4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23

General

Target

4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe
Size

623KB
MD5

6cfb969b2b61fab4bcb4c3b33c987014
SHA1

79e74d1e8fae81b2b1c37769627ac46947f0bc76
SHA256

4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23
SHA512

50af7576b9f6237794dcb0ea1b8c6fcddfc405c7423b9829801cdb9f6ec82b1bff3e4282c0204c96be379bff6007ecfc262c6fd38431ab3f5a9a83197b1644c6

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\fUEoQQYA\\ukcksYks.exe,"	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\fUEoQQYA\\ukcksYks.exe,"	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 4 IoCs

Processes:

amMwQgQA.exeukcksYks.exeMsAgUMEU.exechoco.exe

pid process

584 amMwQgQA.exe
1192 ukcksYks.exe
1640 MsAgUMEU.exe
2576 choco.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ukcksYks.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation ukcksYks.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
584	amMwQgQA.exe
1192	ukcksYks.exe
1640	MsAgUMEU.exe
2576	choco.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	ukcksYks.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ukcksYks.exeMsAgUMEU.exe4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exeamMwQgQA.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ukcksYks.exe = "C:\\ProgramData\\fUEoQQYA\\ukcksYks.exe"	ukcksYks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ukcksYks.exe = "C:\\ProgramData\\fUEoQQYA\\ukcksYks.exe"	MsAgUMEU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\amMwQgQA.exe = "C:\\Users\\Admin\\ucUUgIsY\\amMwQgQA.exe"	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ukcksYks.exe = "C:\\ProgramData\\fUEoQQYA\\ukcksYks.exe"	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\amMwQgQA.exe = "C:\\Users\\Admin\\ucUUgIsY\\amMwQgQA.exe"	amMwQgQA.exe

Drops file in System32 directory 6 IoCs

Processes:

MsAgUMEU.exeukcksYks.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\ucUUgIsY	MsAgUMEU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\ucUUgIsY\amMwQgQA	MsAgUMEU.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	ukcksYks.exe
File opened for modification	C:\Windows\SysWOW64\sheBlockUninstall.bmp	ukcksYks.exe
File opened for modification	C:\Windows\SysWOW64\sheJoinEnter.jpg	ukcksYks.exe
File opened for modification	C:\Windows\SysWOW64\sheUnlockRedo.pdf	ukcksYks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

2532 reg.exe
3584 reg.exe
2824 reg.exe

pid	process
2532	reg.exe
3584	reg.exe
2824	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exeukcksYks.exe

pid	process
3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe
3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe
3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe
3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ukcksYks.exe

pid process

1192 ukcksYks.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

ukcksYks.exe

pid	process
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe
1192	ukcksYks.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.execmd.exe

description	pid	process	target process
PID 3152 wrote to memory of 584	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	amMwQgQA.exe
PID 3152 wrote to memory of 584	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	amMwQgQA.exe
PID 3152 wrote to memory of 584	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	amMwQgQA.exe
PID 3152 wrote to memory of 1192	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	ukcksYks.exe
PID 3152 wrote to memory of 1192	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	ukcksYks.exe
PID 3152 wrote to memory of 1192	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	ukcksYks.exe
PID 3152 wrote to memory of 2196	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	cmd.exe
PID 3152 wrote to memory of 2196	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	cmd.exe
PID 3152 wrote to memory of 2196	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	cmd.exe
PID 3152 wrote to memory of 2532	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	reg.exe
PID 3152 wrote to memory of 2532	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	reg.exe
PID 3152 wrote to memory of 2532	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	reg.exe
PID 2196 wrote to memory of 2576	2196	cmd.exe	choco.exe
PID 2196 wrote to memory of 2576	2196	cmd.exe	choco.exe
PID 3152 wrote to memory of 2824	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	reg.exe
PID 3152 wrote to memory of 2824	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	reg.exe
PID 3152 wrote to memory of 2824	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	reg.exe
PID 3152 wrote to memory of 3584	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	reg.exe
PID 3152 wrote to memory of 3584	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	reg.exe
PID 3152 wrote to memory of 3584	3152	4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe
"C:\Users\Admin\AppData\Local\Temp\4a394a5f68be6704adc8bac0ac9c3ef89e3295b9fd26c92363ae95ff2a8f8d23.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\ucUUgIsY\amMwQgQA.exe
"C:\Users\Admin\ucUUgIsY\amMwQgQA.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:584

C:\ProgramData\fUEoQQYA\ukcksYks.exe
"C:\ProgramData\fUEoQQYA\ukcksYks.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\choco.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\choco.exe
C:\Users\Admin\AppData\Local\Temp\choco.exe
3⤵
- Executes dropped EXE
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:3584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2824

C:\ProgramData\OEIEcwAM\MsAgUMEU.exe
C:\ProgramData\OEIEcwAM\MsAgUMEU.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

5

T1112

Hidden Files and Directories

1

T1158

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OEIEcwAM\MsAgUMEU.exe
MD5
0608348c21afd005dc50c9c90ebfc896

SHA1
fc449d5dca4311062f18133a238344aede10de63

SHA256
d8b1f9de1e409513beb9cc684c054a139439d1a7190658c9dbcf74f14eb92a2b

SHA512
1d44470d5ae6b9dae18fa3e84e82ec1668f19ca2a575ccbffc10ac2a55be50a3bc67758e60bd4bb6a3b11abdd322545b3fbf7a5068585e4d44f26385f78d15fe

Download Submit
C:\ProgramData\OEIEcwAM\MsAgUMEU.exe
MD5
0608348c21afd005dc50c9c90ebfc896

SHA1
fc449d5dca4311062f18133a238344aede10de63

SHA256
d8b1f9de1e409513beb9cc684c054a139439d1a7190658c9dbcf74f14eb92a2b

SHA512
1d44470d5ae6b9dae18fa3e84e82ec1668f19ca2a575ccbffc10ac2a55be50a3bc67758e60bd4bb6a3b11abdd322545b3fbf7a5068585e4d44f26385f78d15fe

Download Submit
C:\ProgramData\fUEoQQYA\ukcksYks.exe
MD5
c64aea81544ca5e9a1a143b21932b6d1

SHA1
393bf58bf444c1d3dba5d4ffd9969223cde1ca0a

SHA256
a021621e007468773555510cc943a18c9a5053be88b8947ac2a1c807ee2d2087

SHA512
dc7cc10e0ca6b746735401c06d55085107b039aeee2f9708e7a6f2bf6be956c2fe5318f71c1fb64e63070a195eeaf06615b2617b6385a10088fec86a28f8c7c0

Download Submit
C:\ProgramData\fUEoQQYA\ukcksYks.exe
MD5
c64aea81544ca5e9a1a143b21932b6d1

SHA1
393bf58bf444c1d3dba5d4ffd9969223cde1ca0a

SHA256
a021621e007468773555510cc943a18c9a5053be88b8947ac2a1c807ee2d2087

SHA512
dc7cc10e0ca6b746735401c06d55085107b039aeee2f9708e7a6f2bf6be956c2fe5318f71c1fb64e63070a195eeaf06615b2617b6385a10088fec86a28f8c7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\choco.exe
MD5
c258b25b6ec8f09230e272033ad4b2fa

SHA1
c4e862d33fe8915818d9e58d428c7324a436f97f

SHA256
29f612bb3cc7a9712baaae62b49b0c03a661280b8bf0177b2713a13c016d0b32

SHA512
21f7da9bf267f4cb897d9475f8a6f32e6f7e777c3f761b739da4038d44c2786030bc46ab54a8832205d1fb1fe944d7005eb34ddad3700c4c79bcdb932191b90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\choco.exe
MD5
c258b25b6ec8f09230e272033ad4b2fa

SHA1
c4e862d33fe8915818d9e58d428c7324a436f97f

SHA256
29f612bb3cc7a9712baaae62b49b0c03a661280b8bf0177b2713a13c016d0b32

SHA512
21f7da9bf267f4cb897d9475f8a6f32e6f7e777c3f761b739da4038d44c2786030bc46ab54a8832205d1fb1fe944d7005eb34ddad3700c4c79bcdb932191b90c

Download Submit
C:\Users\Admin\ucUUgIsY\amMwQgQA.exe
MD5
a9e12201232171a2299f73192c9f6771

SHA1
359d34908da3e15d7a4ef175ebcbdfd955d86e01

SHA256
31a4bb8d6e0bb0822f48e99bdb9e4ce3b9df30a0bd0d781633816e949b0741e1

SHA512
4720d1deca638ff49e487399d1c94912a8bf75dfc6082bf7952e90184f313ff25e4c8b3ea030f3aacaf6b15ad86d843bc6424e0c28337291a35ef4d29da9598e

Download Submit
C:\Users\Admin\ucUUgIsY\amMwQgQA.exe
MD5
a9e12201232171a2299f73192c9f6771

SHA1
359d34908da3e15d7a4ef175ebcbdfd955d86e01

SHA256
31a4bb8d6e0bb0822f48e99bdb9e4ce3b9df30a0bd0d781633816e949b0741e1

SHA512
4720d1deca638ff49e487399d1c94912a8bf75dfc6082bf7952e90184f313ff25e4c8b3ea030f3aacaf6b15ad86d843bc6424e0c28337291a35ef4d29da9598e

Download Submit
memory/584-114-0x0000000000000000-mapping.dmp

Download
memory/1192-117-0x0000000000000000-mapping.dmp

Download
memory/2196-122-0x0000000000000000-mapping.dmp

Download
memory/2532-123-0x0000000000000000-mapping.dmp

Download
memory/2576-124-0x0000000000000000-mapping.dmp

Download
memory/2576-129-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2576-131-0x000000001B620000-0x000000001B622000-memory.dmp

Filesize
8KB

Download
memory/2824-126-0x0000000000000000-mapping.dmp

Download
memory/3584-127-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads