046c8e767c85e1adbbed2b8443b94857adef2d6129b2c783fde3d428f

SHA512
c61a5c5f626abe6d835dd11d8705152e325aaa379398a370d507b94d7ac67be36b88d806a5c24f44dc8528cc5541e80bab27c248a9cb5a9f99efeb75a8936bbc

Download Submit
C:\ProgramData\LYMwkwww\AsYEUgAY.exe
MD5
79d79df6ab1126b77edaa346b42e8fef

SHA1
5da75a4a3fcbf09e2487193e4c853720cf09fb2a

SHA256
5c6e3d8046c8e767c85e1adbbed2b8443b94857adef2d6129b2c783fde3d428f

SHA512
c61a5c5f626abe6d835dd11d8705152e325aaa379398a370d507b94d7ac67be36b88d806a5c24f44dc8528cc5541e80bab27c248a9cb5a9f99efeb75a8936bbc

Download Submit
C:\ProgramData\XYwAwkIE\dswUEwQA.exe
MD5
59593c16a83b019f962ce4bd3d931a8a

SHA1
493d263f87e1070dce4e84e061e3f873007e73ce

SHA256
9f2bcfc6975e343679608bd01eaf7efa454384bde11e4ee2b26e5d92f1e96653

SHA512
690f53ac2866e4267ab786b23d613810ec846683fac73b92af83398ec83eb57aaa4c6082c5fb7bdfe71bf07ab479dfd3c6e25161728a0bdb377740c0c4141b3e

Download Submit
C:\ProgramData\XYwAwkIE\dswUEwQA.exe
MD5
59593c16a83b019f962ce4bd3d931a8a

SHA1
493d263f87e1070dce4e84e061e3f873007e73ce

SHA256
9f2bcfc6975e343679608bd01eaf7efa454384bde11e4ee2b26e5d92f1e96653

SHA512
690f53ac2866e4267ab786b23d613810ec846683fac73b92af83398ec83eb57aaa4c6082c5fb7bdfe71bf07ab479dfd3c6e25161728a0bdb377740c0c4141b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cver.exe
MD5
0d0b992d2d4b7619f49ee0458d3469b1

SHA1
5d9835b408a231902654d516b48843890f4130e5

SHA256
55c3f3f02b48a1e69d8b58d195c53f2d604acd890d09d7310272dcd289cf2d94

SHA512
8435b079d408689fabb3d8713c2d4b86f85f1b9bc4bc79427ee0ae069fafd23a703d71d481a1515bb98a31b90171a75a97c1ec6a9df63170a4961940e04494b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cver.exe
MD5
0d0b992d2d4b7619f49ee0458d3469b1

SHA1
5d9835b408a231902654d516b48843890f4130e5

SHA256
55c3f3f02b48a1e69d8b58d195c53f2d604acd890d09d7310272dcd289cf2d94

SHA512
8435b079d408689fabb3d8713c2d4b86f85f1b9bc4bc79427ee0ae069fafd23a703d71d481a1515bb98a31b90171a75a97c1ec6a9df63170a4961940e04494b7

Download Submit
C:\Users\Admin\xOYUUMAA\nOMIkYkQ.exe
MD5
12e12f0622279e2520cdebe2c6ed8311

SHA1
8df9696311037cc2a5e291a4cc40d4339e2f18d7

SHA256
bfd37e45734183db8f76bd48b2f269d17fdba1b21331fa20a66266c132c8cf88

SHA512
f81875c4230e3df4ba8cb8ce1b49029463e2143a8ed81b4a71c2ef1351d84eb02827f5c75a59846d5896e662aa286f13ceb91278fcf5713faf68bf6c47559488

Download Submit
C:\Users\Admin\xOYUUMAA\nOMIkYkQ.exe
MD5
12e12f0622279e2520cdebe2c6ed8311

SHA1
8df9696311037cc2a5e291a4cc40d4339e2f18d7

SHA256
bfd37e45734183db8f76bd48b2f269d17fdba1b21331fa20a66266c132c8cf88

SHA512
f81875c4230e3df4ba8cb8ce1b49029463e2143a8ed81b4a71c2ef1351d84eb02827f5c75a59846d5896e662aa286f13ceb91278fcf5713faf68bf6c47559488

Download Submit
memory/8-123-0x0000000000000000-mapping.dmp

Download
memory/1112-125-0x0000000000000000-mapping.dmp

Download
memory/1908-114-0x0000000000000000-mapping.dmp

Download
memory/2572-117-0x0000000000000000-mapping.dmp

Download
memory/3564-122-0x0000000000000000-mapping.dmp

Download
memory/3848-126-0x0000000000000000-mapping.dmp

Download
memory/3848-129-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/3848-131-0x000000001BB00000-0x000000001BB02000-memory.dmp

Filesize
8KB

Download
memory/4068-124-0x0000000000000000-mapping.dmp

Download

pid	process
1908	nOMIkYkQ.exe
2572	AsYEUgAY.exe
3992	dswUEwQA.exe
3848	cver.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads