c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df

General

Target

c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exe
Size

184KB
MD5

52616d239c0a3bacef695459e7f3449c
SHA1

9525cf92e6b3bfbbe1109a195eea97af0fa380df
SHA256

c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df
SHA512

40ede96ea3248c9ca6d2ebcb417bec428845cbb537e849a4bf5151f5c181df07b6d49f10df5bde09926b1b92e7e4e3655085e323a06af234d6a2d3e4f723cb2a
SSDEEP

3072:30FEOW7fEQVdXpAxTIfJyX33RPvSk8g0gVTRj:30P2Zd5ARIfA3lvStgtV

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exelbyiiq.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lbyiiq.exe

Executes dropped EXE 1 IoCs

Processes:

lbyiiq.exe

pid process

724 lbyiiq.exe

pid	process
724	lbyiiq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lbyiiq.exec70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /C"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /O"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /N"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /t"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /f"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /D"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /s"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /E"	lbyiiq.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /x"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /Z"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /c"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /T"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /I"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /a"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /K"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /h"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /P"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /R"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /d"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /Y"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /z"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /M"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /j"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /i"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /p"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /G"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /y"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /I"	c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /B"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /e"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /m"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /Q"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /v"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /H"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /L"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /U"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /b"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /r"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /o"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /g"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /l"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /J"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /u"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /X"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /A"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /V"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /k"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /F"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /n"	lbyiiq.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /S"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /W"	lbyiiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbyiiq = "C:\\Users\\Admin\\lbyiiq.exe /q"	lbyiiq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exelbyiiq.exe

pid	process
4624	c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exe
4624	c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe
724	lbyiiq.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exelbyiiq.exe

pid process

4624 c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exe
724 lbyiiq.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exe

description	pid	process	target process
PID 4624 wrote to memory of 724	4624	c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exe	lbyiiq.exe
PID 4624 wrote to memory of 724	4624	c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exe	lbyiiq.exe
PID 4624 wrote to memory of 724	4624	c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exe	lbyiiq.exe

C:\Users\Admin\AppData\Local\Temp\c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exe
"C:\Users\Admin\AppData\Local\Temp\c70b0e90be88882c3fb7e2ceee54c1314f8fd2c3213c2b29ceb9555acea3c6df.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\lbyiiq.exe
  "C:\Users\Admin\lbyiiq.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\lbyiiq.exe

Filesize
184KB

MD5
d366068e3e1999e6108cb93a1271960f

SHA1
a157eca818523ed37af8325750e523fb83627f6b

SHA256
da2b14e57218550d3b5138bb113e5c3c6676186969d1a5bfb780a6c370885560

SHA512
110cf0c58d9a556dc4e6ab542b1ad2d1ab695b54152475e5ab41522c3e10c2e1021b6e608779d6eeb34897e8620b2e3f6c100e01a3e44945e3272fe62ce16337

Download Submit
C:\Users\Admin\lbyiiq.exe

Filesize
184KB

MD5
d366068e3e1999e6108cb93a1271960f

SHA1
a157eca818523ed37af8325750e523fb83627f6b

SHA256
da2b14e57218550d3b5138bb113e5c3c6676186969d1a5bfb780a6c370885560

SHA512
110cf0c58d9a556dc4e6ab542b1ad2d1ab695b54152475e5ab41522c3e10c2e1021b6e608779d6eeb34897e8620b2e3f6c100e01a3e44945e3272fe62ce16337

Download Submit
memory/724-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads