7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f

General

Target

7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
Size

746KB
MD5

e391c23c26e087d7c4b787617b5a54ed
SHA1

19862b345a3a84b54802fc6700e06b2bba7e7622
SHA256

7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f
SHA512

12bcb3fbc54400ff3d304335998fe98886b2f8901bb083f2e2033570158a49f963d056d50abdbff40b75723c251fe8b8eb34663f0d2c6a271ed04ef2bf2f162a

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\PiYMsAgg\\EeUYYEAY.exe,"	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\PiYMsAgg\\EeUYYEAY.exe,"	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 4 IoCs

Processes:

zccMYAMQ.exeEeUYYEAY.exemQgkYcYI.execlist.exe

pid process

3596 zccMYAMQ.exe
3040 EeUYYEAY.exe
60 mQgkYcYI.exe
412 clist.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

zccMYAMQ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	zccMYAMQ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mQgkYcYI.exe7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exezccMYAMQ.exeEeUYYEAY.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EeUYYEAY.exe = "C:\\ProgramData\\PiYMsAgg\\EeUYYEAY.exe"	mQgkYcYI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zccMYAMQ.exe = "C:\\Users\\Admin\\JeIYkAwA\\zccMYAMQ.exe"	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EeUYYEAY.exe = "C:\\ProgramData\\PiYMsAgg\\EeUYYEAY.exe"	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zccMYAMQ.exe = "C:\\Users\\Admin\\JeIYkAwA\\zccMYAMQ.exe"	zccMYAMQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EeUYYEAY.exe = "C:\\ProgramData\\PiYMsAgg\\EeUYYEAY.exe"	EeUYYEAY.exe

Drops file in System32 directory 5 IoCs

Processes:

mQgkYcYI.exezccMYAMQ.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\JeIYkAwA	mQgkYcYI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\JeIYkAwA\zccMYAMQ	mQgkYcYI.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	zccMYAMQ.exe
File opened for modification	C:\Windows\SysWOW64\sheRequestConfirm.gif	zccMYAMQ.exe
File opened for modification	C:\Windows\SysWOW64\sheTestEdit.jpg	zccMYAMQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

3032 reg.exe
3832 reg.exe
3132 reg.exe

pid	process
3032	reg.exe
3832	reg.exe
3132	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exezccMYAMQ.exe

pid	process
4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

zccMYAMQ.exe

pid process

3596 zccMYAMQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

zccMYAMQ.exe

pid	process
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe
3596	zccMYAMQ.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.execmd.exe

description	pid	process	target process
PID 4656 wrote to memory of 3596	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	zccMYAMQ.exe
PID 4656 wrote to memory of 3596	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	zccMYAMQ.exe
PID 4656 wrote to memory of 3596	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	zccMYAMQ.exe
PID 4656 wrote to memory of 3040	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	EeUYYEAY.exe
PID 4656 wrote to memory of 3040	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	EeUYYEAY.exe
PID 4656 wrote to memory of 3040	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	EeUYYEAY.exe
PID 4656 wrote to memory of 4268	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	cmd.exe
PID 4656 wrote to memory of 4268	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	cmd.exe
PID 4656 wrote to memory of 4268	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	cmd.exe
PID 4656 wrote to memory of 3032	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	reg.exe
PID 4656 wrote to memory of 3032	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	reg.exe
PID 4656 wrote to memory of 3032	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	reg.exe
PID 4656 wrote to memory of 3832	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	reg.exe
PID 4656 wrote to memory of 3832	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	reg.exe
PID 4656 wrote to memory of 3832	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	reg.exe
PID 4656 wrote to memory of 3132	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	reg.exe
PID 4656 wrote to memory of 3132	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	reg.exe
PID 4656 wrote to memory of 3132	4656	7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe	reg.exe
PID 4268 wrote to memory of 412	4268	cmd.exe	clist.exe
PID 4268 wrote to memory of 412	4268	cmd.exe	clist.exe

C:\Users\Admin\AppData\Local\Temp\7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe
"C:\Users\Admin\AppData\Local\Temp\7f5fcf6f4b3b575dad5d3d6c7f504c0d3377174c7a899412086e32dc7f85905f.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\JeIYkAwA\zccMYAMQ.exe
"C:\Users\Admin\JeIYkAwA\zccMYAMQ.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3596

C:\ProgramData\PiYMsAgg\EeUYYEAY.exe
"C:\ProgramData\PiYMsAgg\EeUYYEAY.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\clist.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Local\Temp\clist.exe
C:\Users\Admin\AppData\Local\Temp\clist.exe
3⤵
- Executes dropped EXE
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:3832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:3132

C:\ProgramData\ZgEwAIcc\mQgkYcYI.exe
C:\ProgramData\ZgEwAIcc\mQgkYcYI.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:60

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

5

T1112

Hidden Files and Directories

1

T1158

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PiYMsAgg\EeUYYEAY.exe
MD5
bd0d47ffa9d2fa31478391952f0aa2fc

SHA1
47cafabb0fcb43952a37dc752e735e15fff60d06

SHA256
aa4e136f67621203a919e5c7258fedb0cc8638222032d2febc983e51be4d5647

SHA512
a0e1d1e84f2d000fc859e961c099bfd41cbbbfb8b6b934f933c1ecfa2a761607ec272baa88a1257a4ba26aea88e78b133cee871f55ef7da9f7cd8291bc27e993

Download Submit
C:\ProgramData\PiYMsAgg\EeUYYEAY.exe
MD5
bd0d47ffa9d2fa31478391952f0aa2fc

SHA1
47cafabb0fcb43952a37dc752e735e15fff60d06

SHA256
aa4e136f67621203a919e5c7258fedb0cc8638222032d2febc983e51be4d5647

SHA512
a0e1d1e84f2d000fc859e961c099bfd41cbbbfb8b6b934f933c1ecfa2a761607ec272baa88a1257a4ba26aea88e78b133cee871f55ef7da9f7cd8291bc27e993

Download Submit
C:\ProgramData\ZgEwAIcc\mQgkYcYI.exe
MD5
19c8c6469c05b2aabf1fada45ccfb375

SHA1
baa0e34ca5451ff9068123d3cf3d61397c239441

SHA256
50eafea4a94624d8f283d846956fba68c20b7e1ded298f96c4a46e5a17aab617

SHA512
fc1ab4285afbae12eb9982d351fb87c0da30b4ede54cd0dbd2bfca4f3027280b13dc3bf65547b7588efa89f7d1a1e9edb4bf457215e96ed85eaccde9338873e0

Download Submit
C:\ProgramData\ZgEwAIcc\mQgkYcYI.exe
MD5
19c8c6469c05b2aabf1fada45ccfb375

SHA1
baa0e34ca5451ff9068123d3cf3d61397c239441

SHA256
50eafea4a94624d8f283d846956fba68c20b7e1ded298f96c4a46e5a17aab617

SHA512
fc1ab4285afbae12eb9982d351fb87c0da30b4ede54cd0dbd2bfca4f3027280b13dc3bf65547b7588efa89f7d1a1e9edb4bf457215e96ed85eaccde9338873e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\clist.exe
MD5
af6d4428fb42903b1578b31bd333bf16

SHA1
c0d52a608a428397140a772920b9c3ea627c2cf3

SHA256
52090bc03a83c42081d6c6329874bb6a0701adecc07499a86c59a0fa831ff0e4

SHA512
eaae4756d133631aa476363ef8aaed30520088769702264e64c1f1acfc0cd880e3145158940edc4b7930ff5b2fd524bb6663a48c4420c7b8432d9843baa0e71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\clist.exe
MD5
af6d4428fb42903b1578b31bd333bf16

SHA1
c0d52a608a428397140a772920b9c3ea627c2cf3

SHA256
52090bc03a83c42081d6c6329874bb6a0701adecc07499a86c59a0fa831ff0e4

SHA512
eaae4756d133631aa476363ef8aaed30520088769702264e64c1f1acfc0cd880e3145158940edc4b7930ff5b2fd524bb6663a48c4420c7b8432d9843baa0e71a

Download Submit
C:\Users\Admin\JeIYkAwA\zccMYAMQ.exe
MD5
32a8c423541ca3833c43faa26450fcf6

SHA1
17f520a8f940a286c508df08afab9e352e62bbf4

SHA256
50a866e31a0ea3277b904d518c6f7f5212156e0716a4d508a47db31ff20c6be0

SHA512
eac5c142d9424ec6fa5003f32b88e61f8543b8953d133eb35c3fc32f236d27993ce30bf3b8fd54a4199da4098ea4fa8b8d5052cb741215876250e4e819a2cfda

Download Submit
C:\Users\Admin\JeIYkAwA\zccMYAMQ.exe
MD5
32a8c423541ca3833c43faa26450fcf6

SHA1
17f520a8f940a286c508df08afab9e352e62bbf4

SHA256
50a866e31a0ea3277b904d518c6f7f5212156e0716a4d508a47db31ff20c6be0

SHA512
eac5c142d9424ec6fa5003f32b88e61f8543b8953d133eb35c3fc32f236d27993ce30bf3b8fd54a4199da4098ea4fa8b8d5052cb741215876250e4e819a2cfda

Download Submit
memory/412-126-0x0000000000000000-mapping.dmp

Download
memory/412-129-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/412-131-0x00000000029F0000-0x00000000029F2000-memory.dmp

Filesize
8KB

Download
memory/3032-123-0x0000000000000000-mapping.dmp

Download
memory/3040-117-0x0000000000000000-mapping.dmp

Download
memory/3132-125-0x0000000000000000-mapping.dmp

Download
memory/3596-114-0x0000000000000000-mapping.dmp

Download
memory/3832-124-0x0000000000000000-mapping.dmp

Download
memory/4268-122-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads