Analysis
max time kernel: 184s
max time network: 190s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 08:11
Static task: static1
Behavioral task: behavioral1
  Sample: 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
  Resource: win10v2004-20220812-en
General
Target: 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
Size: 6.2MB
MD5: f65a72d90a92954a5268384e21f8480d
SHA1: 2afeed5ab78b05c44b1a683b4e2b6baab2b44a3b
SHA256: 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad
SHA512: 13f852af9d637fc0fb770a6e796da753e9e383ea83df6faf757a6727ba3e3d0b7434603f18ec8d88d9796d8118524b16f467829ee1f6b46d9c357a355bdc79ad
SSDEEP: 98304:ylrZ4WJx/oW4JZJzMHgDTceWglJ/HDlRdsrK4PI9+C8qlXwX6Msa8QLBe23yB5L:m5Jx34TJwHgDA4J/BRtC7jqBYHLiV
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes (pid | process):
2700 | Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
Sets service image path in registry (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\OALX\ImagePath = "C:\\Program Files\\Qigx\\Iccsy.exe" | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
Checks whether UAC is enabled
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
Drops file in Program Files directory (15 IoCs)
Processes (description | ioc | process):
File created | C:\Program Files\Qigx\jy.ini | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
File opened for modification | C:\Program Files\Qigx\mexos.exe | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
File opened for modification | C:\Program Files\Qigx\noxos\pat.xml | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
File opened for modification | C:\Program Files\Qigx\cotesa.exe | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
File created | C:\Program Files\Qigx\noxos\sasoce.dll | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
File opened for modification | C:\Program Files\Common Files\System\Ole DB\MSPat.xml | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
File opened for modification | C:\Program Files\Qigx\jy.ini | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
File created | C:\Program Files\Qigx\noxos\pat.xml | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
File opened for modification | C:\Program Files\Qigx\noxos\sasoce.dll | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
File created | C:\Program Files\Qigx\cotesa.exe | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
File created | C:\Program Files\Qigx\mexos.exe | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
File created | C:\Program Files\Common Files\System\Ole DB\MSPat.xml | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
File opened for modification | C:\Program Files\Qigx\Bmhe.exe | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
File opened for modification | C:\Program Files\Qigx\Iccsy.exe | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
File opened for modification | C:\Program Files\Qigx\Ztwug\Agabq.dll | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Processes (description | ioc | process):
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0130e4ee000d901 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1171732951" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1171732951" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00f99447e000d901 | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998752" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0b332d616739e44ac1a24dbd0f848b60000000002000000000010660000000100002000000023f008ecfb90e8c4114445a1013a9cb73054dc2571d8f073fe9a7b2bf9f91459000000000e8000000002000020000000fe8e0057036556764f58d570f425cced24fe47978b4eaded3f5f93648c96f7de20000000917db43a172237661bfb61d5fccbd0c7b26d2b9aa904db06dd1d11bf22c487de400000007382a1ed7b391a984c7fc043a623068df0c68570fbb6b403eabd3a876fecd86e18eaf3eb64948c69e49f91a52457dd182a379f499bda7cbf2d2e33d5bf99a336 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998752" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{703C82EE-6CD3-11ED-B696-5ECC372795C7} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0b332d616739e44ac1a24dbd0f848b600000000020000000000106600000001000020000000e4f12cf7ec247f30a8f108aec540b4480cd97b5968e8b2fe12eaccfe5ff9e8e7000000000e80000000020000200000004333bcae5900eee535bf2a0d3411f1622acb4d491f0717375934d4e285c2cc132000000012bae32d4e5d8deaa9897910d06240e33a8180079fd7f648a6fa54d75c428886400000001bf3001dc391f71fffc8fe5de36180d8e0a8a08ecf7266f0c5f5a1d9c538fceab5db32260a99f350bd4dfce74060169e9e5978ce70d648f331fe1717035ed893 | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes (pid | process):
1700 | iexplore.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes (pid | process):
2700 | Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
2700 | Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
1700 | iexplore.exe
1700 | iexplore.exe
4444 | IEXPLORE.EXE
4444 | IEXPLORE.EXE
4444 | IEXPLORE.EXE
4444 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
PID 4620 wrote to memory of 2700 | 4620 | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe | Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
PID 4620 wrote to memory of 2700 | 4620 | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe | Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
PID 4620 wrote to memory of 2700 | 4620 | 25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe | Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
PID 1700 wrote to memory of 4444 | 1700 | iexplore.exe | IEXPLORE.EXE
PID 1700 wrote to memory of 4444 | 1700 | iexplore.exe | IEXPLORE.EXE
PID 1700 wrote to memory of 4444 | 1700 | iexplore.exe | IEXPLORE.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe"
  - Sets service image path in registry
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 4620
  C:\Users\Admin\AppData\Local\Temp\g8F32\Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\g8F32\Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of SetWindowsHookEx
    PID: 2700
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  Command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E} -Embedding
  PID: 720
C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1700
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 4444
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\g8F32\Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
  Filesize: 4.3MB
  MD5: 33007da7cd61792e63acba2a48d373cd
  SHA1: e33f07778555ddff8138fccaa80629eda9adbd55
  SHA256: 9d07531ac0deb500f122d145f15851dfe7a06007fd5bdb2a22476e6e1c3cd573
  SHA512: 01bb378c7c341797728f50619094f3c059d2a34286815436fbab226b739b24c16208800fb2b51278e6a1857484a95b9d59fa045608be143429d4d556343b6e0f
memory/2700-132-0x0000000000000000-mapping.dmp