b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4

Analysis

max time kernel
39s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Size

318KB
MD5

c38674135a648df803c2253f03dbc454
SHA1

804fe6541d91f493498b9a464faa58d60011b434
SHA256

b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4
SHA512

e44db875a786d239454f099500645fdd1cac22f6ed3333594148843b4d84f7cc87bba5c82b6ab10dd29e9fb513f0c5bcbfe322528358ec0b76e88b53a1a0f265
SSDEEP

3072:dSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbMtJyVdyw:ssqhJMxzJiU5SeLmNSbMtJU5

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

description pid process target process

PID 3652 created 660 3652 rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe lsass.exe

description	pid	process	target process
PID 3652 created 660	3652	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exerpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\Documents\\GHcKNHqa0w9wyy20.exe\" O"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ycivfgho.default-release\\datareporting\\archived\\xl3cAcl3dZOtYcxypUeB6gDZR0FGplBMqLo9qtnw1O4Fum.exe\" O"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\97oK47Gz371HePu3bXrMpvyG7.exe\" O"	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\yt7yYKpAZ1WRPjWNCaTEYXNX44UgpGLcnp2sG6RaXnMAIx1pb66ibFFzmcMM.exe\" O"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe

Executes dropped EXE 2 IoCs

Processes:

rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exerpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

pid process

3652 rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
1180 rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

pid	process
3652	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
1180	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exerpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

Drops startup file 1 IoCs

Processes:

rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\LTqVYWKoLLeJSFIlhBZ.exe	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exeLogonUI.exegpscript.exerpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d7d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Storage Health\\vwHDLI6ztoTJ3Zyc678R4ZwFx.exe\" O"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Config\\rXSyKdH5DQZLgG02y3ZELJaX40.exe\" O 2>NUL"	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp\\LjreJwTu0DFhGQrzjQN1psHGvnYsQTsB.exe\" O"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\ha-Latn-NG\\fileukaas2Bcm.exe\" O"	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Crypto\\RSA\\xrUR4uClCvugtmHVQp2QLSkieob58SsMIoz0KnbKGCdgh.exe\" O"	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{289AF617-1CC3-42A6-926C-E6A863F0E3BA} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000089701788df00d901	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Public\\Desktop\\liLka1yMqzlDNe7tV5sCYLtX6knSNT.exe\" O 2>NUL"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\ewIqN0QgGt3L4umNIF7vDKUDICJJ8Q43Nwobj6xUIBPbJM.exe\" O 2>NUL"	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Key created	\REGISTRY\USER\.DEFAULT	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\\TempState\\BWhleDRHVxS4gz9a5Bk3o4QxuSeDgYSG9oBtaMkPhRh4.exe\" O 2>NUL"	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\\SystemAppData\\0qr062O5LbrHsIbemIVMOB.exe\" O 2>NUL"	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AppData\\rPhSW1Prn6qQI0QdbC1DBvnycMI3eQDWqU6f5MucP154c0jOumpVO4iz.exe\" O"	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ycivfgho.default-release\\storage\\permanent\\chrome\\idb\\2823318777ntouromlalnodry--naod.files\\3dSxx2ATaCQPvaAf7zjN0JNU7urtUYn6ofAq0RBml9FY3143.exe\" O 2>NUL"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-20	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\53\\PUWExT4VkGPBVIowqGd1W8w1TQ01pbX7l10.exe\" O"	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\TokenBroker\\Cache\\0vFfldG7oEtRPd1S9XyOqb8Wsm.exe\" O"	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-19	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState\\3kRxLQDQifxLT1WRT1xP523wHmfJQmtIh5pCqovJtSpX.exe\" O 2>NUL"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000ae994881df00d901	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\32\\7poexQY10N.exe\" O"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\et-EE\\XvbvEWcctXfRrKLEjkCtg7SQeY5xt3ptctGnqNb0y70.exe\" O 2>NUL"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe

Modifies registry class 10 IoCs

Processes:

b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\AC\\Temp\\bWcAHRvN.exe\" O"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\lh44jWteUR5LBYllPoWnK684LwVmx57KyIl0.exe\" O 2>NUL"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Command Processor	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

pid process

1180 rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
1180 rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

pid	process
1180	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
1180	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exerpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exerpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

description	pid	process
Token: SeBackupPrivilege	5060	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Token: SeRestorePrivilege	5060	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Token: SeShutdownPrivilege	5060	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Token: SeDebugPrivilege	3652	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Token: SeRestorePrivilege	3652	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Token: SeDebugPrivilege	1180	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Token: SeRestorePrivilege	1180	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

3124 LogonUI.exe

pid	process
3124	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exerpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

description	pid	process	target process
PID 4316 wrote to memory of 3652	4316	gpscript.exe	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
PID 4316 wrote to memory of 3652	4316	gpscript.exe	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
PID 3652 wrote to memory of 1180	3652	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
PID 3652 wrote to memory of 1180	3652	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe	rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
"C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Users\Admin\AppData\Local\Temp\b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
"C:\Users\Admin\AppData\Local\Temp\b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ea855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3124

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4316

C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
"C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Storage Health\vwHDLI6ztoTJ3Zyc678R4ZwFx.exe
Filesize
565KB

MD5
98a51df7f715749ae27c79e7784b8a68

SHA1
1e350013711528c3db526b564e1f000cb42ffcd3

SHA256
3ea06775a165cb5022c77a626ad5a08db1c75d86c91c5269ec1e478733e5f06a

SHA512
d6884b7b5e66efcfa838e5ed3a4c6d81e68942f9bf1db72838f89f46c669f8986106771f164cdc8ec3411e921188afe0aa4282ab619d8296660c4c308c65b88b

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Filesize
400KB

MD5
fa118e1e1f48cd69879a762d038a475c

SHA1
c64f3b00d29f27a8fd900c787cd27e17394590ea

SHA256
e7de24dea9560ede2fd1497a68ee2f17c23d0c86ffb67e73208a572a61162987

SHA512
572dfe0d8a4e9f4a31b5e82d5e3c38812b649b9dd5131d949ce1867824a1f1543bdb7ef9f47c9ec609acaa32c06fb5f3492404db232f53722e73a6ee3b7867d5

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Filesize
400KB

MD5
fa118e1e1f48cd69879a762d038a475c

SHA1
c64f3b00d29f27a8fd900c787cd27e17394590ea

SHA256
e7de24dea9560ede2fd1497a68ee2f17c23d0c86ffb67e73208a572a61162987

SHA512
572dfe0d8a4e9f4a31b5e82d5e3c38812b649b9dd5131d949ce1867824a1f1543bdb7ef9f47c9ec609acaa32c06fb5f3492404db232f53722e73a6ee3b7867d5

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\rpGpVRWFyZxzoS5wHI1ukRNB17tOLxICiliL7SusLRvy89p.exe
Filesize
400KB

MD5
fa118e1e1f48cd69879a762d038a475c

SHA1
c64f3b00d29f27a8fd900c787cd27e17394590ea

SHA256
e7de24dea9560ede2fd1497a68ee2f17c23d0c86ffb67e73208a572a61162987

SHA512
572dfe0d8a4e9f4a31b5e82d5e3c38812b649b9dd5131d949ce1867824a1f1543bdb7ef9f47c9ec609acaa32c06fb5f3492404db232f53722e73a6ee3b7867d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\7poexQY10N.exe
Filesize
567KB

MD5
3bbba3dd1b1c907e8dc95235b3561bcf

SHA1
76ee79fd8609d9b73a0817fb9f2be5087b51f699

SHA256
380eee006fcad56f0c55474013d0420e0901ed80445469e6f19a4a97ac63607f

SHA512
f9ab83b13bcbb5fd9e0cc06c5b8b8e30d01e8af605d5ca2b6e8ac72a5519f30e135d5f5cefed449e178adda8184bd2dbaae71ef052357fa83c17e60a892e3705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\4DiFOtQfMB51ThTR6zpStbAQhOkpskn.bat
Filesize
545KB

MD5
b4f76b918568d2261d66cc19da7e5fa6

SHA1
99c847200557e620575c46895303807acb76094f

SHA256
4fc4e32e7bb4acecfd36d3e81d7d34742cf2de4f12ad5cfa9d2c822dce036ecd

SHA512
a21eb9ea2f3b065193a12a815739801fa714dda45bb91bff7b0f85023b6fe27c5f91cca260480062de4379eb521638ede607ff508492fc4c14167455d6a2d617

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\et-EE\XvbvEWcctXfRrKLEjkCtg7SQeY5xt3ptctGnqNb0y70.exe
Filesize
460KB

MD5
1757120cb0e8ae1ca66ca6a6b660f0ff

SHA1
90bdb39242d2168405fd4220e460975dfb04e5f7

SHA256
880c60dd79e1e0d3145417d370c5632ab3c8d69e0786a967bc35c903e2fff384

SHA512
09c33275d13c7424dc98f74692386e41d8e2952a54ce79e28846c804ec9f5e8aa6aac6c38e7aaaad408f165e28500d86a5289fbad4edbaf11db6bdf6b4e615a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\fr-FR\a5DdZcmiM2rpyxsSrL0Axvl7UmKCqY6FH01Si0.exe
Filesize
752KB

MD5
1f5de5d8ea7b65a84dcf21701d26cf8d

SHA1
93a53a1cf490be69bf40cd5d1b97477184d26d7f

SHA256
bd1a41360273a642b34d5d6f137b58801619b9962d1cc0b53a904bb38de7b6d1

SHA512
700c1467867d2e2078588df8431c2b5c8d27e9a19c92efc4ca7fdd195815398d2137cafbb23e7fe6bcfcfaa4bbb7284445c537ab8cd23ae06e603384fbbfc126

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState\3kRxLQDQifxLT1WRT1xP523wHmfJQmtIh5pCqovJtSpX.exe
Filesize
377KB

MD5
e0a1ff223ab51b7c972552b410d4d688

SHA1
868010ab9a5884260c63e59359cf88d36ab38652

SHA256
89ef27a4f1b3dabcc2400165fa83819b30d608fc250c8f94993940ebab05e192

SHA512
c260f39c46202320a7afd6d660830a7f10191c03a35dd98797117d85880c13e6ca6bf3c3e23167d6e9b9bc07d255c9424935e6a5929e7f0dfe5a4daa0e611928

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Temp\LjreJwTu0DFhGQrzjQN1psHGvnYsQTsB.exe
Filesize
566KB

MD5
67341c85f8855015bd808c0a18124d37

SHA1
d6ad7760f4db5820b0c033800f568be5862f008a

SHA256
d4e37cebce78c3f07d8dd148ad46f81323b2c7b26cf1a7bc9c5b77cef39ba81d

SHA512
70403a587272d7837cb64357e7f58f722a6790ecd42e2a674a41259b099402805ff5588cadacbc8d1e609aac1b39ef6495a9588275436206b0281f76ce2764b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\TempState\5hV8GdH368tWJTWPQGWsF3XpS3jqF7XN3FLo3U54XeyGA4Y.exe
Filesize
431KB

MD5
f1e617913cfbaf47cd59024b07f87a26

SHA1
3240938a1740c37c9e0b2eb107a6737a8413597d

SHA256
557ffb4ede099d94ba336392e001760e5f6a68f2a97f192f249470304b4796cf

SHA512
e3f7b81ef08990b790c7ca542dc8be6f4fd891bc073d4cf9fe7e79f8a364760adbc07d2780d7220be2fa2bfcd0faad5b304dd010dfcc2a9031379a57701fe199

Download Submit
C:\Users\Default\Documents\GHcKNHqa0w9wyy20.exe
Filesize
541KB

MD5
6d7a535937ae074fba018617b334a2fe

SHA1
74099dc8b3d688a6529ee4d175386b53b35b11c2

SHA256
d0eaee39b040b03b45efa972750e78a7626dcf0d4172149c18206529a55824e9

SHA512
2a4bd659c8248f479d812caa137f3e8541ea4b2a38ad6d57985de1e98269b32a99d7dc870f48a7929136a4819a5b16d26c63168f5e0c74659faa9bae1b62b56a

Download Submit
C:\Users\Public\Desktop\liLka1yMqzlDNe7tV5sCYLtX6knSNT.exe
Filesize
331KB

MD5
5f0e22accd6e694bd8821ffa1839d468

SHA1
efac7048fd2d9d9285f8e764c45d9793d7ef9156

SHA256
022b73c33a53459d94d86b7f397bd1c1ea95defe01106744d6b563cea2942e89

SHA512
784a5c251ca539523f725fc090dc9dc5bbed1e97f6ef3eaab2f17b0324715b6d721a9b1a663f7feba7e6c7f3c602947efaadfa09818075fef74f52b0bec17e68

Download Submit
memory/1180-147-0x0000000000000000-mapping.dmp

Download
memory/1180-152-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1180-153-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3652-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3652-139-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3652-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3652-135-0x0000000000000000-mapping.dmp

Download
memory/5060-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5060-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads