932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8

Analysis

max time kernel
21s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 08:39

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Size

392KB
MD5

e147c8db84bae5cee75b28b69ab5f2da
SHA1

118d1a98f8cccdcc1e942dc75f5fe8b2053cfb61
SHA256

932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8
SHA512

b68c83eba50224d947524bd3ddffcc7f29d5570b01aa184bd8d3111f26a7d8bbb756db6c7d0e4f9c6df7684d148cb34bbbaa080c3064cf5c1a40bc68adb699a8
SSDEEP

3072:dSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbMtJyVdyw:ssqhJMxzJiU5SeLmNSbMtJU5

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

iTau9SPNmaeY.bat

description pid process target process

PID 4412 created 668 4412 iTau9SPNmaeY.bat lsass.exe

description	pid	process	target process
PID 4412 created 668	4412	iTau9SPNmaeY.bat	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exeiTau9SPNmaeY.bat

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache\\40vkABFUmEH1eZjOTQqlmMhNGCeZT0eDgP3.exe\" O"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iTau9SPNmaeY.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState\\HPD7EXNXUOKaILvEik7M08B0Vlqqxdh2lavgkhI40dI7SIRJEkVkPGjXe5z80jUwqnaH.exe\" O"	iTau9SPNmaeY.bat
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\TempState\\QP3VDCJiHRCaHUJ6V9JlpNjnItEL6YiSAz8XqkrjFJsIixQ56F5wTvf5cEoF4pzg5.exe\" O"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\cy-GB\\dSDHN46DkSWC4ZDZweX51n5tkw7wv9IZBECCMRBtxyxP.exe\" O"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe

Executes dropped EXE 2 IoCs

Processes:

iTau9SPNmaeY.batiTau9SPNmaeY.bat

pid process

4412 iTau9SPNmaeY.bat
4960 iTau9SPNmaeY.bat

pid	process
4412	iTau9SPNmaeY.bat
4960	iTau9SPNmaeY.bat

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iTau9SPNmaeY.batiTau9SPNmaeY.bat

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	iTau9SPNmaeY.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	iTau9SPNmaeY.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	iTau9SPNmaeY.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	iTau9SPNmaeY.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	iTau9SPNmaeY.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	iTau9SPNmaeY.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	iTau9SPNmaeY.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	iTau9SPNmaeY.bat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exeLogonUI.exeiTau9SPNmaeY.batgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ycivfgho.default-release\\bookmarkbackups\\uvvEPECqYOnuCkg6kvCAfqYbBd1caNHkVKZdnDq82rCNI7GR76MRoyVZim.exe\" O 2>NUL"	iTau9SPNmaeY.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\\Settings\\eMyR92NL8I26B5KjrmbpRwMXKthMjwPBPj7svthb596hqWs4.exe\" O"	iTau9SPNmaeY.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	iTau9SPNmaeY.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	iTau9SPNmaeY.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e11c7e9bdc00d901	iTau9SPNmaeY.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\MBR7CLLA\\HBXiE2TaQW1U03LpfwlwUQ0HPdM4MxSEUX.exe\" O 2>NUL"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-20	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.Windows.PeopleExperienceHost_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\\5pJitCyG6PhbAueNSkRd2S6Ps4xOGU8kUn2xhxmIjF9FuQ.exe\" O"	iTau9SPNmaeY.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iTau9SPNmaeY.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp\\XdpBs2S9KMirMEbyXK0C5bfWOdCgAeySf5DdiKZWfDQgMt8dBhwe5ltmLt57tm.exe\" O 2>NUL"	iTau9SPNmaeY.bat
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\kf0TdkXBqtqANR7OFAMkDn8gnLj5RK1vd2DBCfujM7c3Y8ST4VR.exe\" O 2>NUL"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\\AC\\Temp\\XK7gYRqDySifHTBWkawIGUSQhwtea.exe\" O 2>NUL"	iTau9SPNmaeY.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	iTau9SPNmaeY.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Windows.CBSPreview_cw5n1h2txyewy\\AppData\\H2rgDGgty32kPoRA.exe\" O"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\4JB2KKVrBXgTkQBQ4yC5NdfDqbd18ewTdXZ.exe\" O"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\\RoamingState\\ee8E7TCvaKlG0QLy.exe\" O 2>NUL"	iTau9SPNmaeY.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Windows.CBSPreview_cw5n1h2txyewy\\LocalState\\6XQlYCuDSgfxJykc72xIqbeJyGg0FPZN8GoKK00ccIOfVYAl6W3.exe\" O"	iTau9SPNmaeY.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\\LocalCache\\A4CzTndYwKnOnwDnBlne14H0yLKK3NAlTvs2Oy5NsU9A.exe\" O 2>NUL"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	iTau9SPNmaeY.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iTau9SPNmaeY.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\J7EHiQxAHO7hGrkaJHGSv.exe\" O"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Code Cache\\wasm\\THsm6EuVZHIQ4OMG9WOz8wUT6IpnwsPpHrGTtvZuDRywFRNPOXRTrXX4msSypbLAhbJrZuV.exe\" O"	iTau9SPNmaeY.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iTau9SPNmaeY.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\AC\\Microsoft\\DcE6QxAGmP8lqO9bgMLyEbYX5SlDExk.exe\" O 2>NUL"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe

Modifies registry class 10 IoCs

Processes:

932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Command Processor	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\Searches\\xizTSIQKpfpTbVmPdmfJu2XdIhxYwGXI2Ui6WVCrPM7EBlBO3QbcKVfQux.exe\" O 2>NUL"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\\AC\\Temp\\CGR0rjXJnXiX.exe\" O"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

iTau9SPNmaeY.bat

pid process

4960 iTau9SPNmaeY.bat
4960 iTau9SPNmaeY.bat

pid	process
4960	iTau9SPNmaeY.bat
4960	iTau9SPNmaeY.bat

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exeiTau9SPNmaeY.batiTau9SPNmaeY.bat

description	pid	process
Token: SeBackupPrivilege	400	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Token: SeRestorePrivilege	400	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Token: SeShutdownPrivilege	400	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Token: SeDebugPrivilege	4412	iTau9SPNmaeY.bat
Token: SeRestorePrivilege	4412	iTau9SPNmaeY.bat
Token: SeDebugPrivilege	4960	iTau9SPNmaeY.bat
Token: SeRestorePrivilege	4960	iTau9SPNmaeY.bat

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

804 LogonUI.exe

pid	process
804	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exeiTau9SPNmaeY.bat

description	pid	process	target process
PID 4640 wrote to memory of 4412	4640	gpscript.exe	iTau9SPNmaeY.bat
PID 4640 wrote to memory of 4412	4640	gpscript.exe	iTau9SPNmaeY.bat
PID 4412 wrote to memory of 4960	4412	iTau9SPNmaeY.bat	iTau9SPNmaeY.bat
PID 4412 wrote to memory of 4960	4412	iTau9SPNmaeY.bat	iTau9SPNmaeY.bat

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\INetHistory\iTau9SPNmaeY.bat
"C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\INetHistory\iTau9SPNmaeY.bat" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Users\Admin\AppData\Local\Temp\932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
"C:\Users\Admin\AppData\Local\Temp\932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3984855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:804

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4640

C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\INetHistory\iTau9SPNmaeY.bat
"C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\INetHistory\iTau9SPNmaeY.bat" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Diagnosis\SoftLandingStage\J7EHiQxAHO7hGrkaJHGSv.exe
Filesize
519KB

MD5
136932d54d41b0ed56a2577f5593bab3

SHA1
75e544d7635e698fd5097ad4bd7e839b7e5ac101

SHA256
aa8e09256d96cdd5eade6119666d3fa79736dd1ef1de16dd9202f2cccc58fec8

SHA512
09d02ebc5a85f9f0239c39340ccf86038ec000c7b79a7e76f302ded3f5ba9c1620c316abc437a84e6bec1bd4dce9f604ad83d926daa0a69b05d85310189245f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FileTypePolicies\4JB2KKVrBXgTkQBQ4yC5NdfDqbd18ewTdXZ.exe
Filesize
530KB

MD5
bf97eba07e6b486271ae4dd04b864189

SHA1
fe58ca27835ac70d8e7cc543c75926aaa543048b

SHA256
556e5bdb405260319b0d9dac6f1e49c669de78884b6b6f1a8ae959be110b3303

SHA512
de8df8fbfbc82333f5dee6b4aed664e7323bfd24b6235e3e574b9c9dee55c129845231fa173dde40064f7e083003ef1f4ec2906c644c2bca4a0d3c38bfae67c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\kf0TdkXBqtqANR7OFAMkDn8gnLj5RK1vd2DBCfujM7c3Y8ST4VR.exe
Filesize
502KB

MD5
66179a99687c24ca0d3311ab6954e5ff

SHA1
d44b0624ef2b59ad52360627bd4a070af5de24d3

SHA256
519e52edb04cde90ec913eecdd0771347b7b0c048fd222edcfda511d187dd3af

SHA512
14e9bff835695b54fd6d552c3ed01fe04972ebff157ea40d2c56238780b64e9b96e01db9894fcc56ce2ea94b1e754fb26f2954c26a48f3d5f7f96a642defba91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\pnacl\R91ajW8pohuRQodjFMphhnzZcO4XPuCw0ZESoKXMh84tt2MW7B3azGZEOwfjeMU9QjcDyv.exe
Filesize
867KB

MD5
4a7bb9ea5c675b778a62ca17d944cdf0

SHA1
8e941eabe81e8a130a7a950636c4391b7b3ea545

SHA256
776dad789b3a9acbeaa60fa6550dcbd8c1d017bda6b87b954d333af3eefc33a0

SHA512
4b1e6a7ddda9eb76c340811bbde5a529c61f4138a4d560211ea750e7430d685f3e91ed84708bd247da25582b7ecea8fa23e5e0073069ee7e1addd7ea866220e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\cy-GB\dSDHN46DkSWC4ZDZweX51n5tkw7wv9IZBECCMRBtxyxP.exe
Filesize
734KB

MD5
8bfd776662c56496e859cca9d95b240c

SHA1
8f5739f5a208fb2fbd4050914ca1349b7177d392

SHA256
94c74c322083b29f0ee88a57ead0d39f3d5548ccda7beb5839f537bbb7daf805

SHA512
7ea2f41ad8ce87cf0ad695bc48e76d08b8a715510dd4897554da52ac32afb1a814db5f5ebfce41a5ceff92026ad111be85bca03422e2c21b21637780715ed2c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\it-IT\UE63lQAQA5JAjSABX92OvBOgll2VUZrHtDPBOFSzElYhB3OKlhzebrsQcNm.cmd
Filesize
766KB

MD5
052416d6b992f2080260333e1825051f

SHA1
f96b7d37ed62cc26bf0a2c97c30f68146662909a

SHA256
6695b656a43dd1378302faae3e39fb984ef2194c50009caee3adb7648ee9dd55

SHA512
9c8ec3560d29ca0fd3d45199311c206b0e76d79053be2273e3a32f2a975417029be8c87dd9072d5f7793cadab458a887d2d42acf655acbb079db436c6be15159

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\LocalCache\A4CzTndYwKnOnwDnBlne14H0yLKK3NAlTvs2Oy5NsU9A.exe
Filesize
668KB

MD5
15303f746a0f81a1d4d1e2d548487d83

SHA1
e4fb84d04dad80deaaba80791b11e91c67cfb1d6

SHA256
35bb1c3a75528d51a847e93899e23bf39a9e83dcaae22a06802e779e06ff4b89

SHA512
6ba7e7537d1616547b380f87806abf009ad6aafb55bd0e3895481804398eb8d94e356a478928781a9e8cc918e828351be6cd301531aeaa40c7aa2ce2170483b6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\DcE6QxAGmP8lqO9bgMLyEbYX5SlDExk.exe
Filesize
738KB

MD5
509023763e897f9d33c7a1a636c23ad1

SHA1
4d6f9540c04c8f4a3d55082dd2b2b4a15eed04f0

SHA256
ea24386744ef600c1e78b3ebcf287ddaf472b4210260fbba542dd00b7fa12b86

SHA512
00e781232c1145ad796d3e1c8ac243adeaa21a7a5f5e9b19be86240421c9b77119e0b0b1291e17493be061549cd8b50ccc73f7015430135b18191eccec7a5c56

Download Submit
C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\INetHistory\iTau9SPNmaeY.bat
Filesize
539KB

MD5
9813a845b68152a8f6e5ed3a606167c9

SHA1
a857419172d8b80f812359f259bea22d32b71ebf

SHA256
63a5bb1381e0e76be422c3c70822779e1d45be0c2b3323ed3bd83ae0a415a0a2

SHA512
f86e86d276b4d3dcbf59be2dae797a4a3b11c78bae87f1d5b39854d3b802517851ec0b8cbb2e4a18b14f7af38e907e08b802f94a24574ad54c84e683a045b7bf

Download Submit
C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\INetHistory\iTau9SPNmaeY.bat
Filesize
539KB

MD5
9813a845b68152a8f6e5ed3a606167c9

SHA1
a857419172d8b80f812359f259bea22d32b71ebf

SHA256
63a5bb1381e0e76be422c3c70822779e1d45be0c2b3323ed3bd83ae0a415a0a2

SHA512
f86e86d276b4d3dcbf59be2dae797a4a3b11c78bae87f1d5b39854d3b802517851ec0b8cbb2e4a18b14f7af38e907e08b802f94a24574ad54c84e683a045b7bf

Download Submit
C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\INetHistory\iTau9SPNmaeY.bat
Filesize
539KB

MD5
9813a845b68152a8f6e5ed3a606167c9

SHA1
a857419172d8b80f812359f259bea22d32b71ebf

SHA256
63a5bb1381e0e76be422c3c70822779e1d45be0c2b3323ed3bd83ae0a415a0a2

SHA512
f86e86d276b4d3dcbf59be2dae797a4a3b11c78bae87f1d5b39854d3b802517851ec0b8cbb2e4a18b14f7af38e907e08b802f94a24574ad54c84e683a045b7bf

Download Submit
C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\FpUNvhhw4csnwCUh.exe
Filesize
612KB

MD5
fae0ba4816f35fb47a941b7b40643c2e

SHA1
431ac6640f4aeda71a78c1348f9add56a60f74ce

SHA256
5fb2998298bd475142edb7ca4099be65795b30fb8bbc574dda4fdedad3defdcf

SHA512
0e6affc270f894fd02bc078efe59dc90196489b2d2bcfacd8bfc77c58d3d5c9ec069e80ae5a995da26103f82b779289fe04965df42d7b46f33172bbb22ee6427

Download Submit
C:\Users\Admin\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AppData\H2rgDGgty32kPoRA.exe
Filesize
685KB

MD5
0706b064c3d4bfd4a0eb8a8b10e8043c

SHA1
35fa24c13b146bf7390cb5821d9e23e6041396cc

SHA256
9ac7240c687e269ca659e27e07b735e15ebeef1b8531a4ff66c2379f6a049fe9

SHA512
21f055de425f27da565eaf03354577ff4f76554b741e9dddd6eb8c96850b2262ff36d6011cfd8842b1b7a94f99ef40220aaf73c25fefc6348cd7b6400464dc06

Download Submit
memory/400-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/400-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4412-145-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4412-134-0x0000000000000000-mapping.dmp

Download
memory/4412-148-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4960-146-0x0000000000000000-mapping.dmp

Download
memory/4960-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads