9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781

Analysis

max time kernel
145s
max time network
111s
platform
windows10_x64
resource
win10v20210410
submitted
13-05-2021 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe
Size

1.3MB
MD5

b6bf1024a339b24ec6faf8ade009645f
SHA1

d981043d5064781e8f3914db2526841d46ddcf46
SHA256

9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781
SHA512

5e99ad1e58dc671952647c2793a51f16a82349bb39b1952b1df00f3f80cc14252dbb657ff57b0fe316b6cbdf2740396ba59c94c27709579b15a5b4a7b1c5738e

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\EegYYocU\\wkcgMUQM.exe,"	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\EegYYocU\\wkcgMUQM.exe,"	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe

Executes dropped EXE 4 IoCs

Processes:

YUkAcYAg.exewkcgMUQM.exewAMcUcEM.exewAMcUcEM.exe

pid process

2100 YUkAcYAg.exe
3936 wkcgMUQM.exe
1000 wAMcUcEM.exe
3928 wAMcUcEM.exe

pid	process
2100	YUkAcYAg.exe
3936	wkcgMUQM.exe
1000	wAMcUcEM.exe
3928	wAMcUcEM.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\YUkAcYAg.exe = "C:\\Users\\Admin\\ciUIQEYY\\YUkAcYAg.exe"	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkcgMUQM.exe = "C:\\ProgramData\\EegYYocU\\wkcgMUQM.exe"	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe

pid	process
2112	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe
2112	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe
2112	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe
2112	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

wkcgMUQM.exe

pid process

3936 wkcgMUQM.exe

pid	process
3936	wkcgMUQM.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exewAMcUcEM.exe

description	pid	process	target process
PID 2112 wrote to memory of 1228	2112	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe
PID 2112 wrote to memory of 1228	2112	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe
PID 2112 wrote to memory of 1228	2112	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe
PID 2112 wrote to memory of 2100	2112	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe	YUkAcYAg.exe
PID 2112 wrote to memory of 2100	2112	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe	YUkAcYAg.exe
PID 2112 wrote to memory of 2100	2112	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe	YUkAcYAg.exe
PID 2112 wrote to memory of 3936	2112	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe	wkcgMUQM.exe
PID 2112 wrote to memory of 3936	2112	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe	wkcgMUQM.exe
PID 2112 wrote to memory of 3936	2112	9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe	wkcgMUQM.exe
PID 1000 wrote to memory of 3928	1000	wAMcUcEM.exe	wAMcUcEM.exe
PID 1000 wrote to memory of 3928	1000	wAMcUcEM.exe	wAMcUcEM.exe
PID 1000 wrote to memory of 3928	1000	wAMcUcEM.exe	wAMcUcEM.exe

C:\Users\Admin\AppData\Local\Temp\9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe
"C:\Users\Admin\AppData\Local\Temp\9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Local\Temp\9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781.exe
QVIE
2⤵
PID:1228

C:\Users\Admin\ciUIQEYY\YUkAcYAg.exe
"C:\Users\Admin\ciUIQEYY\YUkAcYAg.exe"
2⤵
- Executes dropped EXE
PID:2100

C:\ProgramData\EegYYocU\wkcgMUQM.exe
"C:\ProgramData\EegYYocU\wkcgMUQM.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:3936

C:\ProgramData\EegYYocU\wkcgMUQM.exe
IEPF
3⤵
PID:3916

C:\ProgramData\tgEgoAUI\wAMcUcEM.exe
C:\ProgramData\tgEgoAUI\wAMcUcEM.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000

C:\ProgramData\tgEgoAUI\wAMcUcEM.exe
ZXJP
2⤵
- Executes dropped EXE
PID:3928

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EegYYocU\wkcgMUQM.exe
MD5
dc3f885a8e5d3a342d499a4430e028e6

SHA1
c4df23eb8a4f1ef8e58d96f605d597c9b3928a81

SHA256
44472792a3fdcdc8e63346703127b7dff780bc3e7de5093bd83ec25c0b3b4abf

SHA512
6c3551597326c34f4d2fb05a0d6ee132c83768416252851f57d4070b9a93faa5f3d9c7a30f08ef8e27ac85b84231a2bd418254225d7eb5b74e6638b4d7f38ae3

Download Submit
C:\ProgramData\EegYYocU\wkcgMUQM.exe
MD5
dc3f885a8e5d3a342d499a4430e028e6

SHA1
c4df23eb8a4f1ef8e58d96f605d597c9b3928a81

SHA256
44472792a3fdcdc8e63346703127b7dff780bc3e7de5093bd83ec25c0b3b4abf

SHA512
6c3551597326c34f4d2fb05a0d6ee132c83768416252851f57d4070b9a93faa5f3d9c7a30f08ef8e27ac85b84231a2bd418254225d7eb5b74e6638b4d7f38ae3

Download Submit
C:\ProgramData\EegYYocU\wkcgMUQM.exe
MD5
b80e95f27347ca8ba2d9cdd69483e9b0

SHA1
c5154f8988f74638a45a3fbef01a3ab550f94c8d

SHA256
c0ad8f90b5186a0745d4a33005cb033a12aaa8a5f45fcd615c51149c446b1163

SHA512
178233225b88abebef0c29d84c99edcae39f55c457c65a88ac88e822b891e19623543479446df159225b0625df715aeb557e94f125ca47f636ecae5b89825792

Download Submit
C:\ProgramData\tgEgoAUI\wAMcUcEM.exe
MD5
b6effc199ac6c824399ca8fb0b7cf528

SHA1
1129cf807190af7a0ae8c7e4bf94c6305704387d

SHA256
60516503a64949376cd945c20fb2181cf28d51a8439aa89de737bce179bd0e70

SHA512
8d6604a32a9eb6090965cfe5e9bae31da8a5812978a2155cda2de5561a4aaeb00b35be73bdefc2e988f037b0a0cb8199ef5232fa9a2d08e65070fd286fc96905

Download Submit
C:\ProgramData\tgEgoAUI\wAMcUcEM.exe
MD5
b6effc199ac6c824399ca8fb0b7cf528

SHA1
1129cf807190af7a0ae8c7e4bf94c6305704387d

SHA256
60516503a64949376cd945c20fb2181cf28d51a8439aa89de737bce179bd0e70

SHA512
8d6604a32a9eb6090965cfe5e9bae31da8a5812978a2155cda2de5561a4aaeb00b35be73bdefc2e988f037b0a0cb8199ef5232fa9a2d08e65070fd286fc96905

Download Submit
C:\ProgramData\tgEgoAUI\wAMcUcEM.exe
MD5
b6effc199ac6c824399ca8fb0b7cf528

SHA1
1129cf807190af7a0ae8c7e4bf94c6305704387d

SHA256
60516503a64949376cd945c20fb2181cf28d51a8439aa89de737bce179bd0e70

SHA512
8d6604a32a9eb6090965cfe5e9bae31da8a5812978a2155cda2de5561a4aaeb00b35be73bdefc2e988f037b0a0cb8199ef5232fa9a2d08e65070fd286fc96905

Download Submit
C:\Users\Admin\AppData\Local\Temp\9148e924aa7ef9637e0409175cc53f4d96839de56b954be98df99bd407e3e781QVIE
MD5
8404b14022865fed08d20a9e3541732c

SHA1
4ae5717b0f7303896d1e738ffb33fe0e93fd0e19

SHA256
f8b3dc820f35fed5f1a330011008ca0d4b4f1a6a638f7da8cd3b7b923babcd7e

SHA512
9f55032feb7e3d1eccf6b0eaec621021f4755cca8f2abb83cf17ebfba38854cf9adcf20a8076ddbcfa47f9e4dd350b45046e460584ce722838fb125dfdc571fc

Download Submit
C:\Users\Admin\ciUIQEYY\YUkAcYAg.exe
MD5
3fce0ec56f53c18757a0ce1b04df3fe1

SHA1
48bad69efda774d96e6db8bac04accfb922239bb

SHA256
a190adb5c15860808e5e979831444521574203df252316273e6c87d322c9408b

SHA512
9c729af67635c358a750c7ac3a76cffe07214963c0aa73d29f5ad6394bc159a35933169283595332cf8ad92368a5bea88fbc9f326b73f8b0f5d7b1c3b2cbf682

Download Submit
C:\Users\Admin\ciUIQEYY\YUkAcYAg.exe
MD5
3fce0ec56f53c18757a0ce1b04df3fe1

SHA1
48bad69efda774d96e6db8bac04accfb922239bb

SHA256
a190adb5c15860808e5e979831444521574203df252316273e6c87d322c9408b

SHA512
9c729af67635c358a750c7ac3a76cffe07214963c0aa73d29f5ad6394bc159a35933169283595332cf8ad92368a5bea88fbc9f326b73f8b0f5d7b1c3b2cbf682

Download Submit
memory/1000-128-0x0000000000570000-0x0000000000590000-memory.dmp

Filesize
128KB

Download
memory/1228-115-0x0000000000000000-mapping.dmp

Download
memory/1228-116-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/2100-124-0x0000000000560000-0x000000000060E000-memory.dmp

Filesize
696KB

Download
memory/2100-118-0x0000000000000000-mapping.dmp

Download
memory/2112-114-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/3916-132-0x0000000000000000-mapping.dmp

Download
memory/3916-134-0x0000000000570000-0x000000000058B000-memory.dmp

Filesize
108KB

Download
memory/3928-129-0x0000000000000000-mapping.dmp

Download
memory/3936-125-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/3936-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads