ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252

General

Target

ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe
Size

2.1MB
MD5

58b8d6df10fc2e2819250ec641eecd9f
SHA1

7ddd603ec1f95f5208ec20c10988e9ed562e94ea
SHA256

ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252
SHA512

ef9a8d0fccfff7d75aa6180eda6a09b0ea1accb5d5e99ec3ac2e28151f6d76a25f702003af675b5937e2ec98a4f7d5eb6a921e9bede3b7e8a3fcc459e76d900c

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\NWEosUkQ\\BiIMcAYY.exe,"	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\NWEosUkQ\\BiIMcAYY.exe,"	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 4 IoCs

Processes:

uQcMUUEs.exeBiIMcAYY.exeggQUYQkY.exeSDKSetup.exe

pid process

2220 uQcMUUEs.exe
1480 BiIMcAYY.exe
1952 ggQUYQkY.exe
2768 SDKSetup.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

BiIMcAYY.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation BiIMcAYY.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2220	uQcMUUEs.exe
1480	BiIMcAYY.exe
1952	ggQUYQkY.exe
2768	SDKSetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	BiIMcAYY.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

BiIMcAYY.exeggQUYQkY.exeebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exeuQcMUUEs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BiIMcAYY.exe = "C:\\ProgramData\\NWEosUkQ\\BiIMcAYY.exe"	BiIMcAYY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BiIMcAYY.exe = "C:\\ProgramData\\NWEosUkQ\\BiIMcAYY.exe"	ggQUYQkY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\uQcMUUEs.exe = "C:\\Users\\Admin\\HMEsIkIk\\uQcMUUEs.exe"	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\uQcMUUEs.exe = "C:\\Users\\Admin\\HMEsIkIk\\uQcMUUEs.exe"	uQcMUUEs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BiIMcAYY.exe = "C:\\ProgramData\\NWEosUkQ\\BiIMcAYY.exe"	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe

Drops file in System32 directory 6 IoCs

Processes:

BiIMcAYY.exeggQUYQkY.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	BiIMcAYY.exe
File opened for modification	C:\Windows\SysWOW64\sheHideUnblock.jpg	BiIMcAYY.exe
File opened for modification	C:\Windows\SysWOW64\sheInvokeExit.bmp	BiIMcAYY.exe
File opened for modification	C:\Windows\SysWOW64\sheMoveStep.exe	BiIMcAYY.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\HMEsIkIk	ggQUYQkY.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\HMEsIkIk\uQcMUUEs	ggQUYQkY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

2732 reg.exe
1780 reg.exe
528 reg.exe

pid	process
2732	reg.exe
1780	reg.exe
528	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exeSDKSetup.exeBiIMcAYY.exe

pid	process
4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe
4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe
4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe
4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe
2768	SDKSetup.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

BiIMcAYY.exe

pid process

1480 BiIMcAYY.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SDKSetup.exe

description pid process

Token: SeDebugPrivilege 2768 SDKSetup.exe

description	pid	process
Token: SeDebugPrivilege	2768	SDKSetup.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

BiIMcAYY.exe

pid	process
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe
1480	BiIMcAYY.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.execmd.exe

description	pid	process	target process
PID 4060 wrote to memory of 2220	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	uQcMUUEs.exe
PID 4060 wrote to memory of 2220	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	uQcMUUEs.exe
PID 4060 wrote to memory of 2220	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	uQcMUUEs.exe
PID 4060 wrote to memory of 1480	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	BiIMcAYY.exe
PID 4060 wrote to memory of 1480	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	BiIMcAYY.exe
PID 4060 wrote to memory of 1480	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	BiIMcAYY.exe
PID 4060 wrote to memory of 2468	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	cmd.exe
PID 4060 wrote to memory of 2468	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	cmd.exe
PID 4060 wrote to memory of 2468	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	cmd.exe
PID 4060 wrote to memory of 2732	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	reg.exe
PID 4060 wrote to memory of 2732	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	reg.exe
PID 4060 wrote to memory of 2732	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	reg.exe
PID 4060 wrote to memory of 528	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	reg.exe
PID 4060 wrote to memory of 528	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	reg.exe
PID 4060 wrote to memory of 528	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	reg.exe
PID 2468 wrote to memory of 2768	2468	cmd.exe	SDKSetup.exe
PID 2468 wrote to memory of 2768	2468	cmd.exe	SDKSetup.exe
PID 4060 wrote to memory of 1780	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	reg.exe
PID 4060 wrote to memory of 1780	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	reg.exe
PID 4060 wrote to memory of 1780	4060	ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe
"C:\Users\Admin\AppData\Local\Temp\ebbaf2b63b0578cee52b64718052ac71f38d7c533a4489abb4e1076d140de252.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4060

C:\Users\Admin\HMEsIkIk\uQcMUUEs.exe
"C:\Users\Admin\HMEsIkIk\uQcMUUEs.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2220

C:\ProgramData\NWEosUkQ\BiIMcAYY.exe
"C:\ProgramData\NWEosUkQ\BiIMcAYY.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\SDKSetup.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Temp\SDKSetup.exe
C:\Users\Admin\AppData\Local\Temp\SDKSetup.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:528

C:\ProgramData\qWsQUUkA\ggQUYQkY.exe
C:\ProgramData\qWsQUUkA\ggQUYQkY.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

5

T1112

Hidden Files and Directories

1

T1158

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NWEosUkQ\BiIMcAYY.exe
MD5
b2f1c905267d0455f79f1a516d1158ae

SHA1
36b5946e143e3cd09282a1a8f359ec9bea425d00

SHA256
f6e4d9678b3813403ee6df7b0a8527f5c27120f271106af1009abef4fc32b0ee

SHA512
70a0007b92b0cb23f18278f2dd862204fd1bd11e0e2711866b9ad8613e9422a4e9136c39bbd704e651452eb6e4c37c2568fbc3885d884f20bb4798e4052bb51b

Download Submit
C:\ProgramData\NWEosUkQ\BiIMcAYY.exe
MD5
b2f1c905267d0455f79f1a516d1158ae

SHA1
36b5946e143e3cd09282a1a8f359ec9bea425d00

SHA256
f6e4d9678b3813403ee6df7b0a8527f5c27120f271106af1009abef4fc32b0ee

SHA512
70a0007b92b0cb23f18278f2dd862204fd1bd11e0e2711866b9ad8613e9422a4e9136c39bbd704e651452eb6e4c37c2568fbc3885d884f20bb4798e4052bb51b

Download Submit
C:\ProgramData\qWsQUUkA\ggQUYQkY.exe
MD5
052e8ce0d1c3a1ed0066c51cb024d7cd

SHA1
b55963a7519961659e119f68882066c075ee12f3

SHA256
3791155febf0e1b2f2c23b13558de74f674c9934df262cddb593449d6123d3b0

SHA512
ff5494b019d9222a60b8938e2c90ce428e00c1a707770fd6db7792b1c85fa3f57c8518e9c22dae9a4392787671b96bc4b77fbd02c246f00e8fe20dc3005ad15e

Download Submit
C:\ProgramData\qWsQUUkA\ggQUYQkY.exe
MD5
052e8ce0d1c3a1ed0066c51cb024d7cd

SHA1
b55963a7519961659e119f68882066c075ee12f3

SHA256
3791155febf0e1b2f2c23b13558de74f674c9934df262cddb593449d6123d3b0

SHA512
ff5494b019d9222a60b8938e2c90ce428e00c1a707770fd6db7792b1c85fa3f57c8518e9c22dae9a4392787671b96bc4b77fbd02c246f00e8fe20dc3005ad15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SDKSetup.exe
MD5
772e1dc9442497aaa78f4f377d5e289d

SHA1
37ad65c7c451ce87e98db4b0b7d1531a730a9134

SHA256
5f8fff194eaff9e3da3a334cbc08ec942fe4ec107e575d61f2301ba85b8f3800

SHA512
b4912dc967fd355956daa8e231e6bdfcf17238986e2e273ebaf70e3706f1d0ad19cccafedd0aa71cd138df351f2b74147fe868ef326b5dde135d628c0c386b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SDKSetup.exe
MD5
772e1dc9442497aaa78f4f377d5e289d

SHA1
37ad65c7c451ce87e98db4b0b7d1531a730a9134

SHA256
5f8fff194eaff9e3da3a334cbc08ec942fe4ec107e575d61f2301ba85b8f3800

SHA512
b4912dc967fd355956daa8e231e6bdfcf17238986e2e273ebaf70e3706f1d0ad19cccafedd0aa71cd138df351f2b74147fe868ef326b5dde135d628c0c386b8e

Download Submit
C:\Users\Admin\HMEsIkIk\uQcMUUEs.exe
MD5
6e5c98b4be5c3a9725d7d633b139595a

SHA1
28cea3b3dc392a4581e219ed5f78ed24b91f41bf

SHA256
3f2bca8cf20ec3a8db948a63f16372eba579dfa00bd906a40cac9a9f1d20e12e

SHA512
16d8c1815783371ab21a51469c4d6535d50bb28aab091e5ba10da08a4f7f519ff084795a4fdbe8a05707c9576114774929812857fa83f444c7c2d264668cfb79

Download Submit
C:\Users\Admin\HMEsIkIk\uQcMUUEs.exe
MD5
6e5c98b4be5c3a9725d7d633b139595a

SHA1
28cea3b3dc392a4581e219ed5f78ed24b91f41bf

SHA256
3f2bca8cf20ec3a8db948a63f16372eba579dfa00bd906a40cac9a9f1d20e12e

SHA512
16d8c1815783371ab21a51469c4d6535d50bb28aab091e5ba10da08a4f7f519ff084795a4fdbe8a05707c9576114774929812857fa83f444c7c2d264668cfb79

Download Submit
memory/528-124-0x0000000000000000-mapping.dmp

Download
memory/1480-117-0x0000000000000000-mapping.dmp

Download
memory/1780-128-0x0000000000000000-mapping.dmp

Download
memory/2220-114-0x0000000000000000-mapping.dmp

Download
memory/2468-122-0x0000000000000000-mapping.dmp

Download
memory/2732-123-0x0000000000000000-mapping.dmp

Download
memory/2768-125-0x0000000000000000-mapping.dmp

Download
memory/2768-129-0x00000000023E0000-0x00000000023E2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads