d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150

General

Target

d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe
Size

751KB
MD5

fccc8b790688733655648d094067c973
SHA1

d1ad3d12450727afe24777ca23dcb27b7292978a
SHA256

d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150
SHA512

21b782e50caae4dee02e70f64651adc788bfdf9dedc12468b45d4509597da53e05c6be660bcd41ea10f135c3967cc58b733c84b8592d8e445184b920bb92fddb

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\HiwwgEgQ\\UGEAQMoI.exe,"	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\HiwwgEgQ\\UGEAQMoI.exe,"	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 4 IoCs

Processes:

JwcUUYQg.exeUGEAQMoI.exeUkEkIQQQ.exechocolatey.exe

pid process

988 JwcUUYQg.exe
4088 UGEAQMoI.exe
796 UkEkIQQQ.exe
3544 chocolatey.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

JwcUUYQg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	JwcUUYQg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exeJwcUUYQg.exeUGEAQMoI.exeUkEkIQQQ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\JwcUUYQg.exe = "C:\\Users\\Admin\\VyQssggo\\JwcUUYQg.exe"	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UGEAQMoI.exe = "C:\\ProgramData\\HiwwgEgQ\\UGEAQMoI.exe"	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\JwcUUYQg.exe = "C:\\Users\\Admin\\VyQssggo\\JwcUUYQg.exe"	JwcUUYQg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UGEAQMoI.exe = "C:\\ProgramData\\HiwwgEgQ\\UGEAQMoI.exe"	UGEAQMoI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UGEAQMoI.exe = "C:\\ProgramData\\HiwwgEgQ\\UGEAQMoI.exe"	UkEkIQQQ.exe

Drops file in System32 directory 5 IoCs

Processes:

JwcUUYQg.exeUkEkIQQQ.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	JwcUUYQg.exe
File opened for modification	C:\Windows\SysWOW64\sheRestoreShow.xlsb	JwcUUYQg.exe
File opened for modification	C:\Windows\SysWOW64\sheWatchGrant.gif	JwcUUYQg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\VyQssggo	UkEkIQQQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\VyQssggo\JwcUUYQg	UkEkIQQQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

184 reg.exe
2160 reg.exe
1508 reg.exe

pid	process
184	reg.exe
2160	reg.exe
1508	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exeJwcUUYQg.exe

pid	process
488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe
488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe
488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe
488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

JwcUUYQg.exe

pid process

988 JwcUUYQg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

JwcUUYQg.exe

pid	process
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe
988	JwcUUYQg.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.execmd.exe

description	pid	process	target process
PID 488 wrote to memory of 988	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	JwcUUYQg.exe
PID 488 wrote to memory of 988	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	JwcUUYQg.exe
PID 488 wrote to memory of 988	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	JwcUUYQg.exe
PID 488 wrote to memory of 4088	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	UGEAQMoI.exe
PID 488 wrote to memory of 4088	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	UGEAQMoI.exe
PID 488 wrote to memory of 4088	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	UGEAQMoI.exe
PID 488 wrote to memory of 3748	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	cmd.exe
PID 488 wrote to memory of 3748	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	cmd.exe
PID 488 wrote to memory of 3748	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	cmd.exe
PID 488 wrote to memory of 184	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	reg.exe
PID 488 wrote to memory of 184	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	reg.exe
PID 488 wrote to memory of 184	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	reg.exe
PID 488 wrote to memory of 2160	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	reg.exe
PID 488 wrote to memory of 2160	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	reg.exe
PID 488 wrote to memory of 2160	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	reg.exe
PID 488 wrote to memory of 1508	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	reg.exe
PID 488 wrote to memory of 1508	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	reg.exe
PID 488 wrote to memory of 1508	488	d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe	reg.exe
PID 3748 wrote to memory of 3544	3748	cmd.exe	chocolatey.exe
PID 3748 wrote to memory of 3544	3748	cmd.exe	chocolatey.exe

C:\Users\Admin\AppData\Local\Temp\d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe
"C:\Users\Admin\AppData\Local\Temp\d39259e59a10e184c02d9d68f3c1ccbad570ac018ded8d9aa74a60e8f8bdc150.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:488

C:\Users\Admin\VyQssggo\JwcUUYQg.exe
"C:\Users\Admin\VyQssggo\JwcUUYQg.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:988

C:\ProgramData\HiwwgEgQ\UGEAQMoI.exe
"C:\ProgramData\HiwwgEgQ\UGEAQMoI.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\chocolatey.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3748

C:\Users\Admin\AppData\Local\Temp\chocolatey.exe
C:\Users\Admin\AppData\Local\Temp\chocolatey.exe
3⤵
- Executes dropped EXE
PID:3544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:1508

C:\ProgramData\wsIAssok\UkEkIQQQ.exe
C:\ProgramData\wsIAssok\UkEkIQQQ.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

5

T1112

Hidden Files and Directories

1

T1158

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HiwwgEgQ\UGEAQMoI.exe
MD5
d11edbc414363c72924a8f47f6f5b02a

SHA1
d8dc6bd8124513555b035408c5770eedfca7ec7c

SHA256
02fc0d438b0389f74977152b647886f53052bd45bbdbe98b45d292d0a44915d3

SHA512
94368ac0fb049a5ba74b2966aadf5a08dc9693aece98610e92376e32a38220b639e474338ae8fae4008a9b11e047d88b8b1742e2976b38251323cc0f7172c79a

Download Submit
C:\ProgramData\HiwwgEgQ\UGEAQMoI.exe
MD5
d11edbc414363c72924a8f47f6f5b02a

SHA1
d8dc6bd8124513555b035408c5770eedfca7ec7c

SHA256
02fc0d438b0389f74977152b647886f53052bd45bbdbe98b45d292d0a44915d3

SHA512
94368ac0fb049a5ba74b2966aadf5a08dc9693aece98610e92376e32a38220b639e474338ae8fae4008a9b11e047d88b8b1742e2976b38251323cc0f7172c79a

Download Submit
C:\ProgramData\wsIAssok\UkEkIQQQ.exe
MD5
8c7fe89e382f0f65c1568b4148b8af79

SHA1
df3fd481614f6288050076d1d29777183a3367d8

SHA256
da7b4a497d2328defcc8ad70306885a0d3381c5417f37b612a91e5c04994845a

SHA512
b1516bb1da09b96204f8a58f3e5edc5e5e710590798318bc621633825f4982be368870eab55df4506784121247b3759a4882952ead4ee46d5a9f895e5634266d

Download Submit
C:\ProgramData\wsIAssok\UkEkIQQQ.exe
MD5
8c7fe89e382f0f65c1568b4148b8af79

SHA1
df3fd481614f6288050076d1d29777183a3367d8

SHA256
da7b4a497d2328defcc8ad70306885a0d3381c5417f37b612a91e5c04994845a

SHA512
b1516bb1da09b96204f8a58f3e5edc5e5e710590798318bc621633825f4982be368870eab55df4506784121247b3759a4882952ead4ee46d5a9f895e5634266d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey.exe
MD5
d6bc92571edfc2863fff72b240e571a1

SHA1
b4227284cde5d9c00c42a043c1c16766b4c6460c

SHA256
422cfcc02baaff218e47cc6463efc5eaafb33ad4d0a920db3432de1f8963c4f8

SHA512
31cdfef64c809d1c1da3fc5dca2aec2fb03b911f3d2e3d010328606479d414363795d6386cc9426f3d494aeb14fb2b75889cdbbddbbeb8f0d8b09020e8404d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey.exe
MD5
d6bc92571edfc2863fff72b240e571a1

SHA1
b4227284cde5d9c00c42a043c1c16766b4c6460c

SHA256
422cfcc02baaff218e47cc6463efc5eaafb33ad4d0a920db3432de1f8963c4f8

SHA512
31cdfef64c809d1c1da3fc5dca2aec2fb03b911f3d2e3d010328606479d414363795d6386cc9426f3d494aeb14fb2b75889cdbbddbbeb8f0d8b09020e8404d1d

Download Submit
C:\Users\Admin\VyQssggo\JwcUUYQg.exe
MD5
362954d33e723a98c135de1f9a9fff87

SHA1
1179617dc0db69459c4cc1092d2186e2441eac1e

SHA256
66442b4fc5f0d3edfd87f12df3fa4f89b292cf1c19f413f389bb1e5e2aaaf4ef

SHA512
979eef571c2b723b7d904cb0fcb557d1cc12a8c459b32bf0c53fa6efa4180cca2980bc71ae581239a212296390a328a6e0d1f1b3cc58bcc3efbf7f7ef3251b33

Download Submit
C:\Users\Admin\VyQssggo\JwcUUYQg.exe
MD5
362954d33e723a98c135de1f9a9fff87

SHA1
1179617dc0db69459c4cc1092d2186e2441eac1e

SHA256
66442b4fc5f0d3edfd87f12df3fa4f89b292cf1c19f413f389bb1e5e2aaaf4ef

SHA512
979eef571c2b723b7d904cb0fcb557d1cc12a8c459b32bf0c53fa6efa4180cca2980bc71ae581239a212296390a328a6e0d1f1b3cc58bcc3efbf7f7ef3251b33

Download Submit
memory/184-123-0x0000000000000000-mapping.dmp

Download
memory/988-114-0x0000000000000000-mapping.dmp

Download
memory/1508-125-0x0000000000000000-mapping.dmp

Download
memory/2160-124-0x0000000000000000-mapping.dmp

Download
memory/3544-126-0x0000000000000000-mapping.dmp

Download
memory/3544-129-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/3544-131-0x000000001AFB0000-0x000000001AFB2000-memory.dmp

Filesize
8KB

Download
memory/3748-122-0x0000000000000000-mapping.dmp

Download
memory/4088-117-0x0000000000000000-mapping.dmp

Download

pid	process
988	JwcUUYQg.exe
4088	UGEAQMoI.exe
796	UkEkIQQQ.exe
3544	chocolatey.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads