b192ae6403671309e50c0b1f7bbe0eb232890debe7db2227c1d9b942c0a4c4b2

General

Target

7ab153dd8625a17d72a2a064ae4ae0d7.exe
Size

444KB
MD5

7ab153dd8625a17d72a2a064ae4ae0d7
SHA1

266d264def8bacc8650dc786aa33e1badf2a5a7c
SHA256

b192ae6403671309e50c0b1f7bbe0eb232890debe7db2227c1d9b942c0a4c4b2
SHA512

11691795e76a4eb4d939420ca33cd25031a24abce299bc7c32d0a5909163233874ea7fce551843e115a6dd73e65162a843c24ae7e61006ba27453aa3e343022a
SSDEEP

12288:pcI0dNtbBZAHlEcNz+tltwqyE0kxrF48Ds7dGiiTLdtYRYDxwN7g+9JpuLCz:sbB+z+1wnE/sgiiVtzxy7g4fuWz

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
4928	SeYkwMgk.exe
4484	dUoYMkUk.exe
3212	BmMwkAok.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dUoYMkUk.exe = "C:\\ProgramData\\Maoowsco\\dUoYMkUk.exe"	BmMwkAok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeYkwMgk.exe = "C:\\Users\\Admin\\jGgEoQoM\\SeYkwMgk.exe"	7ab153dd8625a17d72a2a064ae4ae0d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dUoYMkUk.exe = "C:\\ProgramData\\Maoowsco\\dUoYMkUk.exe"	7ab153dd8625a17d72a2a064ae4ae0d7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeYkwMgk.exe = "C:\\Users\\Admin\\jGgEoQoM\\SeYkwMgk.exe"	SeYkwMgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dUoYMkUk.exe = "C:\\ProgramData\\Maoowsco\\dUoYMkUk.exe"	dUoYMkUk.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\jGgEoQoM	BmMwkAok.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\jGgEoQoM\SeYkwMgk	BmMwkAok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
3176	reg.exe
3600	reg.exe
432	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
768	7ab153dd8625a17d72a2a064ae4ae0d7.exe
768	7ab153dd8625a17d72a2a064ae4ae0d7.exe
768	7ab153dd8625a17d72a2a064ae4ae0d7.exe
768	7ab153dd8625a17d72a2a064ae4ae0d7.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 4928	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	91
PID 768 wrote to memory of 4928	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	91
PID 768 wrote to memory of 4928	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	91
PID 768 wrote to memory of 4484	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	92
PID 768 wrote to memory of 4484	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	92
PID 768 wrote to memory of 4484	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	92
PID 768 wrote to memory of 2636	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	95
PID 768 wrote to memory of 2636	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	95
PID 768 wrote to memory of 2636	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	95
PID 768 wrote to memory of 432	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	96
PID 768 wrote to memory of 432	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	96
PID 768 wrote to memory of 432	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	96
PID 768 wrote to memory of 3600	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	102
PID 768 wrote to memory of 3600	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	102
PID 768 wrote to memory of 3600	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	102
PID 768 wrote to memory of 3176	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	99
PID 768 wrote to memory of 3176	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	99
PID 768 wrote to memory of 3176	768	7ab153dd8625a17d72a2a064ae4ae0d7.exe	99

C:\Users\Admin\AppData\Local\Temp\7ab153dd8625a17d72a2a064ae4ae0d7.exe
"C:\Users\Admin\AppData\Local\Temp\7ab153dd8625a17d72a2a064ae4ae0d7.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:768
- C:\Users\Admin\jGgEoQoM\SeYkwMgk.exe
  "C:\Users\Admin\jGgEoQoM\SeYkwMgk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4928
- C:\ProgramData\Maoowsco\dUoYMkUk.exe
  "C:\ProgramData\Maoowsco\dUoYMkUk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\executer.zip
  2⤵
  - Modifies registry class
  PID:2636
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:432
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:3176
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3600

C:\ProgramData\kIkwAscA\BmMwkAok.exe
C:\ProgramData\kIkwAscA\BmMwkAok.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Maoowsco\dUoYMkUk.exe

Filesize
432KB

MD5
ad05db50f2722f0f6d481a98d69269cd

SHA1
d9786d1e9fde6caf100924a3a981679ef8a973a7

SHA256
22ac2f13c3b3c21911a6679a74c10da1ed6bc9fde4aa3bade7609d45dd2084cd

SHA512
916f87917b8443a3448ff675550f2e5531804b99c7a5bd48485bc81f247d2420ed7e01e3fdaabec8760b864412e9170775cab292e291b086c576e75d522041fe

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
561KB

MD5
e6e3461725a3d802d40ae3501ac712d4

SHA1
57a5c9993f6ab0762fe4948ea6080439c3e5450d

SHA256
06658df14c395bb649ed80d2916607b53a82f01e9509f92cec805277d31a6202

SHA512
c97fac4540dacd29f4f37442f57e95560307c723d2117c81f3840fe683762a59303d835378dd7087c1169a143550c584e9a86ac35de20af8f166ff42c721016f

Download Submit
C:\ProgramData\kIkwAscA\BmMwkAok.exe

Filesize
434KB

MD5
a53603cea31401095629b975039780b7

SHA1
0d3d29364e47277dd1560df9823b67a6f6f357e5

SHA256
e59a72c351afa4b82260cec4ea9d168175b11fd13bf64b876b81f9f7b61678cb

SHA512
d63df55f41033fb551d6799c031b006561ceb3ba3d14283e231429be5193b592620bf706df30adbe1e18e4824229c945ba1124822805f6c86602a499b111928c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAIe.exe

Filesize
883KB

MD5
75036470b461b2b7622f5e8de520837f

SHA1
cab8555348a428ab6c106855df5f7ff28f9ad522

SHA256
d69a681266bd35879d6a322d47f45a5397634c8d4a1f1cbdd8e4018d15536ec5

SHA512
5b9eb073012ebcfb91db0d4cd1bb213c1f8e3219ea7eb789ea138eaba402095c038d5768ff6380df1dfc9f4e50019a36799cc9c809bcad88e359268ecb4826e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIsm.exe

Filesize
472KB

MD5
1ea11d36e4a39c0b3eccc1124b83baa6

SHA1
f762e23758c71bdd1db88ab57c54efbfd13d2de1

SHA256
2a07e57e2573692398a2e5b8f4899da32af07509ffa575d31328cba973283131

SHA512
8df1b7e786ecfaa7c3aa20cfedec6a6aa3a8b31cde8528456f0eb0ad13b13949ac2630ec8f83f8f9184c03426bc99d321ac0cb61c486b406a7d9f54d1d6130b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\executer.zip

Filesize
9KB

MD5
26bb5e2d53038815526fa82d25ead540

SHA1
c6d04ebc85597d61a394d95212d1b73b12ef1ad3

SHA256
b16a8104d734138007da720f15cb7e5f50705000d2a66a6d13e897be08a85d26

SHA512
aceb7850ff65520973803066f9777bb02d321d5544e83bfc9212013079004d82f16bc6fb23c9c8c170037fd84263aa4bcfbc86e64d8f61c3a178692698e0adca

Download Submit
C:\Users\Admin\jGgEoQoM\SeYkwMgk.exe

Filesize
433KB

MD5
890cb1495d7f07229c50c02e1b10ea5b

SHA1
9654e39b3a8dcbfa5a41d43b74c27d47fb275772

SHA256
11e350408e2d1020df63f26066a1f08eff3a0b04a2a41c6a0ade1445f0e87b7f

SHA512
09da59ef72059c48a871363dc4edc06b680edbd32ff267d364711fd7bb7581616a91d67eaebf0e6a5cc25a33fd84610fd30691aecf820f5cf77de5b84295d64a

Download Submit
C:\odt\office2016setup.exe

Filesize
5.5MB

MD5
2b9995c12b53c1709184ad0c1de6f132

SHA1
8186a0bd614e4d2313a502493d56bd8e7171004d

SHA256
c8cb9663b300184884ec241bff7b26614d18b2bb95382d88345ecac426c59f14

SHA512
f77b2c59f649bdc634aa78cb250d60fe62ac82c3124cc9bc896ebad0d220e12777bc8e74684691d9674aa48e25d3d97257996abf8fee1f59f994014471358eaa

Download Submit
memory/768-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/768-21-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3212-20-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3212-45-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4484-12-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4484-28-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4928-24-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4928-8-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads