158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e

General

Target

158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe
Size

1.0MB
MD5

55ac736a7fd1e0a00afb7a1bf889acf5
SHA1

dbd3f2f7553d5f3059a7144e2f4ae4f7d9e2e01c
SHA256

158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e
SHA512

3f0d00e4567295501b421e3e749fec215c9a119413b90fde56ac0eefcfd3727eb42bb9456196a818c5990bfb57de1649409dc9d159c2713a294c114160eb05d2

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\XyUYgMgw\\oeckQIEM.exe,"	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\XyUYgMgw\\oeckQIEM.exe,"	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 4 IoCs

Processes:

IywUYIUY.exeoeckQIEM.exelMgQcYYs.exeSetup.exe

pid process

2892 IywUYIUY.exe
3780 oeckQIEM.exe
192 lMgQcYYs.exe
1196 Setup.exe

pid	process
2892	IywUYIUY.exe
3780	oeckQIEM.exe
192	lMgQcYYs.exe
1196	Setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

oeckQIEM.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	oeckQIEM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

oeckQIEM.exelMgQcYYs.exe158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exeIywUYIUY.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oeckQIEM.exe = "C:\\ProgramData\\XyUYgMgw\\oeckQIEM.exe"	oeckQIEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oeckQIEM.exe = "C:\\ProgramData\\XyUYgMgw\\oeckQIEM.exe"	lMgQcYYs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\IywUYIUY.exe = "C:\\Users\\Admin\\fyMgEkUY\\IywUYIUY.exe"	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\IywUYIUY.exe = "C:\\Users\\Admin\\fyMgEkUY\\IywUYIUY.exe"	IywUYIUY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oeckQIEM.exe = "C:\\ProgramData\\XyUYgMgw\\oeckQIEM.exe"	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe

Drops file in System32 directory 4 IoCs

Processes:

lMgQcYYs.exeoeckQIEM.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\fyMgEkUY	lMgQcYYs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\fyMgEkUY\IywUYIUY	lMgQcYYs.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	oeckQIEM.exe
File opened for modification	C:\Windows\SysWOW64\sheProtectStep.jpg	oeckQIEM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

2216 reg.exe
1284 reg.exe
956 reg.exe

pid	process
2216	reg.exe
1284	reg.exe
956	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exeoeckQIEM.exe

pid	process
660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe
660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe
660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe
660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

oeckQIEM.exe

pid process

3780 oeckQIEM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

oeckQIEM.exe

pid	process
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe
3780	oeckQIEM.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Setup.exe

pid process

1196 Setup.exe
1196 Setup.exe
1196 Setup.exe

pid	process
1196	Setup.exe
1196	Setup.exe
1196	Setup.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.execmd.exe

description	pid	process	target process
PID 660 wrote to memory of 2892	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	IywUYIUY.exe
PID 660 wrote to memory of 2892	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	IywUYIUY.exe
PID 660 wrote to memory of 2892	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	IywUYIUY.exe
PID 660 wrote to memory of 3780	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	oeckQIEM.exe
PID 660 wrote to memory of 3780	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	oeckQIEM.exe
PID 660 wrote to memory of 3780	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	oeckQIEM.exe
PID 660 wrote to memory of 3744	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	cmd.exe
PID 660 wrote to memory of 3744	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	cmd.exe
PID 660 wrote to memory of 3744	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	cmd.exe
PID 660 wrote to memory of 2216	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	reg.exe
PID 660 wrote to memory of 2216	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	reg.exe
PID 660 wrote to memory of 2216	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	reg.exe
PID 660 wrote to memory of 956	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	reg.exe
PID 660 wrote to memory of 956	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	reg.exe
PID 660 wrote to memory of 956	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	reg.exe
PID 660 wrote to memory of 1284	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	reg.exe
PID 660 wrote to memory of 1284	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	reg.exe
PID 660 wrote to memory of 1284	660	158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe	reg.exe
PID 3744 wrote to memory of 1196	3744	cmd.exe	Setup.exe
PID 3744 wrote to memory of 1196	3744	cmd.exe	Setup.exe
PID 3744 wrote to memory of 1196	3744	cmd.exe	Setup.exe

C:\Users\Admin\AppData\Local\Temp\158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe
"C:\Users\Admin\AppData\Local\Temp\158a1982fe4817594301200a8cbadf44d0b893bdd9060f9e7790fae0b556ef9e.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\fyMgEkUY\IywUYIUY.exe
"C:\Users\Admin\fyMgEkUY\IywUYIUY.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2892

C:\ProgramData\XyUYgMgw\oeckQIEM.exe
"C:\ProgramData\XyUYgMgw\oeckQIEM.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:956

C:\ProgramData\AmMwEkMQ\lMgQcYYs.exe
C:\ProgramData\AmMwEkMQ\lMgQcYYs.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

5

T1112

Hidden Files and Directories

1

T1158

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AmMwEkMQ\lMgQcYYs.exe
MD5
99b2f2905f7f0690ce591c606b8c55a3

SHA1
ce14bdae8f87322e536ac0cf8ce4620fe04fdc6d

SHA256
74ecae225809e3c1fe0d1b795d76dfdd41f6a6f66d238e71bca510c6d27c2a1f

SHA512
f940c952aaae0dd922dbbc08d5ee1fd9e4618cf9b1d1c83fe21fc65f86eced13ad0b96cab9d1ed7554106f7531808753f5e87b890884c042250237c68ca079c6

Download Submit
C:\ProgramData\AmMwEkMQ\lMgQcYYs.exe
MD5
99b2f2905f7f0690ce591c606b8c55a3

SHA1
ce14bdae8f87322e536ac0cf8ce4620fe04fdc6d

SHA256
74ecae225809e3c1fe0d1b795d76dfdd41f6a6f66d238e71bca510c6d27c2a1f

SHA512
f940c952aaae0dd922dbbc08d5ee1fd9e4618cf9b1d1c83fe21fc65f86eced13ad0b96cab9d1ed7554106f7531808753f5e87b890884c042250237c68ca079c6

Download Submit
C:\ProgramData\XyUYgMgw\oeckQIEM.exe
MD5
9d3123c39b6ec74d7f04b150adb480eb

SHA1
f49010252e02a0695b689faa5432ed0eda57973f

SHA256
544dbc13df63cdd0723b46f9fdfb55f0e55bb3f5da8f21b956cddac5fe9d193b

SHA512
c69a9e9cb5b0e435bbc5763f48a405f4688101287123eeca5ec5d2370539af91d4bfd3736c87471bd3dba9259e06108fd914dcfd4afaa8e3a3a65270bf991323

Download Submit
C:\ProgramData\XyUYgMgw\oeckQIEM.exe
MD5
9d3123c39b6ec74d7f04b150adb480eb

SHA1
f49010252e02a0695b689faa5432ed0eda57973f

SHA256
544dbc13df63cdd0723b46f9fdfb55f0e55bb3f5da8f21b956cddac5fe9d193b

SHA512
c69a9e9cb5b0e435bbc5763f48a405f4688101287123eeca5ec5d2370539af91d4bfd3736c87471bd3dba9259e06108fd914dcfd4afaa8e3a3a65270bf991323

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
MD5
96f7cb9f7481a279bd4bc0681a3b993e

SHA1
deaedb5becc6c0bd263d7cf81e0909b912a1afd4

SHA256
d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290

SHA512
694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
MD5
96f7cb9f7481a279bd4bc0681a3b993e

SHA1
deaedb5becc6c0bd263d7cf81e0909b912a1afd4

SHA256
d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290

SHA512
694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

Download Submit
C:\Users\Admin\fyMgEkUY\IywUYIUY.exe
MD5
286bb1450e6afda450968f742231fbba

SHA1
15887807dda4d7c320e6204677e1758d81a0565d

SHA256
e90dca3a771d43e438cd0d799ae66f79b0c6a8b89d8a2ad0665c2d695a0c6e0d

SHA512
1a17df021ecef07f06b1125422dd31736e1c0a6fe0ed0fdab70ca1f92c4c66b0c62eb5542f826975fbfa15c5a451328b780751cf42a433148dba7577306542ce

Download Submit
C:\Users\Admin\fyMgEkUY\IywUYIUY.exe
MD5
286bb1450e6afda450968f742231fbba

SHA1
15887807dda4d7c320e6204677e1758d81a0565d

SHA256
e90dca3a771d43e438cd0d799ae66f79b0c6a8b89d8a2ad0665c2d695a0c6e0d

SHA512
1a17df021ecef07f06b1125422dd31736e1c0a6fe0ed0fdab70ca1f92c4c66b0c62eb5542f826975fbfa15c5a451328b780751cf42a433148dba7577306542ce

Download Submit
memory/956-124-0x0000000000000000-mapping.dmp

Download
memory/1196-126-0x0000000000000000-mapping.dmp

Download
memory/1284-125-0x0000000000000000-mapping.dmp

Download
memory/2216-123-0x0000000000000000-mapping.dmp

Download
memory/2892-114-0x0000000000000000-mapping.dmp

Download
memory/3744-122-0x0000000000000000-mapping.dmp

Download
memory/3780-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads