5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e

Analysis

max time kernel
31s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Size

1.0MB
MD5

a63d517c0e122e367e484cf75edbf34f
SHA1

f8538f5d687c5e36f05da55ea56c2ab8fb355b63
SHA256

5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e
SHA512

c7a40453d2053be2b043e0e3359e13f3cbfd6bb357e72d853af040add9f1aaf33f6e7158b82fe8bd926cc94f1736a2be67ba48adae79b12ddc5972f9d634df69
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat

description pid process target process

PID 4772 created 664 4772 5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat lsass.exe

description	pid	process	target process
PID 4772 created 664	4772	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\DU8E7NnH6tiTP3Iz6yHZTrlfsIVptDZxxtbRg6eNa6KVh3m5WNo5gQJs8wLJZcaYSGxoFM.exe\" O"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\AC\\TokenBroker\\Cache\\zIoE5277bmK9pmPm2dd6TD6xrv84nx7STLmYjNe2WQ0Zb0BuoPnuON66B9w7Xo.exe\" O"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\fi-FI\\DLzPgMzKfCCTd.exe\" O"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Diagnosis\\Temp\\DiagTrackTraceSlot_diag\\JpuqluhPgZIHn7O8OMg.exe\" O"	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe

Executes dropped EXE 2 IoCs

Processes:

5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat

pid process

4772 5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
5088 5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat

pid	process
4772	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
5088	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exeLogonUI.exe5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.batgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\nJPhWqWRSaTvNHl.exe\" O"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Proof\\gLKwfbSkP8GRMLgz4U1FSc4op6AZApTzGK.exe\" O 2>NUL"	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Key created	\REGISTRY\USER\S-1-5-20	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\\AC\\INetCache\\21XoQx126ngwH1R4IPrWFLOYVR.exe\" O"	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Win32WebViewHost_cw5n1h2txyewy\\LocalCache\\lF8eTVz4EWanQQFeO4bKYcD.exe\" O 2>NUL"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\Cache\\7JnIgWxyzXUuDfyaWYJHH9Qe2mF50YSwxyXjKQfdxQxFv10jGXKyczvBxNCnjXmwsBO.exe\" O 2>NUL"	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\ClipSVC\\Import\\usiNGq3jOeamXeLbLHnVklArekAIsYRMXb2hukHrQTNizTrhmSpUp6l5KnL.exe\" O 2>NUL"	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\314559\\wbwakupLxEVcOX5TWO7EGd8KFXkbVGKNZDfLPo5pBWxv9OW9BoPhR.exe\" O"	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\\52digpPBWkMauy3kIIVWIqWeRflS2oP3NcsCojeqG.exe\" O 2>NUL"	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\Favorites\\NFKwuoWSOL3D8VUZ0J7iyZ5X1VVzKqMAjkf0Wa4naTrB.exe\" O"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000098a56f5edf00d901	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows Sidebar\\SiwghYMoQhcAt9KdGbJzr8sQM7ao6lJPh83L1xBaoZViZm0vISLr.exe\" O 2>NUL"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\mQTVUnslHR22wXs7toCyYW7Kx34VdZz7G13IXoaiV1ONYt4NFGBSGVxbYLykefDS.exe\" O 2>NUL"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Ys3UjeuV2O4m.exe\" O 2>NUL"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\.DEFAULT	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\AU\\UbBySdKtEQojyweN.exe\" O"	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\IRMProtectors\\mpaksInZQUQ5poVICnsdT5tLBy9qW20LzKArz9k3rZcUCwUEyXFLEKBa0tRrkKZwSbV.exe\" O 2>NUL"	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\lnAKGn6oCLdSuqN0.exe\" O"	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Pictures\\UPf6GB1SDJQmiqp2Pxyj3nOy6cZaONcIpXA2slVWAplBTUy5S1E4btBpD8z4hcog.exe\" O"	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\rqbUB7v8Sdl534yjrsfK5usi5CQUps2zsMAdQyHehBMjuzVYYL2Sz7cgJc0As5Ig9ToiwqD.exe\" O"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\zu-ZA\\oQBS7s28Ak2Ft3IRZP8gvzVmw745fFszzScEW21rvuf2wYUfKQJvA7MVi0bT2j0VmkQp.exe\" O"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe

Modifies registry class 10 IoCs

Processes:

5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\adm\\nl\\oJ4ra4ePZr70Cpj.exe\" O"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Command Processor	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\ZALL3aUukqFGjjA8EQM4NoIopifwuitfbKlzSjQVbi0FN0RHr.exe\" O 2>NUL"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat

pid process

5088 5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
5088 5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat

pid	process
5088	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
5088	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat

description	pid	process
Token: SeBackupPrivilege	3404	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Token: SeRestorePrivilege	3404	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Token: SeShutdownPrivilege	3404	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Token: SeDebugPrivilege	4772	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Token: SeRestorePrivilege	4772	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Token: SeDebugPrivilege	5088	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Token: SeRestorePrivilege	5088	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

5072 LogonUI.exe

pid	process
5072	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exe5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat

description	pid	process	target process
PID 1032 wrote to memory of 4772	1032	gpscript.exe	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
PID 1032 wrote to memory of 4772	1032	gpscript.exe	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
PID 4772 wrote to memory of 5088	4772	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
PID 4772 wrote to memory of 5088	4772	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat	5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
"C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Users\Admin\AppData\Local\Temp\5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
"C:\Users\Admin\AppData\Local\Temp\5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f7055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5072

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1032

C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
"C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Filesize
1.6MB

MD5
045502279bceb89d593ce8ef5f2d0e21

SHA1
316b3cb3dc84c384c35844338f8f7c9a417a89fb

SHA256
04c6751614b85c06086d84beb512971593e919f72793eb0b3d152c30fd492ef0

SHA512
8cc487c8d6134a59d0a729471d3aa6540f81485707a8f3d6365c4882f90a48d9b8e9dfe43eff19cefca1c913868d5870cd7f68d13e2aa13d6834179b6911fe5c

Download Submit
C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Filesize
1.6MB

MD5
045502279bceb89d593ce8ef5f2d0e21

SHA1
316b3cb3dc84c384c35844338f8f7c9a417a89fb

SHA256
04c6751614b85c06086d84beb512971593e919f72793eb0b3d152c30fd492ef0

SHA512
8cc487c8d6134a59d0a729471d3aa6540f81485707a8f3d6365c4882f90a48d9b8e9dfe43eff19cefca1c913868d5870cd7f68d13e2aa13d6834179b6911fe5c

Download Submit
C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\5WaqY2RPWXvDMIXdahhMvmFOjfOrSR9yrj3sAMcr.bat
Filesize
1.6MB

MD5
045502279bceb89d593ce8ef5f2d0e21

SHA1
316b3cb3dc84c384c35844338f8f7c9a417a89fb

SHA256
04c6751614b85c06086d84beb512971593e919f72793eb0b3d152c30fd492ef0

SHA512
8cc487c8d6134a59d0a729471d3aa6540f81485707a8f3d6365c4882f90a48d9b8e9dfe43eff19cefca1c913868d5870cd7f68d13e2aa13d6834179b6911fe5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Safe Browsing\9or7kSNjHepEI0Y5dsErc8rMD9ijZZD9BJDfbM8aSYF10fXTBx8WkvLmKnGUA.exe
Filesize
1.2MB

MD5
7b8166f57f5622632f63768ca60175c6

SHA1
638459d391777bf1cd1fe74862137cee045c487e

SHA256
0e383c94765d649f8f7351a822af8ec32d300c73227818125912c77605499851

SHA512
9d7bc89472f831857e8e1759cf1da81b7d7dfc9412ad9461f81bc7e8714f147acdee74a5c21a32ade1fb3eef8d50e8b7c4cab30d6e5b56e71cc54a110e3d1612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\rqbUB7v8Sdl534yjrsfK5usi5CQUps2zsMAdQyHehBMjuzVYYL2Sz7cgJc0As5Ig9ToiwqD.exe
Filesize
1.4MB

MD5
5d34d439db6852a93b0becd5a54b9dd7

SHA1
7112003098d007f74ddb57b899faf3182c7c82ea

SHA256
c5a1275789806588661c99760ab8c77c831a5c683299ccca5cba44ada847185e

SHA512
62e48cb405f5dcc58cdbfea1b128027205bb37338151d8e20046737358de1516ed92743999961523cce3ac5c6c6553d8bd0942015c46b2a3940e97e0244c2ae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fr\Xm9upY3U18sRvmJ3SrwJ1UjABA2byODTtvUSsz1V4wHG8Hw9cJ.cmd
Filesize
2.2MB

MD5
f00e53874db7f60bee6343c472fe51fe

SHA1
0e7fc99f37ebc11cd0daddcf8263ec31dec11604

SHA256
b8608ff87a3637fdfd6ae1ea382a0fac92fb587eb1810304a495f6d9375742b3

SHA512
cb4e90fe959e415cde5ba60628c46a5e32885b03dfdd1ac92ce5c38dd090944f17d70c923842b07f392d098479b552586e844488da1160209a6fd09839cefeae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\zu-ZA\oQBS7s28Ak2Ft3IRZP8gvzVmw745fFszzScEW21rvuf2wYUfKQJvA7MVi0bT2j0VmkQp.exe
Filesize
1.1MB

MD5
abf4a1e3fa82a3a07a5c9f16eb55d868

SHA1
422ae3829c0c2a83721d3d029a7e73bb96bd9533

SHA256
48feea4012fddc3ba5ce479b3f7e33c1d9fc86dd43876ef64f7ce06126d15344

SHA512
10962106e187fb87e42b3f41267fad2b1ed611ffbc916cc178c3ddff478dd91e9515a8f7de5670a171bcdcf4bdddbde8f957aba1e54566f4cc8a0faf3be1c588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\en-ZW\WhuLUr0on8dcUsUOH.exe
Filesize
2.2MB

MD5
40fbdd67647ff96ffafee6aade12fb03

SHA1
dc58bb796b9814ef8bce5331825da760dd165ae0

SHA256
2c6a4a693e628713e6ff719f5c90bc0f4c510d529a439102dc6c90a19f47f8cb

SHA512
0153a5cc1acb13c5c9ad7761f8a82c3ada15050f5fe944c93f8f3db8107703cd23a1888c9967154f15778bc5eb1d640c800a9f02400ca35e901063d01ff8ee57

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\AC\Ys3UjeuV2O4m.exe
Filesize
1.2MB

MD5
6070eafdd9664b660749ad4805dacea6

SHA1
ff4a5276ae1780c3ea1dfa03edcf4ce2a29dc12b

SHA256
73720479be1a52a44408779d3dd50c44c751592d38c1f1e4ec89d53d29d459b6

SHA512
3b52a759c2623e872be3ef520f9766141ad2d1244abc7ba85064f366ca3816f3d936022d4a1e6567bd26b6e8a2ce0a9bf08c3d35449dd0065d0fcb13bb3e9cdc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\LocalCache\lF8eTVz4EWanQQFeO4bKYcD.exe
Filesize
1.9MB

MD5
82f501f73b7c3f10c1303bdce1f6ad5d

SHA1
c20c8d485086ac233a30493d844028985d71f0a3

SHA256
7e3a459db5bbdee8d37862e0a4c3565de9e7a5bb618063a96ade5b30fcc0c777

SHA512
d845e3197e0c5d087ad2cc108a14a0b96ae952c19b9015dbdc0d451c10930fa8b722ce161fac6686607998f4038c58efbd46809f0ce17fec7da47852d65dba29

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\zIoE5277bmK9pmPm2dd6TD6xrv84nx7STLmYjNe2WQ0Zb0BuoPnuON66B9w7Xo.exe
Filesize
1.4MB

MD5
4db11ef2a84bdf79f28923ea801f59ec

SHA1
54848953f9d0fd893b597b0d5e114d2811dfc057

SHA256
292757a1195fa8383db28cf1bf2851168ebaceb388fccb62f893bf76096a1b6a

SHA512
ba205070f3f64df5f46f0ad7ba145297cd210b8758955369bee6d8a25eb0019679493f59a25b31dbf275b7628759aebab816617eec06c0aa9e66d8f759e0a224

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\mQTVUnslHR22wXs7toCyYW7Kx34VdZz7G13IXoaiV1ONYt4NFGBSGVxbYLykefDS.exe
Filesize
1.4MB

MD5
79bd9f46998028181e6cbe35981c3726

SHA1
d9ea190ef9e13f9702db76f11f82b64a413799dd

SHA256
e22b6369212369d6eeaacd508130e5b880155cd870887e0e109c92c3e90a7485

SHA512
db83048f16e471ac439dd58619dd2cb93d7e375555754faa1e001a771b2b09103eb3432474546b57ccea9d538278158aaea13b382c28a93231667f564045d75d

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\nJPhWqWRSaTvNHl.exe
Filesize
1.3MB

MD5
87b077a0749580084bf06621a4664389

SHA1
537556d55886f1858805ca699f72f347e221f232

SHA256
aa6c0dcd331b1a53dfc5cd3c9b821f6311f44b122260731cc140523103e4628c

SHA512
3d9ee4f754d8e9dda6bdbb8bed2aaf4aea156da0c5c77278442d5f3397bf3cfe085507e17f429f0d6d5b89ceaf62dee93bfd0a9804035b63ffbf8aeb4cfe452a

Download Submit
memory/3404-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3404-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4772-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4772-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4772-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4772-134-0x0000000000000000-mapping.dmp

Download
memory/5088-147-0x0000000000000000-mapping.dmp

Download
memory/5088-152-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads