99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d

General

Target

99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Size

560KB
MD5

9c040fff2ebbd6e4125be6df9df0423a
SHA1

e08f6aa7c92ba39784de7822cfdb15987a47853a
SHA256

99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d
SHA512

139cb384da5cd4500fb243429ecfd59f9bb7d4ba085ce6dc104774a0a7fe519c0d6b167ef109947a0b5963c61ef505ac1c136e8a736b77a2eb4ac8e4e86586f0
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\8MPw0H4DccGH1rRWLHXu.exe\" O"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.3_0\\_locales\\ja\\JB82cp9MrFkXdopjGvn65g83XCHZMkOR5EXScAbvKTWEcAKIUCzWvio4opA.exe\" O"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\sr-Latn-RS\\ClV6SO7KQRGyWxdt87rNmSDMl3IxTn4un64XUgmO3pxMEJwFNFHU9ZZ6b18Qh1WQhyN1Zt.exe\" O"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Modifies data under HKEY_USERS 51 IoCs

Processes:

99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exeLogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Adobe\\AcroCef\\DC\\DSLKSdk7CUHiFADlmnBhyKLxZYIptgdZBXiTBq56U4fLifTKDs5bKKRoxc.exe\" O"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\sr-Latn-BA\\00TophrBJsnCbPoYYEY9hjwArGn9pYqsu16HbAdaok9FuujlgZssnL.exe\" O 2>NUL"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.10_0\\_locales\\et\\hXKLqLJ0.exe\" O"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\B214D8B3-D494-4CED-AFE3-3EE6CE0F68C8\\x-none.16\\w6JA44hhorurPWbNoYTKdOHm3jYmrlLlFRjOUashCBym3vYdiiFxvcZ7x8r.exe\" O 2>NUL"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-19	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\aRtn36djQAo9lRK2JiZmwarNbp94EWW.exe\" O 2>NUL"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\j5sKMlm54zxKsWmWzeDNdyAirGDMdcusMLD1V7VhpvLGNCP8ziL3JHojLRSFEe.exe\" O 2>NUL"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\\AC\\INetCache\\PcItrZ75dNnMSoY0Ku5cpkFKfQNJ.exe\" O"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "147"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.6_0\\Fj7cQhdgiNbLeFmqo22mGsFkFrROdCk.exe\" O"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 10 IoCs

Processes:

99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Command Processor	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\n2hMrjl2p6ndMzt1vVFCWzd91HnMd1dYY.exe\" O 2>NUL"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\AC\\INetCookies\\wEtEGXl25mQZhh6lNE.exe\" O"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe

description	pid	process
Token: SeBackupPrivilege	4456	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Token: SeRestorePrivilege	4456	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Token: SeShutdownPrivilege	4456	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4128 LogonUI.exe

pid	process
4128	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
"C:\Users\Admin\AppData\Local\Temp\99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3990855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4456-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4456-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4456-134-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads