44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e

General

Target

44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe
Size

1.3MB
MD5

6f01323ee67517514dd4896c1ca994d0
SHA1

a35465e77ba37f80eac763cbde264ad45b049aa9
SHA256

44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e
SHA512

bb2c552ae49a31087f96d62a3b0de87c3eee367eb6a8aab815c5f7efeebe0c2add5c7be732d95b9d3744cf0ccd4c0f5eee87a3d25a783b5434f6ea5eb32816b1
SSDEEP

24576:nsNECLHleGdLFEWRlfDZNxZxtJqnTstg6JhzoMfPXaN0ewFxVjE0kAxquOEEKgAe:nsJleGdLFHjbvxZLwnTst90xgpKU97he

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\HGocoEgg\\dgEAkwgU.exe,"	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\HGocoEgg\\dgEAkwgU.exe,"	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe

Executes dropped EXE 4 IoCs

pid	Process
1924	NKMUoQYk.exe
396	dgEAkwgU.exe
2008	yWAscAkQ.exe
1492	yWAscAkQ.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NKMUoQYk.exe = "C:\\Users\\Admin\\iAIgYMcg\\NKMUoQYk.exe"	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dgEAkwgU.exe = "C:\\ProgramData\\HGocoEgg\\dgEAkwgU.exe"	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
4656	reg.exe
2200	reg.exe
748	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2912	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe
2912	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe
2912	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe
2912	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1924	NKMUoQYk.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 4524	2912	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe	92
PID 2912 wrote to memory of 4524	2912	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe	92
PID 2912 wrote to memory of 4524	2912	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe	92
PID 2912 wrote to memory of 1924	2912	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe	100
PID 2912 wrote to memory of 1924	2912	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe	100
PID 2912 wrote to memory of 1924	2912	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe	100
PID 2912 wrote to memory of 396	2912	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe	101
PID 2912 wrote to memory of 396	2912	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe	101
PID 2912 wrote to memory of 396	2912	44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe	101
PID 2008 wrote to memory of 1492	2008	yWAscAkQ.exe	104
PID 2008 wrote to memory of 1492	2008	yWAscAkQ.exe	104
PID 2008 wrote to memory of 1492	2008	yWAscAkQ.exe	104

C:\Users\Admin\AppData\Local\Temp\44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe
"C:\Users\Admin\AppData\Local\Temp\44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe
  DZXW
  2⤵
  PID:4524
- C:\Users\Admin\iAIgYMcg\NKMUoQYk.exe
  "C:\Users\Admin\iAIgYMcg\NKMUoQYk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1924
- C:\ProgramData\HGocoEgg\dgEAkwgU.exe
  "C:\ProgramData\HGocoEgg\dgEAkwgU.exe"
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4656
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e"
  2⤵
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e.exe
    C:\Users\Admin\AppData\Local\Temp\44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869e
    3⤵
    PID:4832
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:748

C:\ProgramData\VGgEoogw\yWAscAkQ.exe
C:\ProgramData\VGgEoogw\yWAscAkQ.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008
- C:\ProgramData\VGgEoogw\yWAscAkQ.exe
  LQIE
  2⤵
  - Executes dropped EXE
  PID:1492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HGocoEgg\dgEAkwgU.exe

Filesize
1.3MB

MD5
4fe12962f8b40ef852898b9c6a90fafc

SHA1
b00329a270a8a5a20d788acaff1b7f438b4ce3ac

SHA256
e64d1fad521db315face7c731cd3b771971e1b42351ca6e6de12df14e958970c

SHA512
a8fd025441f0c95362b9b4957464c0e2e2336d2835de52f7d87d057505c4aed0bc10402ae8cb88e7424aa4b0e1a5e8b2897c11cb8116ead6fcddcf5edd0962d1

Download Submit
C:\ProgramData\HGocoEgg\dgEAkwgU.exe

Filesize
1.3MB

MD5
4fe12962f8b40ef852898b9c6a90fafc

SHA1
b00329a270a8a5a20d788acaff1b7f438b4ce3ac

SHA256
e64d1fad521db315face7c731cd3b771971e1b42351ca6e6de12df14e958970c

SHA512
a8fd025441f0c95362b9b4957464c0e2e2336d2835de52f7d87d057505c4aed0bc10402ae8cb88e7424aa4b0e1a5e8b2897c11cb8116ead6fcddcf5edd0962d1

Download Submit
C:\ProgramData\VGgEoogw\yWAscAkQ.exe

Filesize
1.4MB

MD5
82b3da7a6162779e3a2d5f38733cef94

SHA1
16ed78e9c2114bce9ab95f9c953918967bf18af7

SHA256
115eb0ae941485e98d72257d6bfe7cdce162ca0ee601e19ff50b5a9c761e8428

SHA512
32369c699b00dc7637ceb1ec44841e619d98289cf88b1c4d73ba2d696670a5bc9050bdfb88d3a5ba32c296bbc2c9bfb95508848824e59d26f212e3ddb777f23a

Download Submit
C:\ProgramData\VGgEoogw\yWAscAkQ.exe

Filesize
1.4MB

MD5
82b3da7a6162779e3a2d5f38733cef94

SHA1
16ed78e9c2114bce9ab95f9c953918967bf18af7

SHA256
115eb0ae941485e98d72257d6bfe7cdce162ca0ee601e19ff50b5a9c761e8428

SHA512
32369c699b00dc7637ceb1ec44841e619d98289cf88b1c4d73ba2d696670a5bc9050bdfb88d3a5ba32c296bbc2c9bfb95508848824e59d26f212e3ddb777f23a

Download Submit
C:\ProgramData\VGgEoogw\yWAscAkQ.exe

Filesize
1.4MB

MD5
82b3da7a6162779e3a2d5f38733cef94

SHA1
16ed78e9c2114bce9ab95f9c953918967bf18af7

SHA256
115eb0ae941485e98d72257d6bfe7cdce162ca0ee601e19ff50b5a9c761e8428

SHA512
32369c699b00dc7637ceb1ec44841e619d98289cf88b1c4d73ba2d696670a5bc9050bdfb88d3a5ba32c296bbc2c9bfb95508848824e59d26f212e3ddb777f23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\44ae0904140406c27f19f8f08f67a5b5ee71732cbc47be27254f220626f3869eDZXW

Filesize
4B

MD5
e7cf194ccf27c4dd6f0dacb945ed81e1

SHA1
7a25bd886dd933f26418118337aa5633f4bf3502

SHA256
bba6e1fb63c6a07003f44a453ec427e7ea5b799c20ae8589bcfcc30d0181503a

SHA512
4a2f029c9d54261ebdf678d9be26b1d204b6f6cb53b73b4c3acf74864147ca5ffe71f20177aa8ff87a9762d63799b70667942085076431616381b275ef354652

Download Submit
C:\Users\Admin\iAIgYMcg\NKMUoQYk.exe

Filesize
1.3MB

MD5
cc388e2e6d7e28b9104bd8a6d67ade8a

SHA1
c184cda5008f02a85bbbd4afbaa33c7c61d2bde9

SHA256
6ce70b68d76de14b68acd8e191254578191ae9a430f1f0737019f2162a95c934

SHA512
acce2543d3d4349cdf9dde88b1221b4909f1885d1d50e9aa48346ee65ee0935662648c699fb7574be304b053cac2450fcd76c7a015611dd1e2ae0c8de21a5b0b

Download Submit
C:\Users\Admin\iAIgYMcg\NKMUoQYk.exe

Filesize
1.3MB

MD5
cc388e2e6d7e28b9104bd8a6d67ade8a

SHA1
c184cda5008f02a85bbbd4afbaa33c7c61d2bde9

SHA256
6ce70b68d76de14b68acd8e191254578191ae9a430f1f0737019f2162a95c934

SHA512
acce2543d3d4349cdf9dde88b1221b4909f1885d1d50e9aa48346ee65ee0935662648c699fb7574be304b053cac2450fcd76c7a015611dd1e2ae0c8de21a5b0b

Download Submit
memory/396-156-0x0000000000590000-0x000000000059F000-memory.dmp

Filesize
60KB

Download
memory/396-152-0x0000000000590000-0x000000000059F000-memory.dmp

Filesize
60KB

Download
memory/1492-167-0x0000000000CE0000-0x0000000000CF3000-memory.dmp

Filesize
76KB

Download
memory/1924-151-0x0000000000670000-0x000000000068E000-memory.dmp

Filesize
120KB

Download
memory/1924-155-0x0000000000670000-0x000000000068E000-memory.dmp

Filesize
120KB

Download
memory/2008-157-0x0000000000660000-0x0000000000673000-memory.dmp

Filesize
76KB

Download
memory/2008-153-0x0000000000660000-0x0000000000673000-memory.dmp

Filesize
76KB

Download
memory/2008-161-0x0000000000660000-0x0000000000673000-memory.dmp

Filesize
76KB

Download
memory/2912-154-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2912-135-0x00000000007F0000-0x0000000000802000-memory.dmp

Filesize
72KB

Download
memory/2912-142-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2912-136-0x00000000007F0000-0x0000000000802000-memory.dmp

Filesize
72KB

Download
memory/4524-140-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/4524-139-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/4524-138-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/4832-166-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads