Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-05-2021 10:12
Static task: static1
Behavioral task: behavioral1
- Sample: 7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
- Resource: win10v20210408
General
- Target: 7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
- Size: 746KB
- MD5: e391c23c26e087d7c4b787617b5a54ed
- SHA1: 19862b345a3a84b54802fc6700e06b2bba7e7622
- SHA256: 7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f
- SHA512: 12bcb3fbc54400ff3d304335998fe98886b2f8901bb083f2e2033570158a49f963d056d50abdbff40b75723c251fe8b8eb34663f0d2c6a271ed04ef2bf2f162a
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\PiYMsAgg\\EeUYYEAY.exe," | 7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\PiYMsAgg\\EeUYYEAY.exe," | 7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
- Modifies visibility of file extensions in Explorer (2 TTPs)
- Executes dropped EXE (4 IoCs)
  Processes (pid | process):
  3596 | zccMYAMQ.exe
  3040 | EeUYYEAY.exe
  60 | mQgkYcYI.exe
  412 | clist.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation | zccMYAMQ.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EeUYYEAY.exe = "C:\\ProgramData\\PiYMsAgg\\EeUYYEAY.exe" | mQgkYcYI.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zccMYAMQ.exe = "C:\\Users\\Admin\\JeIYkAwA\\zccMYAMQ.exe" | 7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EeUYYEAY.exe = "C:\\ProgramData\\PiYMsAgg\\EeUYYEAY.exe" | 7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zccMYAMQ.exe = "C:\\Users\\Admin\\JeIYkAwA\\zccMYAMQ.exe" | zccMYAMQ.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EeUYYEAY.exe = "C:\\ProgramData\\PiYMsAgg\\EeUYYEAY.exe" | EeUYYEAY.exe
- Drops file in System32 directory (5 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\JeIYkAwA | mQgkYcYI.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\JeIYkAwA\zccMYAMQ | mQgkYcYI.exe
  File created | C:\Windows\SysWOW64\shell32.dll.exe | zccMYAMQ.exe
  File opened for modification | C:\Windows\SysWOW64\sheRequestConfirm.gif | zccMYAMQ.exe
  File opened for modification | C:\Windows\SysWOW64\sheTestEdit.jpg | zccMYAMQ.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry key (1 TTP, 3 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
  4656 | 7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe (4 entries)
  3596 | zccMYAMQ.exe (remaining 60 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  3596 | zccMYAMQ.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes (pid | process):
  3596 | zccMYAMQ.exe (64 entries)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description | pid | process | target process):
  PID 4656 wrote to memory of 3596 | 4656 | 7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe | zccMYAMQ.exe (3 entries)
  PID 4656 wrote to memory of 3040 | 4656 | 7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe | EeUYYEAY.exe (3 entries)
  PID 4656 wrote to memory of 4268 | 4656 | 7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe | cmd.exe (3 entries)
  PID 4656 wrote to memory of 3032 | 4656 | 7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe | reg.exe (3 entries)
  PID 4656 wrote to memory of 3832 | 4656 | 7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe | reg.exe (3 entries)
  PID 4656 wrote to memory of 3132 | 4656 | 7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe | reg.exe (3 entries)
  PID 4268 wrote to memory of 412 | 4268 | cmd.exe | clist.exe (2 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe"
  Signatures: Modifies WinLogon for persistence; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\JeIYkAwA\zccMYAMQ.exe
    Command line: "C:\Users\Admin\JeIYkAwA\zccMYAMQ.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow
  - C:\ProgramData\PiYMsAgg\EeUYYEAY.exe
    Command line: "C:\ProgramData\PiYMsAgg\EeUYYEAY.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\clist.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\clist.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\clist.exe
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    Signatures: Modifies registry key
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    Signatures: Modifies registry key
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    Signatures: Modifies registry key
- C:\ProgramData\ZgEwAIcc\mQgkYcYI.exe
  Command line: C:\ProgramData\ZgEwAIcc\mQgkYcYI.exe
  Signatures: Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\PiYMsAgg\EeUYYEAY.exe
  MD5: bd0d47ffa9d2fa31478391952f0aa2fc
  SHA1: 47cafabb0fcb43952a37dc752e735e15fff60d06
  SHA256: aa4e136f67621203a919e5c7258fedb0cc8638222032d2febc983e51be4d5647
  SHA512: a0e1d1e84f2d000fc859e961c099bfd41cbbbfb8b6b934f933c1ecfa2a761607ec272baa88a1257a4ba26aea88e78b133cee871f55ef7da9f7cd8291bc27e993
- C:\ProgramData\ZgEwAIcc\mQgkYcYI.exe
  MD5: 19c8c6469c05b2aabf1fada45ccfb375
  SHA1: baa0e34ca5451ff9068123d3cf3d61397c239441
  SHA256: 50eafea4a94624d8f283d846956fba68c20b7e1ded298f96c4a46e5a17aab617
  SHA512: fc1ab4285afbae12eb9982d351fb87c0da30b4ede54cd0dbd2bfca4f3027280b13dc3bf65547b7588efa89f7d1a1e9edb4bf457215e96ed85eaccde9338873e0
- C:\Users\Admin\AppData\Local\Temp\clist.exe
  MD5: af6d4428fb42903b1578b31bd333bf16
  SHA1: c0d52a608a428397140a772920b9c3ea627c2cf3
  SHA256: 52090bc03a83c42081d6c6329874bb6a0701adecc07499a86c59a0fa831ff0e4
  SHA512: eaae4756d133631aa476363ef8aaed30520088769702264e64c1f1acfc0cd880e3145158940edc4b7930ff5b2fd524bb6663a48c4420c7b8432d9843baa0e71a
- C:\Users\Admin\JeIYkAwA\zccMYAMQ.exe
  MD5: 32a8c423541ca3833c43faa26450fcf6
  SHA1: 17f520a8f940a286c508df08afab9e352e62bbf4
  SHA256: 50a866e31a0ea3277b904d518c6f7f5212156e0716a4d508a47db31ff20c6be0
  SHA512: eac5c142d9424ec6fa5003f32b88e61f8543b8953d133eb35c3fc32f236d27993ce30bf3b8fd54a4199da4098ea4fa8b8d5052cb741215876250e4e819a2cfda
- memory/412-126-0x0000000000000000-mapping.dmp
- memory/412-129-0x00000000008B0000-0x00000000008B1000-memory.dmp (Filesize: 4KB)
- memory/412-131-0x00000000029F0000-0x00000000029F2000-memory.dmp (Filesize: 8KB)
- memory/3032-123-0x0000000000000000-mapping.dmp
- memory/3040-117-0x0000000000000000-mapping.dmp
- memory/3132-125-0x0000000000000000-mapping.dmp
- memory/3596-114-0x0000000000000000-mapping.dmp
- memory/3832-124-0x0000000000000000-mapping.dmp
- memory/4268-122-0x0000000000000000-mapping.dmp