Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 04-05-2021 19:56

Static task: static1

Behavioral task: behavioral1
- Sample: 38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: 38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe
- Resource: win10v20210410
General
- Target: 38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe
- Size: 1.0MB
- MD5: 7992f099c86bdfff34cb9db59c6677e0
- SHA1: 4f63d331cf4f95dc085dbaf95372964086102c08
- SHA256: 38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd
- SHA512: a1518c3a7f1979dd1608307561a0dc69c86f6124707d1e89ddbbad615aaa97b085179986f758d771755174ea1545c41354ce85b932bb21f3beb93d4c9da4ccbc
Malware Config
Signatures

- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\pWIoYYEQ\\LAgEQkEA.exe," | 38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\pWIoYYEQ\\LAgEQkEA.exe," | 38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe

- Modifies visibility of file extensions in Explorer (2 TTPs)

- Executes dropped EXE (4 IoCs)
  Processes (pid | process):
  580 | TWkAgMwI.exe
  1104 | LAgEQkEA.exe
  1544 | PSMccEEs.exe
  3908 | Setup.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | TWkAgMwI.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\TWkAgMwI.exe = "C:\\Users\\Admin\\AGUUkwIs\\TWkAgMwI.exe" | TWkAgMwI.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAgEQkEA.exe = "C:\\ProgramData\\pWIoYYEQ\\LAgEQkEA.exe" | LAgEQkEA.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAgEQkEA.exe = "C:\\ProgramData\\pWIoYYEQ\\LAgEQkEA.exe" | PSMccEEs.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\TWkAgMwI.exe = "C:\\Users\\Admin\\AGUUkwIs\\TWkAgMwI.exe" | 38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAgEQkEA.exe = "C:\\ProgramData\\pWIoYYEQ\\LAgEQkEA.exe" | 38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe

- Drops file in System32 directory (7 IoCs)
  Processes (description | ioc | process):
  File created | C:\Windows\SysWOW64\shell32.dll.exe | TWkAgMwI.exe
  File opened for modification | C:\Windows\SysWOW64\sheEnablePop.exe | TWkAgMwI.exe
  File opened for modification | C:\Windows\SysWOW64\sheResolveConnect.png | TWkAgMwI.exe
  File opened for modification | C:\Windows\SysWOW64\sheSwitchSend.docx | TWkAgMwI.exe
  File opened for modification | C:\Windows\SysWOW64\sheWatchUnprotect.xls | TWkAgMwI.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AGUUkwIs | PSMccEEs.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AGUUkwIs\TWkAgMwI | PSMccEEs.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies registry key (1 TTP, 3 IoCs)

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
  3952 | 38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe (4 entries)
  580 | TWkAgMwI.exe (60 entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  580 | TWkAgMwI.exe

- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes (pid | process):
  580 | TWkAgMwI.exe (64 entries)

- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid | process):
  3908 | Setup.exe (3 entries)

- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description | pid | process | target process), each recorded 3 times:
  PID 3952 wrote to memory of 580 | 3952 | 38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe | TWkAgMwI.exe
  PID 3952 wrote to memory of 1104 | 3952 | 38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe | LAgEQkEA.exe
  PID 3952 wrote to memory of 2136 | 3952 | 38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe | cmd.exe
  PID 3952 wrote to memory of 2476 | 3952 | 38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe | reg.exe
  PID 3952 wrote to memory of 2560 | 3952 | 38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe | reg.exe
  PID 3952 wrote to memory of 2736 | 3952 | 38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe | reg.exe
  PID 2136 wrote to memory of 3908 | 2136 | cmd.exe | Setup.exe
Processes (tree; indentation shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AGUUkwIs\TWkAgMwI.exe
    command line: "C:\Users\Admin\AGUUkwIs\TWkAgMwI.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow

  - C:\ProgramData\pWIoYYEQ\LAgEQkEA.exe
    command line: "C:\ProgramData\pWIoYYEQ\LAgEQkEA.exe"
    - Executes dropped EXE
    - Adds Run key to start application

  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Setup.exe
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      command line: C:\Users\Admin\AppData\Local\Temp\Setup.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

  - C:\Windows\SysWOW64\reg.exe
    command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    - Modifies registry key

  - C:\Windows\SysWOW64\reg.exe
    command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    - Modifies registry key

  - C:\Windows\SysWOW64\reg.exe
    command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    - Modifies registry key

- C:\ProgramData\hSgcQMcw\PSMccEEs.exe
  command line: C:\ProgramData\hSgcQMcw\PSMccEEs.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
Downloads

- C:\ProgramData\hSgcQMcw\PSMccEEs.exe
  MD5: 06107cb301f9bc4fba75222a0af0dd63
  SHA1: b154146c9854f5780a5ad62019d25702331948eb
  SHA256: 690a697e71a02fda1d55865f75988554b44ec9716c037766d06ccd1537c91d4c
  SHA512: 5a85957f96885ceed359552ba68c9849e56c874cd6de0321a9938e16d9eb8ce1a61862d16eaafff60b99c2c51aa37168dbd436bdc70533ca06bb3adfc242826e
- C:\ProgramData\pWIoYYEQ\LAgEQkEA.exe
  MD5: ba3dc2743b67f0b8946a7ce6a7edb355
  SHA1: 1e73c0cbdeafd2825d8890b9a34d311ec13df269
  SHA256: b4d0030a286f1bce2a66b6723c54923e6c5fc4ac848c8d9e90e3fe84fd278f9d
  SHA512: b382ccc7836c29045d8af8f9f9e50a5ea92918adc542c977f06d386c2993ef2b4e02a9593ba321e35a80ce4a8c31791148a2e81c03d66b502d1d4dbe88f574aa
- C:\Users\Admin\AGUUkwIs\TWkAgMwI.exe
  MD5: 2d1bc58ef0c3076caf12e33271e2e36d
  SHA1: c4ff2b4ae7a538fae820792780d9ecc1d824be98
  SHA256: 03b18ed0ffa83debe7d303b075664edaa5ff502360519a53571c51bdf9b77316
  SHA512: de4bb1fa10413399be811378160372ef1e9269e3b67de6f6f7ae59eb673a1f2e2d028b5bdbb72d6548c8c64643231ade4da94340378ee44e1d2672d4a0e6909e
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  MD5: 96f7cb9f7481a279bd4bc0681a3b993e
  SHA1: deaedb5becc6c0bd263d7cf81e0909b912a1afd4
  SHA256: d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290
  SHA512: 694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149
Memory dumps:
- memory/580-114-0x0000000000000000-mapping.dmp
- memory/1104-117-0x0000000000000000-mapping.dmp
- memory/2136-122-0x0000000000000000-mapping.dmp
- memory/2476-123-0x0000000000000000-mapping.dmp
- memory/2560-124-0x0000000000000000-mapping.dmp
- memory/2736-125-0x0000000000000000-mapping.dmp
- memory/3908-126-0x0000000000000000-mapping.dmp