d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742

General

Target

d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe
Size

1.6MB
MD5

2b8c9b2b7c5a2700f69abaaaae527c40
SHA1

fa0deb5fb3a10c75538edf79a79aeff532ed7bc5
SHA256

d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742
SHA512

310acbe057d2efe25265712b3a60db46ea32a68775b3857e712dccf2cd89afe3df78e7b90a123de262927a09a8d2f28a17f590be7ed658e0487851c2eda3421b

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\pcooMMUE\\VIcYAEss.exe,"	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\pcooMMUE\\VIcYAEss.exe,"	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 4 IoCs

Processes:

eukcsQck.exeVIcYAEss.exeyyssUwQI.exesetup.exe

pid process

3740 eukcsQck.exe
4024 VIcYAEss.exe
412 yyssUwQI.exe
1600 setup.exe

pid	process
3740	eukcsQck.exe
4024	VIcYAEss.exe
412	yyssUwQI.exe
1600	setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VIcYAEss.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	VIcYAEss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

eukcsQck.exeVIcYAEss.exeyyssUwQI.exed9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\eukcsQck.exe = "C:\\Users\\Admin\\TukwEAAQ\\eukcsQck.exe"	eukcsQck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VIcYAEss.exe = "C:\\ProgramData\\pcooMMUE\\VIcYAEss.exe"	VIcYAEss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VIcYAEss.exe = "C:\\ProgramData\\pcooMMUE\\VIcYAEss.exe"	yyssUwQI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\eukcsQck.exe = "C:\\Users\\Admin\\TukwEAAQ\\eukcsQck.exe"	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VIcYAEss.exe = "C:\\ProgramData\\pcooMMUE\\VIcYAEss.exe"	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe

Drops file in System32 directory 4 IoCs

Processes:

yyssUwQI.exeVIcYAEss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\TukwEAAQ\eukcsQck	yyssUwQI.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	VIcYAEss.exe
File opened for modification	C:\Windows\SysWOW64\sheUninstallWait.mpg	VIcYAEss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\TukwEAAQ	yyssUwQI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

212 reg.exe
2304 reg.exe
1352 reg.exe

pid	process
212	reg.exe
2304	reg.exe
1352	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exeVIcYAEss.exe

pid	process
740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe
740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe
740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe
740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

VIcYAEss.exe

pid process

4024 VIcYAEss.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

VIcYAEss.exe

pid	process
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe
4024	VIcYAEss.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.execmd.exe

description	pid	process	target process
PID 740 wrote to memory of 3740	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	eukcsQck.exe
PID 740 wrote to memory of 3740	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	eukcsQck.exe
PID 740 wrote to memory of 3740	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	eukcsQck.exe
PID 740 wrote to memory of 4024	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	VIcYAEss.exe
PID 740 wrote to memory of 4024	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	VIcYAEss.exe
PID 740 wrote to memory of 4024	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	VIcYAEss.exe
PID 740 wrote to memory of 544	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	cmd.exe
PID 740 wrote to memory of 544	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	cmd.exe
PID 740 wrote to memory of 544	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	cmd.exe
PID 740 wrote to memory of 212	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	reg.exe
PID 740 wrote to memory of 212	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	reg.exe
PID 740 wrote to memory of 212	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	reg.exe
PID 740 wrote to memory of 2304	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	reg.exe
PID 740 wrote to memory of 2304	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	reg.exe
PID 740 wrote to memory of 2304	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	reg.exe
PID 740 wrote to memory of 1352	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	reg.exe
PID 740 wrote to memory of 1352	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	reg.exe
PID 740 wrote to memory of 1352	740	d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe	reg.exe
PID 544 wrote to memory of 1600	544	cmd.exe	setup.exe
PID 544 wrote to memory of 1600	544	cmd.exe	setup.exe
PID 544 wrote to memory of 1600	544	cmd.exe	setup.exe

C:\Users\Admin\AppData\Local\Temp\d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe
"C:\Users\Admin\AppData\Local\Temp\d9ac8cb2cac5a0eb7a96d928cb3c384c747813eed62e5acbcc58989341d4b742.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\TukwEAAQ\eukcsQck.exe
"C:\Users\Admin\TukwEAAQ\eukcsQck.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3740

C:\ProgramData\pcooMMUE\VIcYAEss.exe
"C:\ProgramData\pcooMMUE\VIcYAEss.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\setup.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\Temp\setup.exe
C:\Users\Admin\AppData\Local\Temp\setup.exe
3⤵
- Executes dropped EXE
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:1352

C:\ProgramData\KmogcYwc\yyssUwQI.exe
C:\ProgramData\KmogcYwc\yyssUwQI.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

5

T1112

Hidden Files and Directories

1

T1158

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KmogcYwc\yyssUwQI.exe
MD5
6c69c74a5a227927b9b4b5363a9033bb

SHA1
b0d280c590ef9f50e2e61699b40ca25d0d55efa5

SHA256
7e82b3f4be8329b49463492ba14ed9681b39faeae767115f4c482b6438e923af

SHA512
48192f96a0eb4646039bf4da3f5aa2073bb44f5e9c82b8db19377de12bf17d4465305ec0c706576eea45c0f6dd9245c9983a3b0b56ecb23614f1c8e9000fa1c4

Download Submit
C:\ProgramData\KmogcYwc\yyssUwQI.exe
MD5
6c69c74a5a227927b9b4b5363a9033bb

SHA1
b0d280c590ef9f50e2e61699b40ca25d0d55efa5

SHA256
7e82b3f4be8329b49463492ba14ed9681b39faeae767115f4c482b6438e923af

SHA512
48192f96a0eb4646039bf4da3f5aa2073bb44f5e9c82b8db19377de12bf17d4465305ec0c706576eea45c0f6dd9245c9983a3b0b56ecb23614f1c8e9000fa1c4

Download Submit
C:\ProgramData\pcooMMUE\VIcYAEss.exe
MD5
c728649c7e321de80896eda5faf47808

SHA1
31f9b5c6c15a749d9d69b8592af8765321f9e31f

SHA256
a19bf50798c57e1d7a73bcb9baefc90bd78f5115a9f0e2149d6c118788255ada

SHA512
db42f45783f21b593e7e0a6d75f2626f928dc92b8888f1af1242d7397e0cc7c57f95b20f853a66f717866a09b8c36c3ab7097bf65a40a942439970600ef2f2a0

Download Submit
C:\ProgramData\pcooMMUE\VIcYAEss.exe
MD5
c728649c7e321de80896eda5faf47808

SHA1
31f9b5c6c15a749d9d69b8592af8765321f9e31f

SHA256
a19bf50798c57e1d7a73bcb9baefc90bd78f5115a9f0e2149d6c118788255ada

SHA512
db42f45783f21b593e7e0a6d75f2626f928dc92b8888f1af1242d7397e0cc7c57f95b20f853a66f717866a09b8c36c3ab7097bf65a40a942439970600ef2f2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
C:\Users\Admin\TukwEAAQ\eukcsQck.exe
MD5
f4bd1aa3b6840db3df49185d0fa7d8ef

SHA1
c806da0dd645575a48e0fc0a059b91190f29524b

SHA256
7ad43b19b73aff2d3f4def64cc56d6247384a0f2f1473c0de83f9cc1dc805355

SHA512
308f33b7ea88f466b64834a28d523cccb4f4bfe58802634fa85631c30e602c59e6c668d338b0f4ff21a2a1a5569e9d796b79a08bb3df706dab071b5e32be3d2f

Download Submit
C:\Users\Admin\TukwEAAQ\eukcsQck.exe
MD5
f4bd1aa3b6840db3df49185d0fa7d8ef

SHA1
c806da0dd645575a48e0fc0a059b91190f29524b

SHA256
7ad43b19b73aff2d3f4def64cc56d6247384a0f2f1473c0de83f9cc1dc805355

SHA512
308f33b7ea88f466b64834a28d523cccb4f4bfe58802634fa85631c30e602c59e6c668d338b0f4ff21a2a1a5569e9d796b79a08bb3df706dab071b5e32be3d2f

Download Submit
memory/212-123-0x0000000000000000-mapping.dmp

Download
memory/544-122-0x0000000000000000-mapping.dmp

Download
memory/1352-125-0x0000000000000000-mapping.dmp

Download
memory/1600-126-0x0000000000000000-mapping.dmp

Download
memory/2304-124-0x0000000000000000-mapping.dmp

Download
memory/3740-114-0x0000000000000000-mapping.dmp

Download
memory/4024-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads