1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a

Analysis

max time kernel
151s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Size

872KB
MD5

b975f849631c3bdee73a78eb9f3c2dd9
SHA1

586ba9d75a0907e1ad3577f48fd8429429ead3d8
SHA256

1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a
SHA512

0b48f9c0afd7925dfc889545accc4f6f00ecf48a494939b1ba53d1f2e1ce72480472ecddaad375fcbb3dda2a2a1f4d8dfb1351d136e36c565898515d350e7036
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exey8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\\packages\\gql1mA6Kfy1p461NDfRcDPJ6WXvsF6T2yAcUIn0SOXrdHFUNjMrHVT1YkYkNUChs.exe\" O"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Adobe\\Acrobat\\jSKyHS05HQqFt0VTLOevpJNLyfivkSKuhaoAWrbeiPAUKx5yXpossf3mbdRa4Z9G.exe\" O"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Ringtones\\Bv4FzAhUkUepRvCaksuoE7gRx.exe\" O"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.MSO\\5BYnls1K6tZlJIgX8Ze.exe\" O"	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd

Executes dropped EXE 1 IoCs

Processes:

y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd

pid process

4800 y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd

pid	process
4800	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exeLogonUI.exey8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmdgpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Network\\Connections\\qxzpNBk2tR10dq6dYvZozcZqRjVaRh.exe\" O 2>NUL"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\0x6mL2lW2yZVvqiTBQGvjkaN.exe\" O"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\yrilf55p.default-release\\fKQ7erMb6xrnRnIlFMAjSN6i.exe\" O"	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\SmsRouter\\aiznfBCYZ5yxgx8LumT6atDjyqrjlIypH.exe\" O 2>NUL"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-19	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\dmrccache\\4NPEJJ752HwO3gufdeKULL8jjHibKSnHYiKvRvxsXGMNC1YZIFztpulNKf3OTWHgNM.exe\" O 2>NUL"	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\\AC\\Temp\\wgoRWrGjw1vQBcg8.exe\" O"	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\\RoamingState\\NSEKGR25eBTgJyI80LzKbaYX3FCFHn3AJXMnJ9eTTAPcqPrEmPv7Mi6V.exe\" O 2>NUL"	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 01000000000000005ee8b660e400d901	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\SmartScreen\\p3Y2qdL7zLwi0sDIroEpnY.exe\" O"	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "240"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\lv-LV\\JCor8u2CSzRUwPmsV61WxedDkI9QL11BiuwaqaSNBntaWSG.exe\" O"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{a3eb0b7d-8046-4816-a7d7-b182a6f9dc20}\\Ches3Z29dAYwUaxYAio.exe\" O"	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\\SystemAppData\\P9MGLXd6rQEYi7R98j.exe\" O 2>NUL"	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-20	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\4G1XLwQ63aOVupVBGI17a7QFWqta480.exe\" O"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\History\\Avbzs84Pmb7GlohXisvIohpeZ84yvJMFJU65UyGbyJKpUzgayEj63.exe\" O 2>NUL"	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Key created	\REGISTRY\USER\.DEFAULT	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\EdgeUpdate\\XiyjlFm3ZkS5gXd9l0FNcNdxpeqxEfZW4muJCZqV6QLtvhIsZz4v.exe\" O"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Modifies registry class 10 IoCs

Processes:

1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\\SystemAppData\\OqDeXe3IuMzOFYxpGIvQwGorqJoP6k0btPsnaqbdzgSznG56AlIhUfP25.exe\" O"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Command Processor	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\15\\0HnWaK7ceo9SYwZpgA9FE1g8miVRGJpA4ykk5zcYVgeC.exe\" O 2>NUL"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exey8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd

description	pid	process
Token: SeBackupPrivilege	4356	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Token: SeRestorePrivilege	4356	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Token: SeShutdownPrivilege	4356	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Token: SeDebugPrivilege	4800	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Token: SeRestorePrivilege	4800	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

3552 LogonUI.exe

pid	process
3552	LogonUI.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 3760 wrote to memory of 4800	3760	gpscript.exe	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
PID 3760 wrote to memory of 4800	3760	gpscript.exe	y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd

C:\Users\Admin\AppData\Local\Temp\1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
"C:\Users\Admin\AppData\Local\Temp\1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39e5855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3552

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3760

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\hu\y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\hu\y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\XiyjlFm3ZkS5gXd9l0FNcNdxpeqxEfZW4muJCZqV6QLtvhIsZz4v.exe
Filesize
1.3MB

MD5
ef1517a26ab46206664d915ca1081702

SHA1
b0a4cd369a74bf5e68be2da9a0e05937347cc2ae

SHA256
8f55bc521eb72362dcf1e04b0273fad280949227cd4a9d18506ec5254ed720af

SHA512
f1945b5905c49378a176650dd2167837224767c241b3bdf1af7dacbfae48155bd32df6868d18b6ca3dd9a97ef2547103eeefbc59119cf707961ee212c570d42a

Download Submit
C:\ProgramData\Microsoft\Network\Connections\qxzpNBk2tR10dq6dYvZozcZqRjVaRh.exe
Filesize
1.7MB

MD5
145612a595d450ad057c14048478706c

SHA1
bc0546bf3e2c4e3af11745106509171608117feb

SHA256
ea4c93566f9d3e369eb410285cba00e57c953ab2f42786bf1c2f178be450d7a1

SHA512
f13ee833cec88ecc10e98bf4bd451491adc4f5ca9d2cddd13b1e2c08b416b8678912ee8a1724199ec1f2603bceaf3dfadf16dcf9e392a6691f1c15f6e38fc086

Download Submit
C:\ProgramData\Microsoft\SmsRouter\aiznfBCYZ5yxgx8LumT6atDjyqrjlIypH.exe
Filesize
1.0MB

MD5
56ef8412dcd8f76281d35360149bcf03

SHA1
fd1641a0d45ffdef736012dea888bbb162b210be

SHA256
a95b8ffe4c815d289728dd84d9703cd47621d0963999ea7d16244061f02baf76

SHA512
6efdbcd22b60a3f360a38df44d14659777e4b71de9931eb6acc306efa0276c00003353d3e71f5375e15bb162dfde8b773db7f456f98b55d3f9cc14115c889dde

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\jSKyHS05HQqFt0VTLOevpJNLyfivkSKuhaoAWrbeiPAUKx5yXpossf3mbdRa4Z9G.exe
Filesize
1.5MB

MD5
6255d16e453f5b32100886d60fe995ee

SHA1
0276137b93ad4a14bb7a3e11c28de35538eea03e

SHA256
55d307f5af0658ee0ec20fd2115d524bf3da05b6e09cb40abc88b9d50467baee

SHA512
79fa15342fca9a576db77cf0af4f3a5d184c160d1a9df3db79da53a0d209a9007a60975853c49bd8432f17c313b87a9e25dce1d81280f71d52d9715f20ffc282

Download Submit
C:\Users\Admin\AppData\Local\4G1XLwQ63aOVupVBGI17a7QFWqta480.exe
Filesize
1.3MB

MD5
96838ccabe7aa2ca62e81546692d68ac

SHA1
091267ef9b852a3e8b8dd55aa8a5b9b3508ebcf9

SHA256
5150a84dfb3563011ba9ac9921e16fb98b960c0d5b2c266d1a69b707c362f710

SHA512
a82f4c33bc53ae7f6b359bb52a971dd279d3bc5bf9a094e1bf483ed5286195a3cc0c0a597b40a6e70c2f9f86f093c276159bba17e9873c0e2d83e507e25d67c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\hu\y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Filesize
927KB

MD5
4d1303618067ec41992fc48313cc1245

SHA1
3f704800b405a6dfb7e483344ffb5ca65b0e33bb

SHA256
c7e787159155403cea32e1d2fd9044fb09a72ee55b4fe4cbbe9bb49d30c8c695

SHA512
2e5930c6902f758b18530bea6e37926724b5b005890d35c58d62de78713a860408d04816aed7edd48c021a28a0298f2376a2bf02f934a2ac3bc955912c65d1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\hu\y8st7IgDQzzWiv0EfXut1tIwnlURfZa0L3O.cmd
Filesize
927KB

MD5
4d1303618067ec41992fc48313cc1245

SHA1
3f704800b405a6dfb7e483344ffb5ca65b0e33bb

SHA256
c7e787159155403cea32e1d2fd9044fb09a72ee55b4fe4cbbe9bb49d30c8c695

SHA512
2e5930c6902f758b18530bea6e37926724b5b005890d35c58d62de78713a860408d04816aed7edd48c021a28a0298f2376a2bf02f934a2ac3bc955912c65d1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\lv-LV\JCor8u2CSzRUwPmsV61WxedDkI9QL11BiuwaqaSNBntaWSG.exe
Filesize
1.3MB

MD5
825d9f4e1bb67e597a50cb8a7d548a55

SHA1
cc73cf43e5eb9eea17641208fa8be13dca800772

SHA256
fcf023f468efd4312e64388b0ca7576258ce1cf48ab84883d01cce29707d24db

SHA512
88d8c7eab1971527f4f4bc19bbfebcd63493bc097640bc0905b0e1ac1efc4d466161585c020013c34d2a2e34cb71a2303bfd1d57df01965f2c59236828fba98c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\AC\INetCache\qNqZEUnddCpgiV3hjJpWHYXNSLlim7V0DiDT5CLusYzd.exe
Filesize
882KB

MD5
47b2fe8f0822d5893787fc82536645b7

SHA1
cd17043c6c3eed9099719935c106b3fbc2b0241d

SHA256
694a22c36a8ed06c5979a3e0afa5167f1fed5e915c8e043222ae07a861e23210

SHA512
2a7f72a27880fb9b02cc842dc4e728cc1bb6c6e471386d52da990804801695324875cbbb7db761789e54f219ae045c8f5a2a936dfef49b8e874e90adc8762901

Download Submit
C:\Users\Admin\Documents\imvj3YmYkqYaGXf.exe
Filesize
1.3MB

MD5
d1d3498374e82b39e8f09e2fbdf9a1d2

SHA1
4838af97892ba4c1093f9821c39de9db08da0a75

SHA256
58a4a85a880ffe16d96aab00922a45459ce31dc42947933e8deee6604fbd20b7

SHA512
cc462948dc5eb38082444983f8121d85f9341c8b3189bff109a1dd21506c435f9c4f50b3ae907d4786420119041995fddfd5c3f343dcf1723693b80fb5a68a21

Download Submit
memory/4356-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4356-134-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4356-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4800-138-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4800-135-0x0000000000000000-mapping.dmp

Download
memory/4800-147-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download