83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9

Analysis

max time kernel
87s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Size

629KB
MD5

ed35b6362831abcd33026777908996b2
SHA1

70405234f81633891502c52d954643996373d3da
SHA256

83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9
SHA512

6dd26c8b2b9335cc80a7d6b71e435376908e1da89f602458927025792f2b24dc3035ca07896534271aa7c4f818c6555ade1320de58d27985b88653db6d92903a
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe

description pid process target process

PID 4240 created 648 4240 Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe lsass.exe

description	pid	process	target process
PID 4240 created 648	4240	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exeMauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\oZOYyokJ6sEY6j3e7IT3QW3m0VBYohIXDbfkaN.exe\" O"	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\yNMgOBe2ngpOwo3rsFuj7caMfikJ5AAid3vprfbtqlIPI3W6glWJVacZbtuwdm.exe\" O"	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\vybwayxr.default-release\\datareporting\\thIfhAH6hQSB1OxT6muk9ZXfmDixTt9GwMFeRAnzaedectrvfn3YLGPga.exe\" O"	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\5ie9lncxu7avZU4AnF5JY.exe\" O"	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe

Executes dropped EXE 2 IoCs

Processes:

Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exeMauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe

pid process

4240 Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
3788 Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe

pid	process
4240	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
3788	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exeMauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exeMauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exeLogonUI.exegpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\muffin\\ej2e3DSs6wcM8H5IRV15a2Fj9ix5Pq993Z.exe\" O 2>NUL"	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\es-ES\\WuvuTnBxpE3RjI9DdsJ7p6axvoxKB3pcwDJGg109VrgtQWs.exe\" O"	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\\LocalCache\\0kTg90tWjQ.exe\" O"	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "169"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Settings\\T146JmJjkG1qZnG9HIVFHnt1N8NzLA0KxB53E.exe\" O 2>NUL"	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\YXa8crWRW1JbFJtuDsAaSK3Ky8SKMybljpbSHOieIom6LBJJXE20.exe\" O 2>NUL"	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vMdV8yRY.exe\" O 2>NUL"	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\C6sfQKd3B.exe\" O 2>NUL"	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\si-LK\\XE9mFFTGNcMW1r5M4Y8gk20y.exe\" O 2>NUL"	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\RetailDemo\\OfflineContent\\Packages\\C92ROlCpV.exe\" O"	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\\WTgMZf91TJ.exe\" O 2>NUL"	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-19	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\orMQPcS0C6.exe\" O"	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\\AC\\INetHistory\\SbuIv9jGFrLbu93rNVzxHQL6.exe\" O"	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Local\\Microsoft\\moNNLcSXpdeOs6nsyNGW787s0uxHQWMnQByHl0IaGM9hrC43ZOaMHLd.exe\" O"	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\GCM Store\\Encryption\\K3HVn2t3xvcDbDoEGhUnKX8FDT2WGwETG6wxNXKTKWmmHRFQR7Lfl.exe\" O"	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData\\bPhplrU4gUXvamZJtAOUcBApN7JZ8ecgz6beqzkfY2.exe\" O 2>NUL"	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-20	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\gd\\z4tyPgwX.exe\" O 2>NUL"	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\DRM\\Server\\sDvFNd1NFfzHnGgVJ1JQrxJP7CLukvWnwLUooT8tqt5GHkCBpHyP8iyAF43ezNz0p9d.exe\" O"	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe

Modifies registry class 10 IoCs

Processes:

83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\On1ptjvROGTHB3GJeV9mLVodwb3HS6qtRgcTi2J27azZUWYw.exe\" O 2>NUL"	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\11\\XD7ubIoFy55blNuTza9nmrySMenoH6M5fVlll81apwZRf7.exe\" O"	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Command Processor	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe

pid process

3788 Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
3788 Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe

pid	process
3788	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
3788	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exeMauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exeMauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe

description	pid	process
Token: SeBackupPrivilege	1456	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Token: SeRestorePrivilege	1456	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Token: SeShutdownPrivilege	1456	83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
Token: SeDebugPrivilege	4240	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Token: SeRestorePrivilege	4240	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Token: SeDebugPrivilege	3788	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Token: SeRestorePrivilege	3788	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1796 LogonUI.exe

pid	process
1796	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exeMauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe

description	pid	process	target process
PID 1676 wrote to memory of 4240	1676	gpscript.exe	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
PID 1676 wrote to memory of 4240	1676	gpscript.exe	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
PID 4240 wrote to memory of 3788	4240	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
PID 4240 wrote to memory of 3788	4240	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe	Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:648

C:\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
"C:\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Users\Admin\AppData\Local\Temp\83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe
"C:\Users\Admin\AppData\Local\Temp\83b841a629cdba822e25bfad3fd1d48e8e183f1d788c8eb4c9d3cc5e49c549b9.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39eb855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
"C:\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\SmsRouter\MessageStore\orMQPcS0C6.exe
Filesize
1.1MB

MD5
e9d2884545f5a85ca1d905d1e090ac90

SHA1
95250fc6e43897b03ed81f6423d8abfee8472c0a

SHA256
85d6008460fff24c827beb7cd54eedda880869d7c825fdade373b31b242061c3

SHA512
355746a7d6867d612004215a14613bcf6250ef22b35e737cfa73f959448e59877e00863d75cef5996c6fc5947438f65394262ae2cc3c00ce94a9555f05d02efa

Download Submit
C:\ProgramData\Microsoft\UEV\InboxTemplates\q74kbDwxET7W2TJgnlNuDCaMnIRFqo0fPL8LKmHrKKVsLosThRfrs6VrX4rSb1d2fWuGZ.exe
Filesize
692KB

MD5
d9c75f417582ed2b13157ae83221bf16

SHA1
eb5253308d0250ae256c0badb195b554cab5331e

SHA256
98d8c3b442b49f67e555a6d0d61c808a4c0a79fd350f84a79a40c3ce3a01ce55

SHA512
86e4e6d0b20b90b47352cffda0e36c32639473315764115669de10c378e15791319a8302ac371962a3a36f9d6a8387a22f7dc2aa19a6c5b27da038e95beaf4f1

Download Submit
C:\ProgramData\Microsoft\Windows\RetailDemo\OfflineContent\Packages\C92ROlCpV.exe
Filesize
1.2MB

MD5
dfbef5f98eca04313d81bdb14d6be12c

SHA1
cec2a4cf224e4ba0d2c304e75ba2e399004c3529

SHA256
b08506c093a2ec9bed032a9a816fa61582f89e7ea11ff50507144b074d4c9678

SHA512
85cb0cd24cfa84a750381fe9136fab7abd3d865974a2480328bf20d06731bd9cd1ddcd9216472f570305d8fe11d6ebe0fdd91d51f9b979e40329a096bd9c22ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FileTypePolicies\oZOYyokJ6sEY6j3e7IT3QW3m0VBYohIXDbfkaN.exe
Filesize
1.0MB

MD5
85a1a9136afb9961fff2b39a290325ed

SHA1
ccc47fccd368eb84469372979678ab56a1c10235

SHA256
8ae399ef04f4cf563a9408f1b705a5705211c26e4604d31672e2d185aa0a58b9

SHA512
0b4d85f0fb8a3669bd4a5f3ad5eb1cff4d34e831a639b5be10d3970486e50b7bbefda707c11bd3780ce678d8512603e75d08be065ea98b1e8490c308cf979c7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\aDYMZ0mFRmgMdgOnZocigO8MPgITThOTHKkH4o.exe
Filesize
833KB

MD5
60bacb408dcc18f8f4d0fb4e32098e53

SHA1
d71e959196a28832ceb63296616d18511ac0eee4

SHA256
cb1c25d2f25f9805dca0664d0ad5bdd55f51c392be66d5bab6eb64a6d19fd0a4

SHA512
57171a516712b507b823981c68ceb1315adb1a280d38461b83c2ea1241ff7c336245d145ac1c2d9210f64ed8aa60e1e0c6db7b060128d4f75ee8dced042e5a6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gd\z4tyPgwX.exe
Filesize
635KB

MD5
0bf91b335adadd69545bf38e31053422

SHA1
234d347648e88eb94031f8c8376efaae785f722f

SHA256
07f001eaa8a11d7cc8b2c320c231095a0ad70ec97a5cf50062af44c87c97a2ad

SHA512
3d3db5cffb8254d3f12dda4862b295ccec785e93ffc38959dfb2065cb9e92ad44abf39dbcfa3dccf27256320260758c914c77e14903b923c2b6f91dca34fe0f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sv\cLSkvOGaNqTMzE4ed7h9joUfRPvSOEfs4Twu9b5Oh8DXzEky.cmd
Filesize
1.6MB

MD5
a4c9be79e6f1e1adeaae66bf94355bf4

SHA1
54ecbb3a3694bf312b535387108563f1568ab063

SHA256
e73524339f7092e9f1adb09c5aebb46a55d437066acf6af8bad18383316555ef

SHA512
0113783689bafad87143b9fd862d9db788ec1841c6b71cf57fad553cd56f1013383819bdd281d26a0a88ac1bf7e12c783630d4afddb964261b6dfc8912b8a567

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\SystemAppData\bPhplrU4gUXvamZJtAOUcBApN7JZ8ecgz6beqzkfY2.exe
Filesize
838KB

MD5
a61af2be8187476e2e6e63d8af77cecf

SHA1
deb91882d3e17912c3b5181f29cfed46fa0598d0

SHA256
b3e4323d5616ea95ceaffb62dbaac28c29d97e13e8d94f5b165c4917c674cdc5

SHA512
4009135d0ec1590c1adf05235168ad1ccfc5207cadd60e62ee5990b1228bc33f21277e8039d593c937d2b5d996d62f047f5624a4212090696dfdf1126b89a5dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\T146JmJjkG1qZnG9HIVFHnt1N8NzLA0KxB53E.exe
Filesize
1.1MB

MD5
86b1e2555f39a3e603d61a4eb5de1ff6

SHA1
ad0221d82ff3f2e292474387cea3a8a58678c8c9

SHA256
820bebe894dcef7d496c53a5e20c9d673fe59fa8070ab7f34729a35693ddc0ce

SHA512
550c5c26cbd9e529f2014c30c4cb8c59a540339a770de538011538c0d32141884bc998528425d892988859a7a9d9f41ba7ca4b633294c4b71e97e84ed1a3c0dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\eiVlOc1lrjtJS6xr91Ro.cmd
Filesize
1.6MB

MD5
1d0873138c225922a388c81681a0ea12

SHA1
99267f0a7373880208a0974b9eb5ba0e3cd60090

SHA256
5c3d44caa476bb7c9ec158912176c890d11f257ee3012506ef56ab2a332e1fe2

SHA512
50e905007fcbadd0daaab7b8b957afb5416c3ba6ba00a1a1a98facdf4abdb4acb4d1dc09255da8664cdc158b842400caf02520f55d672e044f035f6c344f1e8f

Download Submit
C:\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Filesize
876KB

MD5
802f0925d7ce228248374407713bfa35

SHA1
a36518e5478fca8ba2ff5b4ea7363ad97b88f2c1

SHA256
aaf5da5510cb89d87f6711c9d10072bc31b49e470e71bfe9f209f2451d3f1f79

SHA512
fc650a00411053262b87d772ccc2c99a159f2d51cca45fd86119c8ad861ad0bdb17a2bb94d31cc5820e22d717a017a69710e152eb42a293e90418b9a25b7caf8

Download Submit
C:\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Filesize
876KB

MD5
802f0925d7ce228248374407713bfa35

SHA1
a36518e5478fca8ba2ff5b4ea7363ad97b88f2c1

SHA256
aaf5da5510cb89d87f6711c9d10072bc31b49e470e71bfe9f209f2451d3f1f79

SHA512
fc650a00411053262b87d772ccc2c99a159f2d51cca45fd86119c8ad861ad0bdb17a2bb94d31cc5820e22d717a017a69710e152eb42a293e90418b9a25b7caf8

Download Submit
C:\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\Mauj4Rw3xEQPJLawHarnzeY1zz5pTvgtBoRuvEr3d3Nt0FedfzLmgov.exe
Filesize
876KB

MD5
802f0925d7ce228248374407713bfa35

SHA1
a36518e5478fca8ba2ff5b4ea7363ad97b88f2c1

SHA256
aaf5da5510cb89d87f6711c9d10072bc31b49e470e71bfe9f209f2451d3f1f79

SHA512
fc650a00411053262b87d772ccc2c99a159f2d51cca45fd86119c8ad861ad0bdb17a2bb94d31cc5820e22d717a017a69710e152eb42a293e90418b9a25b7caf8

Download Submit
memory/1456-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1456-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3788-147-0x0000000000000000-mapping.dmp

Download
memory/3788-152-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4240-143-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4240-135-0x0000000000000000-mapping.dmp

Download
memory/4240-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4240-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads