1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da

Analysis

max time kernel
56s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2022, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
Size

1.9MB
MD5

92318a59ed03b2d195a8d08befd0efbb
SHA1

33c974d620ceede52581194ef99f3f57a9cd5d11
SHA256

1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da
SHA512

ea57ebd9484ade992b5b7b1b1a43b84b5af37491b063de0718e3ae6897fa84f500194dc251f117d11a1361f3164eea11becddb394e697400b7eb1ea40c568230
SSDEEP

24576:TAlFsCeXap8KGLTg/6PeXTAg6L+Gzt0DkyYz1/oM5i7eXTXbQ5MTjrp2WHa/1jlE:kICe+cmxj4LlWoB/oeDfF

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\mGMsIAMg\\NisswkII.exe,"	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\mGMsIAMg\\NisswkII.exe,"	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 4 IoCs

pid	Process
4272	mwwQUggg.exe
4220	NisswkII.exe
4856	FGgEMskU.exe
4764	NisswkII.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	mwwQUggg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NisswkII.exe = "C:\\ProgramData\\mGMsIAMg\\NisswkII.exe"	NisswkII.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mwwQUggg.exe = "C:\\Users\\Admin\\kIMYcsQg\\mwwQUggg.exe"	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NisswkII.exe = "C:\\ProgramData\\mGMsIAMg\\NisswkII.exe"	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NisswkII.exe = "C:\\ProgramData\\mGMsIAMg\\NisswkII.exe"	FGgEMskU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mwwQUggg.exe = "C:\\Users\\Admin\\kIMYcsQg\\mwwQUggg.exe"	mwwQUggg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NisswkII.exe = "C:\\ProgramData\\mGMsIAMg\\NisswkII.exe"	NisswkII.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\kIMYcsQg\mwwQUggg	FGgEMskU.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	mwwQUggg.exe
File opened for modification	C:\Windows\SysWOW64\sheConnectWatch.png	mwwQUggg.exe
File opened for modification	C:\Windows\SysWOW64\sheDismountEnter.pdf	mwwQUggg.exe
File opened for modification	C:\Windows\SysWOW64\sheSwitchJoin.mp3	mwwQUggg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\kIMYcsQg	FGgEMskU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 15 IoCs

Modify Registry

T1112

pid	Process
2672	reg.exe
540	reg.exe
2968	reg.exe
3924	reg.exe
4080	reg.exe
4312	reg.exe
692	reg.exe
1804	reg.exe
4064	reg.exe
4056	reg.exe
4276	reg.exe
4492	reg.exe
4980	reg.exe
3684	reg.exe
3388	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
3544	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
3544	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
3544	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
3544	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
1560	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
1560	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
1560	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
1560	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
2600	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
2600	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
2600	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
2600	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4336	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
4336	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4272	mwwQUggg.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	368	vssvc.exe
Token: SeRestorePrivilege	368	vssvc.exe
Token: SeAuditPrivilege	368	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe
4272	mwwQUggg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 4272	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	79
PID 1816 wrote to memory of 4272	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	79
PID 1816 wrote to memory of 4272	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	79
PID 1816 wrote to memory of 4220	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	80
PID 1816 wrote to memory of 4220	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	80
PID 1816 wrote to memory of 4220	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	80
PID 1816 wrote to memory of 5028	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	82
PID 1816 wrote to memory of 5028	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	82
PID 1816 wrote to memory of 5028	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	82
PID 1816 wrote to memory of 4064	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	84
PID 1816 wrote to memory of 4064	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	84
PID 1816 wrote to memory of 4064	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	84
PID 1816 wrote to memory of 4492	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	86
PID 1816 wrote to memory of 4492	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	86
PID 1816 wrote to memory of 4492	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	86
PID 1816 wrote to memory of 4980	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	88
PID 1816 wrote to memory of 4980	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	88
PID 1816 wrote to memory of 4980	1816	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	88
PID 5028 wrote to memory of 3544	5028	cmd.exe	91
PID 5028 wrote to memory of 3544	5028	cmd.exe	91
PID 5028 wrote to memory of 3544	5028	cmd.exe	91
PID 4272 wrote to memory of 4764	4272	mwwQUggg.exe	94
PID 4272 wrote to memory of 4764	4272	mwwQUggg.exe	94
PID 4272 wrote to memory of 4764	4272	mwwQUggg.exe	94
PID 3544 wrote to memory of 8	3544	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	95
PID 3544 wrote to memory of 8	3544	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	95
PID 3544 wrote to memory of 8	3544	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	95
PID 3544 wrote to memory of 4080	3544	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	97
PID 3544 wrote to memory of 4080	3544	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	97
PID 3544 wrote to memory of 4080	3544	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	97
PID 3544 wrote to memory of 4312	3544	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	99
PID 3544 wrote to memory of 4312	3544	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	99
PID 3544 wrote to memory of 4312	3544	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	99
PID 3544 wrote to memory of 2672	3544	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	100
PID 3544 wrote to memory of 2672	3544	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	100
PID 3544 wrote to memory of 2672	3544	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	100
PID 8 wrote to memory of 1560	8	cmd.exe	103
PID 8 wrote to memory of 1560	8	cmd.exe	103
PID 8 wrote to memory of 1560	8	cmd.exe	103
PID 1560 wrote to memory of 4792	1560	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	106
PID 1560 wrote to memory of 4792	1560	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	106
PID 1560 wrote to memory of 4792	1560	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	106
PID 4792 wrote to memory of 2600	4792	cmd.exe	108
PID 4792 wrote to memory of 2600	4792	cmd.exe	108
PID 4792 wrote to memory of 2600	4792	cmd.exe	108
PID 1560 wrote to memory of 3684	1560	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	109
PID 1560 wrote to memory of 3684	1560	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	109
PID 1560 wrote to memory of 3684	1560	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	109
PID 1560 wrote to memory of 692	1560	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	110
PID 1560 wrote to memory of 692	1560	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	110
PID 1560 wrote to memory of 692	1560	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	110
PID 1560 wrote to memory of 540	1560	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	111
PID 1560 wrote to memory of 540	1560	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	111
PID 1560 wrote to memory of 540	1560	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	111
PID 2600 wrote to memory of 3440	2600	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	115
PID 2600 wrote to memory of 3440	2600	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	115
PID 2600 wrote to memory of 3440	2600	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	115
PID 2600 wrote to memory of 2968	2600	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	117
PID 2600 wrote to memory of 2968	2600	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	117
PID 2600 wrote to memory of 2968	2600	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	117
PID 3440 wrote to memory of 4336	3440	cmd.exe	118
PID 3440 wrote to memory of 4336	3440	cmd.exe	118
PID 3440 wrote to memory of 4336	3440	cmd.exe	118
PID 2600 wrote to memory of 3924	2600	1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe	119

C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
"C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\kIMYcsQg\mwwQUggg.exe
  "C:\Users\Admin\kIMYcsQg\mwwQUggg.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\ProgramData\mGMsIAMg\NisswkII.exe
    "C:\ProgramData\mGMsIAMg\NisswkII.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4764
- C:\ProgramData\mGMsIAMg\NisswkII.exe
  "C:\ProgramData\mGMsIAMg\NisswkII.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
    C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
        
        C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
        
        C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da.exe
        
        C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:3388
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3684
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:692
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:540
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4080
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4312
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2672
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:4064
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4492
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4980

C:\ProgramData\uCMoMcAM\FGgEMskU.exe
C:\ProgramData\uCMoMcAM\FGgEMskU.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mGMsIAMg\NisswkII.exe

Filesize
1.9MB

MD5
f85d1174b7e51c8f89db456e488f8488

SHA1
af1ef50297e951f1006a18d37ac09b875a016266

SHA256
fcb013c6cb1ba8a1e75b82089e5961df1cae5539c1b8592af069b1d7bb2a0df3

SHA512
3f9a45e6cd77da8e17f940e18a8a9a49daa75488bcc3b3393559d0b4ef82d2118abdc33d6890cacf2337ea5b42450a68e05110c2bc90b09c3f86ab853adbbe50

Download Submit
C:\ProgramData\mGMsIAMg\NisswkII.exe

Filesize
1.9MB

MD5
f85d1174b7e51c8f89db456e488f8488

SHA1
af1ef50297e951f1006a18d37ac09b875a016266

SHA256
fcb013c6cb1ba8a1e75b82089e5961df1cae5539c1b8592af069b1d7bb2a0df3

SHA512
3f9a45e6cd77da8e17f940e18a8a9a49daa75488bcc3b3393559d0b4ef82d2118abdc33d6890cacf2337ea5b42450a68e05110c2bc90b09c3f86ab853adbbe50

Download Submit
C:\ProgramData\mGMsIAMg\NisswkII.exe

Filesize
1.9MB

MD5
f85d1174b7e51c8f89db456e488f8488

SHA1
af1ef50297e951f1006a18d37ac09b875a016266

SHA256
fcb013c6cb1ba8a1e75b82089e5961df1cae5539c1b8592af069b1d7bb2a0df3

SHA512
3f9a45e6cd77da8e17f940e18a8a9a49daa75488bcc3b3393559d0b4ef82d2118abdc33d6890cacf2337ea5b42450a68e05110c2bc90b09c3f86ab853adbbe50

Download Submit
C:\ProgramData\uCMoMcAM\FGgEMskU.exe

Filesize
1.9MB

MD5
9f373a389be0191c60dcef30f39dcf4b

SHA1
150fac58ebf6696916d80264b3e7759114fda633

SHA256
adab7fbec0e8114b7e4f4c6d09704d139e2539a79b05b75fd8f14bc30cc68b55

SHA512
dfe2cfc364624561693520ff322595efb39f77614e99be797a53c08811b1b6a4b13620dc6299aa114dab3ce2bfdfd2035965e4d0437fd7b9cba2a643612f7af1

Download Submit
C:\ProgramData\uCMoMcAM\FGgEMskU.exe

Filesize
1.9MB

MD5
9f373a389be0191c60dcef30f39dcf4b

SHA1
150fac58ebf6696916d80264b3e7759114fda633

SHA256
adab7fbec0e8114b7e4f4c6d09704d139e2539a79b05b75fd8f14bc30cc68b55

SHA512
dfe2cfc364624561693520ff322595efb39f77614e99be797a53c08811b1b6a4b13620dc6299aa114dab3ce2bfdfd2035965e4d0437fd7b9cba2a643612f7af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\kIMYcsQg\mwwQUggg.exe

Filesize
1.9MB

MD5
ebbeeecb306168c056dff1cd118daeac

SHA1
bad07629e1d793b1a44971eba8b570f22e697425

SHA256
722a7d45e6eb6d44d637245f3ab7b6d68b93836d14ee7ceec78fb1e3ee8b202e

SHA512
b97ee489515f6f899453ab206b5c5d39dfb52580afa03c18d3d89399572d0389a3c3beab623531b173f92e7b17380b70bdeb5b12b65abd680e5ce015ad0d2188

Download Submit
C:\Users\Admin\kIMYcsQg\mwwQUggg.exe

Filesize
1.9MB

MD5
ebbeeecb306168c056dff1cd118daeac

SHA1
bad07629e1d793b1a44971eba8b570f22e697425

SHA256
722a7d45e6eb6d44d637245f3ab7b6d68b93836d14ee7ceec78fb1e3ee8b202e

SHA512
b97ee489515f6f899453ab206b5c5d39dfb52580afa03c18d3d89399572d0389a3c3beab623531b173f92e7b17380b70bdeb5b12b65abd680e5ce015ad0d2188

Download Submit
memory/1560-193-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1560-177-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1560-171-0x0000000000740000-0x0000000000795000-memory.dmp

Filesize
340KB

Download
memory/1816-157-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1816-133-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1816-132-0x0000000002320000-0x0000000002375000-memory.dmp

Filesize
340KB

Download
memory/1816-145-0x0000000002320000-0x0000000002375000-memory.dmp

Filesize
340KB

Download
memory/2600-183-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/2600-199-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/3544-162-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/3544-181-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/3544-152-0x0000000002240000-0x0000000002295000-memory.dmp

Filesize
340KB

Download
memory/4220-161-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/4220-141-0x0000000002180000-0x000000000222D000-memory.dmp

Filesize
692KB

Download
memory/4220-180-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/4220-159-0x0000000002180000-0x000000000222D000-memory.dmp

Filesize
692KB

Download
memory/4272-191-0x0000000006090000-0x0000000006095000-memory.dmp

Filesize
20KB

Download
memory/4272-169-0x0000000000400000-0x00000000005F2000-memory.dmp

Filesize
1.9MB

Download
memory/4272-200-0x000000000A6E0000-0x000000000A706000-memory.dmp

Filesize
152KB

Download
memory/4272-158-0x00000000021C0000-0x00000000022C8000-memory.dmp

Filesize
1.0MB

Download
memory/4272-140-0x00000000021C0000-0x00000000022C8000-memory.dmp

Filesize
1.0MB

Download
memory/4272-153-0x0000000000400000-0x00000000005F2000-memory.dmp

Filesize
1.9MB

Download
memory/4272-192-0x000000000A6E0000-0x000000000A706000-memory.dmp

Filesize
152KB

Download
memory/4336-194-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/4336-190-0x00000000020D0000-0x0000000002125000-memory.dmp

Filesize
340KB

Download
memory/4336-198-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/4764-156-0x0000000002110000-0x00000000021BD000-memory.dmp

Filesize
692KB

Download
memory/4764-172-0x0000000002110000-0x00000000021BD000-memory.dmp

Filesize
692KB

Download
memory/4764-170-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/4764-182-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/4856-144-0x0000000000D90000-0x0000000000DD7000-memory.dmp

Filesize
284KB

Download
memory/4856-160-0x0000000000D90000-0x0000000000DD7000-memory.dmp

Filesize
284KB

Download
memory/4856-150-0x0000000000400000-0x00000000005EC000-memory.dmp

Filesize
1.9MB

Download