73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c

Analysis

max time kernel
34s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 08:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Size

1.1MB
MD5

839f58325e233294f39cd8a96d28dc80
SHA1

39a28db538a38e8e2ab74e9fd8ea146b3c1ec69b
SHA256

73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c
SHA512

75de04069eabe3faef1c768c5464b59516846f31aff7d60e64eecc2c8181935f6c031bb8a97f8accde4552a2c8223758eb957c3e1933baa768b10edfeee0230e
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd

description pid process target process

PID 4740 created 668 4740 ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd lsass.exe

description	pid	process	target process
PID 4740 created 668	4740	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exeZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\es-CL\\IFGz9jqBcrRfltyRykPhVhxs4vMMA7hWCvy7i1H4qK3ND.exe\" O"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\LLIq43BkSUoKdQc1LIytgxQ.exe\" O"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\UOvDGanji.exe\" O"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\RetailDemo\\OfflineContent\\Microsoft\\Content\\Neutral\\KAz9MZjNxHxbEUw7prpKku.exe\" O"	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd

Executes dropped EXE 2 IoCs

Processes:

ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmdZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd

pid process

4740 ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
4644 ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd

pid	process
4740	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
4644	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmdZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exeZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmdLogonUI.exegpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\xM6oI4mJ0LhG6eNTflX31IJ7QiDeb8HIrbnlMspwRE3nEpq2q.exe\" O"	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState\\5GXrwfivGejQAdxSOHpY0pCeUISBZ.exe\" O"	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-19	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\te\\nYxYmZCxYQd1vwMOfdIop9ErMo5MpotQ7EhqBcVn.exe\" O"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft OneDrive\\3tFGoJkn5326fUMvavvB1F0QAzXApWx7Mr1BSQNGjCH6Ixqf.exe\" O"	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{289AF617-1CC3-42A6-926C-E6A863F0E3BA} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000096925ad8dc00d901	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ycivfgho.default-release\\storage\\default\\moz-extension+++c1c51a97-85be-4681-8297-029d8363d1be^userContextId=4294967295\\idb\\3647222921wleabcEoxlt-eengsairo.files\\1Br72lHshLwOHUiyTYAAKc4XK32JhMvGMn3wrCHd93.exe\" O 2>NUL"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe\\LocalState\\JzwsJFvdNbtMKqI6sTNj4u.exe\" O 2>NUL"	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\USOShared\\I8Ur04R4xwIQ5.exe\" O"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AC\\Temp\\jixPeL5hf6z66a08mcILmYHWRmE08AUtBJMEDTNmIIIbNyumeGP4bXw5trWO.exe\" O"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FF393560-C2A7-11CF-BFF4-444553540000} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000069aa4ed8dc00d901	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\\Settings\\WiaNIOp7IM4uKL2qoWHbATgG8gURzqaoeroC7Z5eFs0a1.exe\" O"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\ja\\IpRmZgy2vq3DBDIeaYHJRlgw2dbI2.exe\" O 2>NUL"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000020f95cd8dc00d901	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\he\\2Ll5SUTohaACnrRALFkVZjVICA3YlSZLapnYBDE4yEl.exe\" O 2>NUL"	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 01000000000000003706fad3dc00d901	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\244PEM4r3rvje8T5o3bnFe5tnGuP4uf2uGDTPmvt.exe\" O 2>NUL"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\4APnUeaiQT1PNHMVRrQ8Upo8hb91gUFeo6IjgLEUhdc3orpl9DALb9i.exe\" O 2>NUL"	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd

Modifies registry class 10 IoCs

Processes:

73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache\\XAVtDrzBb669JkBdCChwRSX5D99nnMqfRsGGXXGYZggnvWIgYTzq6dQvJVW4ESHiKKBJ1.exe\" O 2>NUL"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\\FpvH3Q4XA8tIaNkUXYbxMZYyF.exe\" O"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Command Processor	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd

pid process

4644 ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
4644 ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd

pid	process
4644	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
4644	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exeZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmdZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd

description	pid	process
Token: SeBackupPrivilege	1612	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Token: SeRestorePrivilege	1612	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Token: SeShutdownPrivilege	1612	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Token: SeDebugPrivilege	4740	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Token: SeRestorePrivilege	4740	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Token: SeDebugPrivilege	4644	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Token: SeRestorePrivilege	4644	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4720 LogonUI.exe

pid	process
4720	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exeZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd

description	pid	process	target process
PID 4296 wrote to memory of 4740	4296	gpscript.exe	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
PID 4296 wrote to memory of 4740	4296	gpscript.exe	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
PID 4740 wrote to memory of 4644	4740	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
PID 4740 wrote to memory of 4644	4740	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd	ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Users\Admin\AppData\Local\Microsoft\input\es-MX\ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
"C:\Users\Admin\AppData\Local\Microsoft\input\es-MX\ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Users\Admin\AppData\Local\Temp\73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
"C:\Users\Admin\AppData\Local\Temp\73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3984855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4296

C:\Users\Admin\AppData\Local\Microsoft\input\es-MX\ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
"C:\Users\Admin\AppData\Local\Microsoft\input\es-MX\ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ja\IpRmZgy2vq3DBDIeaYHJRlgw2dbI2.exe
Filesize
1.7MB

MD5
49692418f8b37d8eaf866042baf0fe6a

SHA1
38d2b3dfcde9867d3ae4643de3a664027e0746f3

SHA256
562243f86a0b88723159fcb2394c67c98566aa1254cba5e7e51f73072c5f1316

SHA512
f376111ba466e8c40d8dced8be2e112d117bad01a6ea630999a76acedb5f583dda05c21befa90f34f93756677ff85e8ba7bfe0c9eacb00300b46d140f6a4b231

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nl\ZF1hBmKCNMw2CE.exe
Filesize
1.3MB

MD5
6e7b96c57739e755cf1ced93a7e5a36f

SHA1
df96007b0ef500b0e72f92bf74eb271690ac247c

SHA256
8593366d5adfbe380d35e8a733edc892fa33b69b3ba5159739f98cbb524199e4

SHA512
6b13d9e43b6070ad88af66265e0c81e7f4cebd40b9cf840d8085fa60976fd7c6e7b35cdcbf803cc76e918bbebd8e44e9003ace5f5e0a1487295539e39d9a1351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\te\nYxYmZCxYQd1vwMOfdIop9ErMo5MpotQ7EhqBcVn.exe
Filesize
1.4MB

MD5
d2cbde777699735da1a41dc2c42c9b6f

SHA1
02afc74845a74d6c8a8c1adfbcaec81da82ba50d

SHA256
7ac7cc49853c3bf5f183edc8b1d752d5d17b2012c33b861292a9280cb975354a

SHA512
5edb507024f9a4041c94edb7bbcf3030e637e389fc5f9cd3caca23b8909e15677dd4fda33c9d57f46721e632ad17e24090ebf0e5f2a3298bab0bdfa7546f0944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\es-MX\ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Filesize
1.6MB

MD5
333e6d175d436fcaf8fb48b8865e7b13

SHA1
af51d87e00d08f86622679620a956ca386225a2e

SHA256
3394b3d085e36afa6a018ca9b54a5ac63994c78f1fb198b4cecc84f66892bca0

SHA512
7a821a4fd08a501d97179e3f67af2cc3a1d98681db4f380d9c6325a10836dd291da9af0a2eebdf5762baa4e864e5ca0abc708d54c5823f1560902e1a6e7c6be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\es-MX\ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Filesize
1.6MB

MD5
333e6d175d436fcaf8fb48b8865e7b13

SHA1
af51d87e00d08f86622679620a956ca386225a2e

SHA256
3394b3d085e36afa6a018ca9b54a5ac63994c78f1fb198b4cecc84f66892bca0

SHA512
7a821a4fd08a501d97179e3f67af2cc3a1d98681db4f380d9c6325a10836dd291da9af0a2eebdf5762baa4e864e5ca0abc708d54c5823f1560902e1a6e7c6be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\es-MX\ZOlLVY1RPVvYm54LEv9dsZXggBjTleKbCmv6rOa6F1GVJaAeVXj2p.cmd
Filesize
1.6MB

MD5
333e6d175d436fcaf8fb48b8865e7b13

SHA1
af51d87e00d08f86622679620a956ca386225a2e

SHA256
3394b3d085e36afa6a018ca9b54a5ac63994c78f1fb198b4cecc84f66892bca0

SHA512
7a821a4fd08a501d97179e3f67af2cc3a1d98681db4f380d9c6325a10836dd291da9af0a2eebdf5762baa4e864e5ca0abc708d54c5823f1560902e1a6e7c6be4

Download Submit
C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\LocalState\3831rAeNbCP8SW.cmd
Filesize
2.7MB

MD5
8e4e821f55ac7c8fa04a5e008bbe09e3

SHA1
9f369049a4c2531fe47019c867aaa07ef8db6866

SHA256
8ddf16265b5724632228643b6884c13c32b7ccafd53cd38dc95931c750b4ef83

SHA512
b4d663efd606d2c9f99eaa735b1680fa51f87e3bc0a87387fe46510db32002f6a5f2d2440477c1bec5afa28a5774c2514835f6a3a0ac688459cab5d4461bd8e3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\Settings\WiaNIOp7IM4uKL2qoWHbATgG8gURzqaoeroC7Z5eFs0a1.exe
Filesize
1.5MB

MD5
7ace29e2b5d6a399d827b02da7053ed8

SHA1
99087233a9e5b014d22c46d9ee52509fd3e70b2e

SHA256
6940a563cb0b3326ac7733ff48b1712086585beb9f91272d74cfdcce8607b503

SHA512
03361c9adf4e8dab4ac13817fac7f545a345bddcdce88cf88341244daf2af05b7dd13b5e1dff267d3482598e60081cd29543ba1c5c35d1bc3683ce0582f45306

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AppData\fMA10TcOQGez.bat
Filesize
2.5MB

MD5
d5158eab648f1f142f4b17a161bbe68a

SHA1
a676969f1e6ad8a802e46bc5a475a81a89cbec68

SHA256
8e3e94315e2c4d4404c3d53629e8b77aa49a1049e01a29da7a58907a6b1d9e45

SHA512
ff8bb11d9349b558ecd1ee2f05c85c334e1dd52a415193695d0cc69860fc73b1b74047ea962bfff775e03c0b0c3ebe674f1e3015d21632726f9c06e5fd5eb17b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\Temp\jixPeL5hf6z66a08mcILmYHWRmE08AUtBJMEDTNmIIIbNyumeGP4bXw5trWO.exe
Filesize
1.7MB

MD5
99839aab9e8be9edc9adf869391f085e

SHA1
a4da3bb5081827efab0f1e2397460893a8d69a1e

SHA256
8d32ed74c52a44c5d27774fb9a54bf35200debff005cfc7ca237d3117864a354

SHA512
725cb602fa207c250c1c64d85a3b7d8cbd4dd2d95ecd0e6721fd9c3e4107d2662c339cc47abdea3cd7abf964e5038d1428aaa0826897d1c6664bd3c424ef9572

Download Submit
C:\Users\Admin\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AC\1siaAsVLFLlkWNzXeQJwDG04ryOl6i4z9zlsKAl5sRE.exe
Filesize
1.8MB

MD5
d35bbbc875a3422688a691d413abb30a

SHA1
f71449fc3ac326902c466903e17156372c4a5a9f

SHA256
96215c6b17a157ca4d40f6857cbc79a46334e35aa709a5c972094638dc644588

SHA512
3f964ac923f179855617d8b675807e160ab16772939dfa1125b923fbd4c3f102aa68093ebaaa84bb78d27c656a3cb5d72d658c217a371b22423f2f055ac6eee7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\LLIq43BkSUoKdQc1LIytgxQ.exe
Filesize
1.3MB

MD5
df2dd59c576690369ba9a27ab6543454

SHA1
15b3440082663478d5b14993e997511429d44183

SHA256
efcf9b148a80d19719ce263226ccd0e774df1b5bba3f59d4698ecf733c1de205

SHA512
49742c6ebfc88b179a810a9e4c74ad2a3b75a3d076ec586fb02ae3f07fb9637ab31e549e23e837bbd82ccf69a54a151365780fe34e56e7d028fda1a8d628ebef

Download Submit
memory/1612-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1612-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4644-146-0x0000000000000000-mapping.dmp

Download
memory/4644-151-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4740-145-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4740-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4740-148-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4740-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads