1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47

General

Target

1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe
Size

1019KB
MD5

d80731db1bbef88fef86ecdb8ed74dc3
SHA1

e439a112d2cb675dc2989a5962f25a7eb4e53dd5
SHA256

1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47
SHA512

668ea73ee65a79f8a429fe70e51524c3d7499be4eca08626e22766384034b71eb2219936c72360caa96569ec5d9dafa511534a93a26b37b2ff920199116b0323

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\jmUYkwsw\\OCoEQUcc.exe,"	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\jmUYkwsw\\OCoEQUcc.exe,"	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 4 IoCs

Processes:

dKscscsc.exeOCoEQUcc.exeHYYAoskY.exesetup.exe

pid process

3036 dKscscsc.exe
3524 OCoEQUcc.exe
4004 HYYAoskY.exe
2328 setup.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

dKscscsc.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation dKscscsc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	dKscscsc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OCoEQUcc.exeHYYAoskY.exe1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exedKscscsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OCoEQUcc.exe = "C:\\ProgramData\\jmUYkwsw\\OCoEQUcc.exe"	OCoEQUcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OCoEQUcc.exe = "C:\\ProgramData\\jmUYkwsw\\OCoEQUcc.exe"	HYYAoskY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\dKscscsc.exe = "C:\\Users\\Admin\\cmgwUEow\\dKscscsc.exe"	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OCoEQUcc.exe = "C:\\ProgramData\\jmUYkwsw\\OCoEQUcc.exe"	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\dKscscsc.exe = "C:\\Users\\Admin\\cmgwUEow\\dKscscsc.exe"	dKscscsc.exe

Drops file in System32 directory 7 IoCs

Processes:

dKscscsc.exeHYYAoskY.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\sheSwitchReceive.rar	dKscscsc.exe
File opened for modification	C:\Windows\SysWOW64\sheUnprotectSearch.bmp	dKscscsc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\cmgwUEow	HYYAoskY.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\cmgwUEow\dKscscsc	HYYAoskY.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	dKscscsc.exe
File opened for modification	C:\Windows\SysWOW64\shePingAdd.jpeg	dKscscsc.exe
File opened for modification	C:\Windows\SysWOW64\sheRequestLock.xls	dKscscsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

2444 reg.exe
1972 reg.exe
3840 reg.exe

pid	process
2444	reg.exe
1972	reg.exe
3840	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exedKscscsc.exe

pid	process
2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe
2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe
2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe
2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dKscscsc.exe

pid process

3036 dKscscsc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

dKscscsc.exe

pid	process
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe
3036	dKscscsc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

setup.exe

pid process

2328 setup.exe
2328 setup.exe
2328 setup.exe

pid	process
2328	setup.exe
2328	setup.exe
2328	setup.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.execmd.exe

description	pid	process	target process
PID 2116 wrote to memory of 3036	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	dKscscsc.exe
PID 2116 wrote to memory of 3036	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	dKscscsc.exe
PID 2116 wrote to memory of 3036	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	dKscscsc.exe
PID 2116 wrote to memory of 3524	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	OCoEQUcc.exe
PID 2116 wrote to memory of 3524	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	OCoEQUcc.exe
PID 2116 wrote to memory of 3524	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	OCoEQUcc.exe
PID 2116 wrote to memory of 3140	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	cmd.exe
PID 2116 wrote to memory of 3140	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	cmd.exe
PID 2116 wrote to memory of 3140	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	cmd.exe
PID 2116 wrote to memory of 2444	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	reg.exe
PID 2116 wrote to memory of 2444	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	reg.exe
PID 2116 wrote to memory of 2444	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	reg.exe
PID 2116 wrote to memory of 1972	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	reg.exe
PID 2116 wrote to memory of 1972	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	reg.exe
PID 2116 wrote to memory of 1972	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	reg.exe
PID 2116 wrote to memory of 3840	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	reg.exe
PID 2116 wrote to memory of 3840	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	reg.exe
PID 2116 wrote to memory of 3840	2116	1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe	reg.exe
PID 3140 wrote to memory of 2328	3140	cmd.exe	setup.exe
PID 3140 wrote to memory of 2328	3140	cmd.exe	setup.exe
PID 3140 wrote to memory of 2328	3140	cmd.exe	setup.exe

C:\Users\Admin\AppData\Local\Temp\1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe
"C:\Users\Admin\AppData\Local\Temp\1edf2704fcf6ca4b13ba4b06a5b2ece770a9465391e527d9bc08689ccf1b8e47.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\cmgwUEow\dKscscsc.exe
"C:\Users\Admin\cmgwUEow\dKscscsc.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3036

C:\ProgramData\jmUYkwsw\OCoEQUcc.exe
"C:\ProgramData\jmUYkwsw\OCoEQUcc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\setup.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Temp\setup.exe
C:\Users\Admin\AppData\Local\Temp\setup.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:3840

C:\ProgramData\WKIYsgAY\HYYAoskY.exe
C:\ProgramData\WKIYsgAY\HYYAoskY.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

5

T1112

Hidden Files and Directories

1

T1158

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WKIYsgAY\HYYAoskY.exe
MD5
0a5c49b89fd7091404915ba4db00b113

SHA1
8851fd6914cdb9857618491b2893f4f20154becc

SHA256
84a4fa384f1e9123c6a87b211905441976e657af22310f78137036d64094c3ae

SHA512
8a17a9dc2ad6495c6e6b8ef9833f17cf139d6304bf6d9f987f3860e7e247935781975e4ceeae1c8479fec7be13a2d35589a123d70065b6381652e12b056d08a3

Download Submit
C:\ProgramData\WKIYsgAY\HYYAoskY.exe
MD5
0a5c49b89fd7091404915ba4db00b113

SHA1
8851fd6914cdb9857618491b2893f4f20154becc

SHA256
84a4fa384f1e9123c6a87b211905441976e657af22310f78137036d64094c3ae

SHA512
8a17a9dc2ad6495c6e6b8ef9833f17cf139d6304bf6d9f987f3860e7e247935781975e4ceeae1c8479fec7be13a2d35589a123d70065b6381652e12b056d08a3

Download Submit
C:\ProgramData\jmUYkwsw\OCoEQUcc.exe
MD5
fad6d3b60dc1f126b867c8c2da6cef71

SHA1
f9be6dee3195e8f65e62b629405ba4f83a806dce

SHA256
c301da7113dd94950ddd5d5c5c2634077e29d6a0e51c94fdd237b75f48ec3c53

SHA512
17c6ad445c43c3d0cc66ea67b0ce7e92fd3c7dd6158c96c1cb50494a8fca3048dfed187f495e17f973b97c774c64bf4ab812b813fdeb2b6144a5fb56c299178d

Download Submit
C:\ProgramData\jmUYkwsw\OCoEQUcc.exe
MD5
fad6d3b60dc1f126b867c8c2da6cef71

SHA1
f9be6dee3195e8f65e62b629405ba4f83a806dce

SHA256
c301da7113dd94950ddd5d5c5c2634077e29d6a0e51c94fdd237b75f48ec3c53

SHA512
17c6ad445c43c3d0cc66ea67b0ce7e92fd3c7dd6158c96c1cb50494a8fca3048dfed187f495e17f973b97c774c64bf4ab812b813fdeb2b6144a5fb56c299178d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
7c02f4ea3ea05524631db43cef2e0bfb

SHA1
f4a33008e5040faaf32ab995a11b91c16e80a46b

SHA256
bd38517adb5b8e86ae8543f860bda1284f0ba1c006923fbb582551e7502d908e

SHA512
22ba4621f66384005502ddeb117afd6b042368f9a6f537cc16037925104181679f63fe4cd9da0236ee4f741aaf181b95d29af311b762e3e18d75867c794ccec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
7c02f4ea3ea05524631db43cef2e0bfb

SHA1
f4a33008e5040faaf32ab995a11b91c16e80a46b

SHA256
bd38517adb5b8e86ae8543f860bda1284f0ba1c006923fbb582551e7502d908e

SHA512
22ba4621f66384005502ddeb117afd6b042368f9a6f537cc16037925104181679f63fe4cd9da0236ee4f741aaf181b95d29af311b762e3e18d75867c794ccec7

Download Submit
C:\Users\Admin\cmgwUEow\dKscscsc.exe
MD5
238d44689875a30cc81593d65bc3c83d

SHA1
1e70f8285c73a0b9d0111baa62e0537466b7119e

SHA256
9b9a7a86ae87976495a2b3495420651a185a5a9d0bed10d43fc570874fed93e3

SHA512
c99a1a8e9a2b294b76f9f8a51f8341c8788e6bc6e850fb8aff407ddf9e8d666f1b0ede4deb865c619d5dbfce5a248aa91bd3fb4235b4503acb27fb06371b817d

Download Submit
C:\Users\Admin\cmgwUEow\dKscscsc.exe
MD5
238d44689875a30cc81593d65bc3c83d

SHA1
1e70f8285c73a0b9d0111baa62e0537466b7119e

SHA256
9b9a7a86ae87976495a2b3495420651a185a5a9d0bed10d43fc570874fed93e3

SHA512
c99a1a8e9a2b294b76f9f8a51f8341c8788e6bc6e850fb8aff407ddf9e8d666f1b0ede4deb865c619d5dbfce5a248aa91bd3fb4235b4503acb27fb06371b817d

Download Submit
memory/1972-124-0x0000000000000000-mapping.dmp

Download
memory/2328-126-0x0000000000000000-mapping.dmp

Download
memory/2444-123-0x0000000000000000-mapping.dmp

Download
memory/3036-114-0x0000000000000000-mapping.dmp

Download
memory/3140-122-0x0000000000000000-mapping.dmp

Download
memory/3524-117-0x0000000000000000-mapping.dmp

Download
memory/3840-125-0x0000000000000000-mapping.dmp

Download

pid	process
3036	dKscscsc.exe
3524	OCoEQUcc.exe
4004	HYYAoskY.exe
2328	setup.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads