834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2

Analysis

max time kernel
155s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 08:51

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Size

1.7MB
MD5

7ba4cbd920088fa5a9bf5a144c9834bb
SHA1

caa83f4ec6286d58ecc56fc9dfaa650f765b6868
SHA256

834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2
SHA512

0311af7730177fdfa09c0faf41abe73c2a3ef800edfce78cb999912449cafabd006ca15d1f2e231b06372c240ab97f9cc203f01b5e2ed2d04afefb98d0a66d87
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe

description pid process target process

PID 4604 created 656 4604 kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe lsass.exe

description	pid	process	target process
PID 4604 created 656	4604	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exekXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\338389\\w5o6dd8dLyV9wuEShRQ3IHPECJ36vNSki3brIoltTtG6KXtIOmkWxf.exe\" O"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\5sFk0iZJiIM9qazYt8VzgBhtO3OvMIzB1DXJNYtgrsfxAD.exe\" O"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\nO43WRgdrSGhwu16RnWVLwajhTXFkGjZWo4Te5.exe\" O"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\SettingSync\\7UpZy8OdHn6I6QFezPKP1hfaOCGH9Xhr7Z.exe\" O"	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe

Executes dropped EXE 2 IoCs

Processes:

kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exekXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe

pid	process
4604	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
4376	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exekXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exegpscript.exekXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exeLogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d8d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\SmartScreen\\2NLovigd7WPTgPIv9aoIj91ID8xuwXz8wstdZhWYxGtaxW.exe\" O 2>NUL"	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\H4RMDeaJhkC3X.exe\" O"	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-20	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\de\\sBho8yjW3sQox7MbT63dU1SA2xK0RQ0.exe\" O"	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Win32WebViewHost_cw5n1h2txyewy\\TempState\\Ust7siUtQYWSaGKnSFojww6hJnxBC.exe\" O 2>NUL"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\es-PR\\8p9CkBjpWm3DAl4FuQzn9b42m.exe\" O"	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "169"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\5fDBnKj9XQxufn18WA.exe\" O 2>NUL"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\P2JkGrAaADIUfn5R3zSRjfnxSEsoAhlFYyjXRSKzY80HdUZRVMuTtnHw.exe\" O 2>NUL"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\\AC\\INetCache\\fMHp6qVzXalP2ncR3AQu56KkMRMmSz9qjsSD7zEifAfq8lYtv20ddSfrmWs4EgO2ETFDNQ.exe\" O 2>NUL"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\WinX\\Group2\\9KC6ZNPcTJh8V9LsljOHg2sYfo2iR3UrTPIMLuLMuvENHguHDRUYDV81ZtZZa.exe\" O"	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\et\\yy4KOlKDe6pZD184f1ewrHs1h.exe\" O"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\eixn1gSp0YsPu4yC25ZboP.exe\" O 2>NUL"	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\DiagnosticLogCSP\\Collectors\\oDOVwN3eHDd56PaXrLimOQrRsfHioAiu7Ka7mMRpGPPfb7BJ9XJxW2wwiz.exe\" O"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\.DEFAULT	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-19	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\ar-SA\\LnYMdlcvQzmUo3mPsUKPCRJt0LlfHDPm8yaI5fDnsmvH.exe\" O 2>NUL"	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\a7z3MbF88imGfOPa9OTfQU1XWZGgh.exe\" O"	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState\\HXQs4z4KGxvFyp9hveu4IE11KfbEaPhXk0SUeCjsDcn5RSGR.exe\" O 2>NUL"	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Oracle\\Java\\javapath\\5At1ov8ozTG.exe\" O"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

Modifies registry class 10 IoCs

Processes:

834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Command Processor	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache\\XfuStmQc0QLgPnoL.exe\" O"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\jdqssm5\\x9Dxer4bjlCo3Tuszcjv.exe\" O 2>NUL"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe

pid	process
4376	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
4376	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exekXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exekXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe

description	pid	process
Token: SeBackupPrivilege	3836	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Token: SeRestorePrivilege	3836	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Token: SeShutdownPrivilege	3836	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Token: SeDebugPrivilege	4604	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Token: SeRestorePrivilege	4604	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Token: SeDebugPrivilege	4376	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Token: SeRestorePrivilege	4376	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

5004 LogonUI.exe

pid	process
5004	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exekXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe

description	pid	process	target process
PID 4580 wrote to memory of 4604	4580	gpscript.exe	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
PID 4580 wrote to memory of 4604	4580	gpscript.exe	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
PID 4604 wrote to memory of 4376	4604	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
PID 4604 wrote to memory of 4376	4604	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe	kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:656

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Users\Admin\AppData\Local\Temp\834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
"C:\Users\Admin\AppData\Local\Temp\834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ef855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4580

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\oDOVwN3eHDd56PaXrLimOQrRsfHioAiu7Ka7mMRpGPPfb7BJ9XJxW2wwiz.exe
Filesize
2.8MB

MD5
e8c3541f71d412822838b96071961b26

SHA1
1b39faee66fe863eb85f94553e23725d3b6530df

SHA256
e4a9b9a7a59b95a8be1b399173bf9567f43fa2abd92b5c6ace23ad402b145a86

SHA512
5daa9239b5b5434b8286597e6aee0b89b3fb55d93891dce84f3ee0c60a7528633e066a3790c049ab268e8ff72a00f116d1906b7912b1278d339375d20e80e8a9

Download Submit
C:\ProgramData\Microsoft\Search\P2JkGrAaADIUfn5R3zSRjfnxSEsoAhlFYyjXRSKzY80HdUZRVMuTtnHw.exe
Filesize
2.0MB

MD5
3c8d2e8c02e05b39e896b5c5dcfdc30d

SHA1
a3bff4c150fb870785449600d8fb7ad9eb6a9c63

SHA256
def3a3fb26340969974786e5d1833a0ae32428029061b235c2eea5e3b058c89a

SHA512
18c45a0136651da44d84903fb63bd99af1c9224011670fe2f6730a93bf2f12cde54004842f636b0197f5478f39aa0237fa52cb3fc5057ce2c52dade2b8bd097a

Download Submit
C:\ProgramData\Oracle\Java\javapath\5At1ov8ozTG.exe
Filesize
3.1MB

MD5
9259d78c265cb8a6ae496c4144db88e1

SHA1
65f152febd5b927caf4d88c88fe2b8474ba7e5f7

SHA256
f4cd1bafd0125b0d891bf427360bbc253b84ddfca5529406f2e24b38ee50f4cd

SHA512
36c8c7758687b179fd1cf9cecc804cab172906b139d5e8e92f28e5f5890507abbf6b5dba9c47ee30cd440998f7d8a5f8d1c95cd060078e7ec4300fec07b35d68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\xkU0KvlxxWSiTcTAA8dFBkgEAUyyTILSuX5OXBwpDBE5OzidKm8nI3CKhnJy.exe
Filesize
1.9MB

MD5
f202492c1f6502bf3a8a799e58ae6216

SHA1
e5af7481f9834f9fa43b771820018cbc9a26ccfb

SHA256
1013f1089cd61f732d856626b0f0104584a813248dbbfe939a3efcbdd8a1266d

SHA512
e18fc8ff57754dd53ded299e741d70aaee6c903977519198c57117a9d352cfe08584974b475740c8d5003738abf740cac7720372b9ba84df47697077d7431122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Filesize
2.8MB

MD5
205222d9567cac992317b578567292ae

SHA1
83689a90e8ce27acc0bbdf8eda9fcff377c8023f

SHA256
cd30250857990193d8b6aa393ee6280c5b0a943d08e8b11226b21de89945e822

SHA512
01e73a2adcff33fcc237bf44f323b646d9f41ee89ac62000523232a9bc34830c661ba98843c6ae1e4617447c57c9ca4aa60525a7c14d9ba9f97ba241d7aad7aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Filesize
2.8MB

MD5
205222d9567cac992317b578567292ae

SHA1
83689a90e8ce27acc0bbdf8eda9fcff377c8023f

SHA256
cd30250857990193d8b6aa393ee6280c5b0a943d08e8b11226b21de89945e822

SHA512
01e73a2adcff33fcc237bf44f323b646d9f41ee89ac62000523232a9bc34830c661ba98843c6ae1e4617447c57c9ca4aa60525a7c14d9ba9f97ba241d7aad7aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\kXC4NtHKTaCeCBz4bczNhoIkLShzCOzyM3aylSgVnq8NJf0D65wS2CGzF7zbQnu.exe
Filesize
2.8MB

MD5
205222d9567cac992317b578567292ae

SHA1
83689a90e8ce27acc0bbdf8eda9fcff377c8023f

SHA256
cd30250857990193d8b6aa393ee6280c5b0a943d08e8b11226b21de89945e822

SHA512
01e73a2adcff33fcc237bf44f323b646d9f41ee89ac62000523232a9bc34830c661ba98843c6ae1e4617447c57c9ca4aa60525a7c14d9ba9f97ba241d7aad7aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\bn-BD\0KC5i6LV4GBrNZ9bNRZ6VSPNhlNcNod9hl3G62cPIQVdFMT86MJuRB7w.exe
Filesize
3.7MB

MD5
88f5908d7ccfeda3e669888dddea6ffc

SHA1
9d52fadfeac656731758c5a3a404017c470fb546

SHA256
b840247a846e7ef51054d9f7c889702bc4f773a5e60d57cbb252d3ec4b744611

SHA512
28d117e066e392e323db4f097b06912898497338151ab2373edceaac9cb13f30ca04855c7320096febbc751a261815b946ae7e4a9ddd3c088720c7dba6d3e635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\et\yy4KOlKDe6pZD184f1ewrHs1h.exe
Filesize
1.9MB

MD5
1e7c5883ce34473d62b29e5c25ff390c

SHA1
f0f8d65b959191aff010ba909bf3d19d572ccedd

SHA256
694627edc48312ab9a07ea76ba82f3e6860dc10d90183ebad1ed29008f6c9e67

SHA512
0e97323a3c2641a7a36dcc01dcd5a50e5a62ddad9a12bff3782ac2a03f3bcfc96954442faba83ea6c1abca8585594272bb6b1e4a2a008971f7335f70c29458c1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\5sFk0iZJiIM9qazYt8VzgBhtO3OvMIzB1DXJNYtgrsfxAD.exe
Filesize
2.3MB

MD5
ab041040acb2179a9e7acc03474b1a2b

SHA1
3e6e095685aa1203f982a73e819b075375a7428e

SHA256
44906da93eb6e841109a14776dd5d6eb2fafc0979fc00e94b1a1cfe52c7679a2

SHA512
01728d20fd1ffb67bdcaab8d6ba40b7fb9c6ece051ef2978639d48374766196b3211d66c57453b01058359c1d6beb5e2935012b085c255e926a38ade68de7fde

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\TempState\Ust7siUtQYWSaGKnSFojww6hJnxBC.exe
Filesize
2.0MB

MD5
25fcf227a4d44a8e2217c4c7071fd645

SHA1
ec2e149ad4502906ecb74ff65a9bb230c60bc3a0

SHA256
72f8be57eb0ad6d013e263f3223428fc46aa561245301247ff54fd7df8bf033e

SHA512
3d0b633339c8b849fbe090f8756ba39c1995850a0418f991869ebe1bf6c48b6f59777ce689d68de723108b761b0a2f5d19d8838f5c68614da4fb9c0f34ec1e3f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AC\INetCache\fMHp6qVzXalP2ncR3AQu56KkMRMmSz9qjsSD7zEifAfq8lYtv20ddSfrmWs4EgO2ETFDNQ.exe
Filesize
2.1MB

MD5
ca6b587f7d503529e8ecbc915af6443b

SHA1
9e6ec3f8b0b8fe4e2dbc9a0ab6a239adb546dd80

SHA256
3fadcfd32b65dbcfbb35df7fef8b7dc497eb0da49d586c45dc19d25b63595abb

SHA512
8ab0580f3373cc3bcd6453e88f147a1ad7c238301e8bcb83e370f07283757fb748dcb1073de73f144e3d1d1ada51bb92a84609a706b8b948c3d3df7b3f70350d

Download Submit
C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\2IDr6fvXYLvhZFLe3E2nPAy4r3uY3Ss5h78mM1Yh4qG.exe
Filesize
4.5MB

MD5
ebc7ff3a8fce338f44fcbcc3f0094ecd

SHA1
bcd3eddd5696d2ad7a89c7e40ef999325da52d46

SHA256
2919be014bffc22fb9e3a756c09709b6f8dea2c8872acc3ef987b9c5806e32ee

SHA512
1ecf353996fb0d739822f65f1043ada4b5201da240078dbcd79573b16afdeaf632d955b47475accbdd6d8ecaca338954723e470fc216b6aedd7576566dcc3d01

Download Submit
memory/3836-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3836-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4376-147-0x0000000000000000-mapping.dmp

Download
memory/4376-150-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4604-135-0x0000000000000000-mapping.dmp

Download
memory/4604-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4604-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4604-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads