38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd

General

Target

38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe
Size

1.0MB
MD5

7992f099c86bdfff34cb9db59c6677e0
SHA1

4f63d331cf4f95dc085dbaf95372964086102c08
SHA256

38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd
SHA512

a1518c3a7f1979dd1608307561a0dc69c86f6124707d1e89ddbbad615aaa97b085179986f758d771755174ea1545c41354ce85b932bb21f3beb93d4c9da4ccbc

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\pWIoYYEQ\\LAgEQkEA.exe,"	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\pWIoYYEQ\\LAgEQkEA.exe,"	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 4 IoCs

Processes:

TWkAgMwI.exeLAgEQkEA.exePSMccEEs.exeSetup.exe

pid process

580 TWkAgMwI.exe
1104 LAgEQkEA.exe
1544 PSMccEEs.exe
3908 Setup.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

TWkAgMwI.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation TWkAgMwI.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	TWkAgMwI.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TWkAgMwI.exeLAgEQkEA.exePSMccEEs.exe38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\TWkAgMwI.exe = "C:\\Users\\Admin\\AGUUkwIs\\TWkAgMwI.exe"	TWkAgMwI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAgEQkEA.exe = "C:\\ProgramData\\pWIoYYEQ\\LAgEQkEA.exe"	LAgEQkEA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAgEQkEA.exe = "C:\\ProgramData\\pWIoYYEQ\\LAgEQkEA.exe"	PSMccEEs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\TWkAgMwI.exe = "C:\\Users\\Admin\\AGUUkwIs\\TWkAgMwI.exe"	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAgEQkEA.exe = "C:\\ProgramData\\pWIoYYEQ\\LAgEQkEA.exe"	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe

Drops file in System32 directory 7 IoCs

Processes:

TWkAgMwI.exePSMccEEs.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	TWkAgMwI.exe
File opened for modification	C:\Windows\SysWOW64\sheEnablePop.exe	TWkAgMwI.exe
File opened for modification	C:\Windows\SysWOW64\sheResolveConnect.png	TWkAgMwI.exe
File opened for modification	C:\Windows\SysWOW64\sheSwitchSend.docx	TWkAgMwI.exe
File opened for modification	C:\Windows\SysWOW64\sheWatchUnprotect.xls	TWkAgMwI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AGUUkwIs	PSMccEEs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AGUUkwIs\TWkAgMwI	PSMccEEs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

2560 reg.exe
2476 reg.exe
2736 reg.exe

pid	process
2560	reg.exe
2476	reg.exe
2736	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exeTWkAgMwI.exe

pid	process
3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe
3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe
3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe
3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TWkAgMwI.exe

pid process

580 TWkAgMwI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

TWkAgMwI.exe

pid	process
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe
580	TWkAgMwI.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Setup.exe

pid process

3908 Setup.exe
3908 Setup.exe
3908 Setup.exe

pid	process
3908	Setup.exe
3908	Setup.exe
3908	Setup.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.execmd.exe

description	pid	process	target process
PID 3952 wrote to memory of 580	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	TWkAgMwI.exe
PID 3952 wrote to memory of 580	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	TWkAgMwI.exe
PID 3952 wrote to memory of 580	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	TWkAgMwI.exe
PID 3952 wrote to memory of 1104	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	LAgEQkEA.exe
PID 3952 wrote to memory of 1104	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	LAgEQkEA.exe
PID 3952 wrote to memory of 1104	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	LAgEQkEA.exe
PID 3952 wrote to memory of 2136	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	cmd.exe
PID 3952 wrote to memory of 2136	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	cmd.exe
PID 3952 wrote to memory of 2136	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	cmd.exe
PID 3952 wrote to memory of 2476	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	reg.exe
PID 3952 wrote to memory of 2476	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	reg.exe
PID 3952 wrote to memory of 2476	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	reg.exe
PID 3952 wrote to memory of 2560	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	reg.exe
PID 3952 wrote to memory of 2560	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	reg.exe
PID 3952 wrote to memory of 2560	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	reg.exe
PID 3952 wrote to memory of 2736	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	reg.exe
PID 3952 wrote to memory of 2736	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	reg.exe
PID 3952 wrote to memory of 2736	3952	38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe	reg.exe
PID 2136 wrote to memory of 3908	2136	cmd.exe	Setup.exe
PID 2136 wrote to memory of 3908	2136	cmd.exe	Setup.exe
PID 2136 wrote to memory of 3908	2136	cmd.exe	Setup.exe

C:\Users\Admin\AppData\Local\Temp\38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe
"C:\Users\Admin\AppData\Local\Temp\38dce48f9f469e10e6c15f6ce2fb345339d37b17aa037719754a3c02fee9a8cd.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\AGUUkwIs\TWkAgMwI.exe
"C:\Users\Admin\AGUUkwIs\TWkAgMwI.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:580

C:\ProgramData\pWIoYYEQ\LAgEQkEA.exe
"C:\ProgramData\pWIoYYEQ\LAgEQkEA.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2560

C:\ProgramData\hSgcQMcw\PSMccEEs.exe
C:\ProgramData\hSgcQMcw\PSMccEEs.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

5

T1112

Hidden Files and Directories

1

T1158

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hSgcQMcw\PSMccEEs.exe
MD5
06107cb301f9bc4fba75222a0af0dd63

SHA1
b154146c9854f5780a5ad62019d25702331948eb

SHA256
690a697e71a02fda1d55865f75988554b44ec9716c037766d06ccd1537c91d4c

SHA512
5a85957f96885ceed359552ba68c9849e56c874cd6de0321a9938e16d9eb8ce1a61862d16eaafff60b99c2c51aa37168dbd436bdc70533ca06bb3adfc242826e

Download Submit
C:\ProgramData\hSgcQMcw\PSMccEEs.exe
MD5
06107cb301f9bc4fba75222a0af0dd63

SHA1
b154146c9854f5780a5ad62019d25702331948eb

SHA256
690a697e71a02fda1d55865f75988554b44ec9716c037766d06ccd1537c91d4c

SHA512
5a85957f96885ceed359552ba68c9849e56c874cd6de0321a9938e16d9eb8ce1a61862d16eaafff60b99c2c51aa37168dbd436bdc70533ca06bb3adfc242826e

Download Submit
C:\ProgramData\pWIoYYEQ\LAgEQkEA.exe
MD5
ba3dc2743b67f0b8946a7ce6a7edb355

SHA1
1e73c0cbdeafd2825d8890b9a34d311ec13df269

SHA256
b4d0030a286f1bce2a66b6723c54923e6c5fc4ac848c8d9e90e3fe84fd278f9d

SHA512
b382ccc7836c29045d8af8f9f9e50a5ea92918adc542c977f06d386c2993ef2b4e02a9593ba321e35a80ce4a8c31791148a2e81c03d66b502d1d4dbe88f574aa

Download Submit
C:\ProgramData\pWIoYYEQ\LAgEQkEA.exe
MD5
ba3dc2743b67f0b8946a7ce6a7edb355

SHA1
1e73c0cbdeafd2825d8890b9a34d311ec13df269

SHA256
b4d0030a286f1bce2a66b6723c54923e6c5fc4ac848c8d9e90e3fe84fd278f9d

SHA512
b382ccc7836c29045d8af8f9f9e50a5ea92918adc542c977f06d386c2993ef2b4e02a9593ba321e35a80ce4a8c31791148a2e81c03d66b502d1d4dbe88f574aa

Download Submit
C:\Users\Admin\AGUUkwIs\TWkAgMwI.exe
MD5
2d1bc58ef0c3076caf12e33271e2e36d

SHA1
c4ff2b4ae7a538fae820792780d9ecc1d824be98

SHA256
03b18ed0ffa83debe7d303b075664edaa5ff502360519a53571c51bdf9b77316

SHA512
de4bb1fa10413399be811378160372ef1e9269e3b67de6f6f7ae59eb673a1f2e2d028b5bdbb72d6548c8c64643231ade4da94340378ee44e1d2672d4a0e6909e

Download Submit
C:\Users\Admin\AGUUkwIs\TWkAgMwI.exe
MD5
2d1bc58ef0c3076caf12e33271e2e36d

SHA1
c4ff2b4ae7a538fae820792780d9ecc1d824be98

SHA256
03b18ed0ffa83debe7d303b075664edaa5ff502360519a53571c51bdf9b77316

SHA512
de4bb1fa10413399be811378160372ef1e9269e3b67de6f6f7ae59eb673a1f2e2d028b5bdbb72d6548c8c64643231ade4da94340378ee44e1d2672d4a0e6909e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
MD5
96f7cb9f7481a279bd4bc0681a3b993e

SHA1
deaedb5becc6c0bd263d7cf81e0909b912a1afd4

SHA256
d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290

SHA512
694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
MD5
96f7cb9f7481a279bd4bc0681a3b993e

SHA1
deaedb5becc6c0bd263d7cf81e0909b912a1afd4

SHA256
d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290

SHA512
694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

Download Submit
memory/580-114-0x0000000000000000-mapping.dmp

Download
memory/1104-117-0x0000000000000000-mapping.dmp

Download
memory/2136-122-0x0000000000000000-mapping.dmp

Download
memory/2476-123-0x0000000000000000-mapping.dmp

Download
memory/2560-124-0x0000000000000000-mapping.dmp

Download
memory/2736-125-0x0000000000000000-mapping.dmp

Download
memory/3908-126-0x0000000000000000-mapping.dmp

Download

pid	process
580	TWkAgMwI.exe
1104	LAgEQkEA.exe
1544	PSMccEEs.exe
3908	Setup.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads