a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9

General

Target

a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe
Size

1.8MB
MD5

a9c865933b8aa2b12f65b1ee21b2e67e
SHA1

7431a1d9b783c506871ab142bec03075d81325b9
SHA256

a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9
SHA512

22e23b9e591ffd2fc46d3b1548df5710c10357ddc9259ee0f6d9aa31850baa4d05229d13731226171641c495448528c02083e21056349413308ae1d5d5464bd1
SSDEEP

49152:akwkn9IMHea846H3G6PwLELhrIuXlyP9AgaPCS:JdnVmGakkrIuXlyPiPC

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe

Executes dropped EXE 2 IoCs

Processes:

4140.exeqyadk.exe

pid process

2204 4140.exe
5040 qyadk.exe

pid	process
2204	4140.exe
5040	qyadk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

qyadk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Buzei = "C:\\Users\\Admin\\AppData\\Roaming\\Eroho\\qyadk.exe"	qyadk.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\Currentversion\Run	qyadk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	qyadk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4140.exe

description pid process target process

PID 2204 set thread context of 2400 2204 4140.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2204 set thread context of 2400	2204	4140.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

4140.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	4140.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Privacy	4140.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

qyadk.exe

pid	process
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe
5040	qyadk.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

4140.exe

description	pid	process
Token: SeSecurityPrivilege	2204	4140.exe
Token: SeSecurityPrivilege	2204	4140.exe
Token: SeSecurityPrivilege	2204	4140.exe
Token: SeSecurityPrivilege	2204	4140.exe
Token: SeSecurityPrivilege	2204	4140.exe
Token: SeSecurityPrivilege	2204	4140.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe4140.exeqyadk.exe

description	pid	process	target process
PID 4396 wrote to memory of 2204	4396	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe	4140.exe
PID 4396 wrote to memory of 2204	4396	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe	4140.exe
PID 4396 wrote to memory of 2204	4396	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe	4140.exe
PID 2204 wrote to memory of 5040	2204	4140.exe	qyadk.exe
PID 2204 wrote to memory of 5040	2204	4140.exe	qyadk.exe
PID 2204 wrote to memory of 5040	2204	4140.exe	qyadk.exe
PID 5040 wrote to memory of 2336	5040	qyadk.exe	sihost.exe
PID 5040 wrote to memory of 2336	5040	qyadk.exe	sihost.exe
PID 5040 wrote to memory of 2336	5040	qyadk.exe	sihost.exe
PID 5040 wrote to memory of 2336	5040	qyadk.exe	sihost.exe
PID 5040 wrote to memory of 2336	5040	qyadk.exe	sihost.exe
PID 5040 wrote to memory of 2360	5040	qyadk.exe	svchost.exe
PID 5040 wrote to memory of 2360	5040	qyadk.exe	svchost.exe
PID 5040 wrote to memory of 2360	5040	qyadk.exe	svchost.exe
PID 5040 wrote to memory of 2360	5040	qyadk.exe	svchost.exe
PID 5040 wrote to memory of 2360	5040	qyadk.exe	svchost.exe
PID 5040 wrote to memory of 2464	5040	qyadk.exe	taskhostw.exe
PID 5040 wrote to memory of 2464	5040	qyadk.exe	taskhostw.exe
PID 5040 wrote to memory of 2464	5040	qyadk.exe	taskhostw.exe
PID 5040 wrote to memory of 2464	5040	qyadk.exe	taskhostw.exe
PID 5040 wrote to memory of 2464	5040	qyadk.exe	taskhostw.exe
PID 5040 wrote to memory of 2440	5040	qyadk.exe	Explorer.EXE
PID 5040 wrote to memory of 2440	5040	qyadk.exe	Explorer.EXE
PID 5040 wrote to memory of 2440	5040	qyadk.exe	Explorer.EXE
PID 5040 wrote to memory of 2440	5040	qyadk.exe	Explorer.EXE
PID 5040 wrote to memory of 2440	5040	qyadk.exe	Explorer.EXE
PID 5040 wrote to memory of 2740	5040	qyadk.exe	svchost.exe
PID 5040 wrote to memory of 2740	5040	qyadk.exe	svchost.exe
PID 5040 wrote to memory of 2740	5040	qyadk.exe	svchost.exe
PID 5040 wrote to memory of 2740	5040	qyadk.exe	svchost.exe
PID 5040 wrote to memory of 2740	5040	qyadk.exe	svchost.exe
PID 5040 wrote to memory of 3252	5040	qyadk.exe	DllHost.exe
PID 5040 wrote to memory of 3252	5040	qyadk.exe	DllHost.exe
PID 5040 wrote to memory of 3252	5040	qyadk.exe	DllHost.exe
PID 5040 wrote to memory of 3252	5040	qyadk.exe	DllHost.exe
PID 5040 wrote to memory of 3252	5040	qyadk.exe	DllHost.exe
PID 5040 wrote to memory of 3356	5040	qyadk.exe	StartMenuExperienceHost.exe
PID 5040 wrote to memory of 3356	5040	qyadk.exe	StartMenuExperienceHost.exe
PID 5040 wrote to memory of 3356	5040	qyadk.exe	StartMenuExperienceHost.exe
PID 5040 wrote to memory of 3356	5040	qyadk.exe	StartMenuExperienceHost.exe
PID 5040 wrote to memory of 3356	5040	qyadk.exe	StartMenuExperienceHost.exe
PID 5040 wrote to memory of 3456	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 3456	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 3456	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 3456	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 3456	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 3572	5040	qyadk.exe	SearchApp.exe
PID 5040 wrote to memory of 3572	5040	qyadk.exe	SearchApp.exe
PID 5040 wrote to memory of 3572	5040	qyadk.exe	SearchApp.exe
PID 5040 wrote to memory of 3572	5040	qyadk.exe	SearchApp.exe
PID 5040 wrote to memory of 3572	5040	qyadk.exe	SearchApp.exe
PID 5040 wrote to memory of 3764	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 3764	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 3764	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 3764	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 3764	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 4620	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 4620	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 4620	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 4620	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 4620	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 2320	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 2320	5040	qyadk.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 2320	5040	qyadk.exe	RuntimeBroker.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2320

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4620

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3764

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3356

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2740

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe
"C:\Users\Admin\AppData\Local\Temp\a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe"
2⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4396

C:\Users\Admin\AppData\Local\Temp\4140\4140.exe
"C:\Users\Admin\AppData\Local\Temp\4140\4140.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Roaming\Eroho\qyadk.exe
"C:\Users\Admin\AppData\Roaming\Eroho\qyadk.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4c4235ad.bat"
4⤵
PID:2400

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2360

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4140\4140.exe

Filesize
221KB

MD5
6ebdd2a615d1514c9fe6eb924301ffc3

SHA1
0abb35b008f89d4f37e5db1ce42dc18e212d2243

SHA256
5da7beb43ed1a185967a28a4f4b029e157eb15166b1ee3c6fdec02f7160b04da

SHA512
8186e16c07dc7fc1e585e0bfedb53df8fdfeb09481ee9699d369fb69a794d4c88df09cadacd9f6e7a607d5033ff1af3942eebc7e01954f67e47dbd911d8a10b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4140\4140.exe

Filesize
221KB

MD5
6ebdd2a615d1514c9fe6eb924301ffc3

SHA1
0abb35b008f89d4f37e5db1ce42dc18e212d2243

SHA256
5da7beb43ed1a185967a28a4f4b029e157eb15166b1ee3c6fdec02f7160b04da

SHA512
8186e16c07dc7fc1e585e0bfedb53df8fdfeb09481ee9699d369fb69a794d4c88df09cadacd9f6e7a607d5033ff1af3942eebc7e01954f67e47dbd911d8a10b9

Download Submit
C:\Users\Admin\AppData\Roaming\Atqaaq\exqi.uxo

Filesize
2KB

MD5
cad5737b4550c9d9f14c944dbe6b743c

SHA1
ce12c14f57655023d46cc33fcccbe1359779975e

SHA256
7db0d3fb6c15107bbf5c2ee8c4461bcb13eb4b0c3cbb9e0493272ae21b247814

SHA512
ed46e883467cd40de8cefc86c3af134fc0c4b8b7bad8dcc8648ddc1126aeec3c17b722d513bdea520c6b5aae5e5ebc294421cc3fb6606c11865b68adcb8dce85

Download Submit
C:\Users\Admin\AppData\Roaming\Eroho\qyadk.exe

Filesize
221KB

MD5
d268f2a1048bd68b33e9c924a3296a15

SHA1
ced96924b93699201589b93db37a1c159fbce851

SHA256
341aad61a773bed73e3805f65937313c3102cbd0e6e0d365f01ca234b0c51b41

SHA512
f6df459353385cc9545d969727bb358a7bcca2768376a4e5d81befafaacee7611d6aad4a8bfa5b78efd285ba878e0338b36bfade816d612deefb072f50aee483

Download Submit
C:\Users\Admin\AppData\Roaming\Eroho\qyadk.exe

Filesize
221KB

MD5
d268f2a1048bd68b33e9c924a3296a15

SHA1
ced96924b93699201589b93db37a1c159fbce851

SHA256
341aad61a773bed73e3805f65937313c3102cbd0e6e0d365f01ca234b0c51b41

SHA512
f6df459353385cc9545d969727bb358a7bcca2768376a4e5d81befafaacee7611d6aad4a8bfa5b78efd285ba878e0338b36bfade816d612deefb072f50aee483

Download Submit
memory/2204-132-0x0000000000000000-mapping.dmp

Download
memory/2204-141-0x00000000021A0000-0x00000000021DB000-memory.dmp

Filesize
236KB

Download
memory/2400-140-0x0000000000FA0000-0x0000000000FDB000-memory.dmp

Filesize
236KB

Download
memory/2400-139-0x0000000000000000-mapping.dmp

Download
memory/2400-143-0x0000000000FA0000-0x0000000000FDB000-memory.dmp

Filesize
236KB

Download
memory/4396-142-0x0000000005870000-0x00000000058AB000-memory.dmp

Filesize
236KB

Download
memory/5040-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads