3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97

General

Target

3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe
Size

635KB
MD5

fe61dffc07a3a637ccf775ac015ae4c0
SHA1

90db237ec18e4a8b6f848343cc251f4ff7bfca00
SHA256

3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97
SHA512

72972fd65f6619022c431bf3358a2908006f654a698efaa7d9e47c8aecccc8a4f32ab496736a0130af8a634e003ad152ee3619c10b674adc518d339127951505
SSDEEP

12288:2K2mhAMJ/cPlxipuOeyTaN2uiEqOHYRVPVT04rQWlHkAinpXdZ5FasY:32O/GlxGQUED4RVPVI8Qyqd7FaX

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

tqxcwyvf.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tqxcwyvf.exe

Executes dropped EXE 1 IoCs

Processes:

tqxcwyvf.exe

pid process

2028 tqxcwyvf.exe

Loads dropped DLL 4 IoCs

Processes:

3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe

pid	process
1280	3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe
1280	3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe
1280	3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe
1280	3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tqxcwyvf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	tqxcwyvf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\63zb9r132a8x = "\\Users\\Admin\\63zb9r132a8x\\nuycagcfli.vbs"	tqxcwyvf.exe
Key deleted	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RUN	tqxcwyvf.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	tqxcwyvf.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN	tqxcwyvf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	tqxcwyvf.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

tqxcwyvf.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tqxcwyvf.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

tqxcwyvf.exe

description pid process target process

PID 2028 set thread context of 524 2028 tqxcwyvf.exe RegSvcs.exe
Drops file in Windows directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tqxcwyvf.exe

description	pid	process	target process
PID 2028 set thread context of 524	2028	tqxcwyvf.exe	RegSvcs.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tqxcwyvf.exe

pid	process
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe
2028	tqxcwyvf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tqxcwyvf.exe

description	pid	process
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe
Token: SeDebugPrivilege	2028	tqxcwyvf.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exetqxcwyvf.exe

description	pid	process	target process
PID 1280 wrote to memory of 2028	1280	3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe	tqxcwyvf.exe
PID 1280 wrote to memory of 2028	1280	3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe	tqxcwyvf.exe
PID 1280 wrote to memory of 2028	1280	3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe	tqxcwyvf.exe
PID 1280 wrote to memory of 2028	1280	3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe	tqxcwyvf.exe
PID 1280 wrote to memory of 2028	1280	3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe	tqxcwyvf.exe
PID 1280 wrote to memory of 2028	1280	3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe	tqxcwyvf.exe
PID 1280 wrote to memory of 2028	1280	3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe	tqxcwyvf.exe
PID 2028 wrote to memory of 524	2028	tqxcwyvf.exe	RegSvcs.exe
PID 2028 wrote to memory of 524	2028	tqxcwyvf.exe	RegSvcs.exe
PID 2028 wrote to memory of 524	2028	tqxcwyvf.exe	RegSvcs.exe
PID 2028 wrote to memory of 524	2028	tqxcwyvf.exe	RegSvcs.exe
PID 2028 wrote to memory of 524	2028	tqxcwyvf.exe	RegSvcs.exe
PID 2028 wrote to memory of 524	2028	tqxcwyvf.exe	RegSvcs.exe
PID 2028 wrote to memory of 524	2028	tqxcwyvf.exe	RegSvcs.exe
PID 2028 wrote to memory of 524	2028	tqxcwyvf.exe	RegSvcs.exe
PID 2028 wrote to memory of 524	2028	tqxcwyvf.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe
"C:\Users\Admin\AppData\Local\Temp\3a0ef626219b20797c166cd6348960cd8d3548e886a3fae1221ccf7451580a97.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\63zb9r132a8x\tqxcwyvf.exe
"C:\Users\Admin\63zb9r132a8x\tqxcwyvf.exe" jikzqahddu.YQV
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Drops file in Windows directory
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\63ZB9R~1\fyxnecymda.VJI
Filesize
229B

MD5
f8a18696cc245c90e3fda95a8a9327c8

SHA1
196ebdf852b1356d8828507e01eb486667aa6910

SHA256
114df2b748d1081c32acc4e154864a447e89b3beb4eb6142ad603f37fc0cd4ce

SHA512
1f9423bd55ecdf0a68d3a5c34abe2ae2ecb1cfc7932d729c7ca874172858282f9290df08257df09119fb538a683a8ac17dc2e9fa03a37055ea47d12ee7cbadcb

Download Submit
C:\Users\Admin\63ZB9R~1\gztw.BRH
Filesize
68KB

MD5
4fd9798aa6dbddfe4a3aa736670921af

SHA1
6f1f55856e26b85bd213a000688b38b14b619442

SHA256
1afb7acbc151fe99daa57a29e12f75b2c72de0bdd05c82dc5830600715ecd085

SHA512
4066f2288406dc1438bd43c00cb210a3ec544cd8b2ecb2e27a48f51a19f4d9a5e0215124fd27766bdd05cba64c0b846c71ec3daa9e9cc9c7098f82553c396b83

Download Submit
C:\Users\Admin\63zb9r132a8x\jikzqahddu.YQV
Filesize
35.6MB

MD5
13d7d38239430e4e555ed416dc6366c4

SHA1
f72f82f912a4cafc2dd1d2646c5e89ad0450c521

SHA256
9fb98509ac38f0e2ede552e816a349fffc6a47ccf7512b16d94d60aadb2bbfbc

SHA512
00b1b6d99aaea208c37ebdb86ae91514cee0769faca0a49c031c3118913a0daee4ceeda1fae62be58e528ec777e6db80a895506986ed8eb6e75a74a91384263d

Download Submit
C:\Users\Admin\63zb9r132a8x\tqxcwyvf.exe
Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\63zb9r132a8x\tqxcwyvf.exe
Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\63zb9r132a8x\tqxcwyvf.exe
Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\63zb9r132a8x\tqxcwyvf.exe
Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\63zb9r132a8x\tqxcwyvf.exe
Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
memory/524-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/524-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/524-68-0x0000000000401F8F-mapping.dmp

Download
memory/524-71-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/524-73-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1280-54-0x0000000074C41000-0x0000000074C43000-memory.dmp

Filesize
8KB

Download
memory/2028-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads