c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67

Analysis

max time kernel
88s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Size

1.1MB
MD5

e8d0d6c10ba86c6a7f3416f892f3bf0e
SHA1

72a90ff66cd7d691e4ac15e203ef5328b1b8cedc
SHA256

c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67
SHA512

6e4918a63c7ada10bba603e1964f4a666cae269cd221cf631430a0139327914da31e37c26603eb8bc8654a68da38e79486b6aeb2864836a142f215e8d7b39629
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat

description pid process target process

PID 5108 created 672 5108 sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat lsass.exe

description	pid	process	target process
PID 5108 created 672	5108	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exesRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Code Cache\\hToK10QlN0TJVQ.exe\" O"	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies\\woYIL3urGbG0ZScDERnx76G7IIf2A2YKGfM3biNCtHZy.exe\" O"	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\\SystemAppData\\6aM23nIWr91Ypmtf5RnhnGlEswqklHbFjMv0GdALiw26HJGqsLc9y3n.exe\" O"	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData\\K3WJoqRVpDWmdjcy2M1Y57zKaaVJ.exe\" O"	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe

Executes dropped EXE 2 IoCs

Processes:

sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.batsRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat

pid process

5108 sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
3648 sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat

pid	process
5108	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
3648	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.batsRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

LogonUI.exec0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exegpscript.exesRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "169"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309dab0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\quz-PE\\K0iEokCi6XQkqWvrRbb.exe\" O"	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\lv-LV\\ZHMCeIdpVhY7ucx5RUUq2eD6Tz9B6OXXZ0LLbKV9.exe\" O 2>NUL"	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\9AbUMl8l2qr01.exe\" O 2>NUL"	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\88000163\\XaLWi9tYuXwwCF3TKJD81psJuv3M8psnDHmnhH188bLcx6pC6Y.exe\" O"	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Key created	\REGISTRY\USER\S-1-5-20	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Key created	\REGISTRY\USER\.DEFAULT	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState\\ovNvPczw3co8HleQjOKPAuiEy756kR04nlTz0l8bIcgXGDH0x.exe\" O"	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\vybwayxr.default-release\\storage\\permanent\\chrome\\idb\\1451318868ntouromlalnodry--epcr.files\\hBV9uSoY3UaNKddPwpCdnQ9vJK6BCKqKhZj8iIhnTU1R3tt0F.exe\" O"	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\xf0A8CYjBlBXDWIsp10glks5sQmgFu3EbBoJ035C5ft7AhK8BsvZEZBHb.exe\" O 2>NUL"	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\TempState\\OQNRUSjz2u8OipectooFniyLGlwLh0crNzw3Ptjq5ZEP6igFAQeJBdSH1uP0o0saKOT4T8.exe\" O 2>NUL"	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-19	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\\AC\\VaEAMe2OFgAtYm9vZl01Bn2FtJljnUPkwxNsWZsPXzoSHuXFmyx0l5gyqgmaJpiy6j4X.exe\" O"	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData\\i6cMaXoxeCJGOo3e67B9oLzEpp5uax.exe\" O"	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\gTnEspwZfIALjaR1QOV64fNHNg.exe\" O"	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\ZP6BPm0fW8TuvGpEK9q1kr14aYn5Wet1XKvvNYyVxKdoyaiho5wYU.exe\" O 2>NUL"	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\HLzUUgxBQWqYcf6sakEilddHmvl00lc7qaiOMpKaiIRreLERh8XyV79rlTBW9lL.exe\" O"	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.CredDialogHost_cw5n1h2txyewy\\AC\\INetCookies\\mXkI7xGn5fOaGlBW8GhrFYHIoCwuNr.exe\" O 2>NUL"	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\AWnXQJ7D3fR1.exe\" O 2>NUL"	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe

Modifies registry class 10 IoCs

Processes:

c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\UEV\\RA0X0i0gK90zlLoo98UEdCuxiV4oaYpk3o4zMydLpHW0pLEaItNaZz.exe\" O 2>NUL"	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\m9SO2vGP0pwXeJ.exe\" O"	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Command Processor	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat

pid process

3648 sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
3648 sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat

pid	process
3648	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
3648	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exesRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.batsRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat

description	pid	process
Token: SeBackupPrivilege	4848	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Token: SeRestorePrivilege	4848	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Token: SeShutdownPrivilege	4848	c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
Token: SeDebugPrivilege	5108	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Token: SeRestorePrivilege	5108	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Token: SeDebugPrivilege	3648	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Token: SeRestorePrivilege	3648	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1748 LogonUI.exe

pid	process
1748	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exesRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat

description	pid	process	target process
PID 1244 wrote to memory of 5108	1244	gpscript.exe	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
PID 1244 wrote to memory of 5108	1244	gpscript.exe	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
PID 5108 wrote to memory of 3648	5108	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
PID 5108 wrote to memory of 3648	5108	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat	sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_66_x64\sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_66_x64\sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Users\Admin\AppData\Local\Temp\c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe
"C:\Users\Admin\AppData\Local\Temp\c0ab076bd790e520cbbfc543bc24c486577021b6cce0f35cf7e9a11a11f46a67.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ea855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_66_x64\sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_66_x64\sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\4uPs3udRFWmMXGBsZYDqFW8OUmCJq3MMrZUvwCib5w9gXV.exe
Filesize
1.3MB

MD5
b7d1cc92eeeecb6e6fef95be43a5c5b9

SHA1
a3670a58802f5c01b7cb750003be43cb8de5ecb3

SHA256
4781e2f421794f83715def3c966879e0314e1cde31a3b16df65d47e1cc55cc78

SHA512
a98d49ed54d9e634bbc027eef61fb2d529ee7122fe985b89a15a164cb16775cc4fdc82f10c30095174f47e215672b58530c2cc6325f3ec10338cd5b042c721df

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\6jpMeNefmoJUdcq03zIyZxPJjQ8UenQCiCXW8YRb0K5MyiT7Ql84cPmWQcDpV.cmd
Filesize
1.3MB

MD5
d4d3804bcb35ad728df3cfcfd12d532d

SHA1
6fdbe219c92e69979ee7b7c2e6da5ff72fdea5f5

SHA256
1cb992c218a01303b0d3f24ed2ad767b93ded6c6f03473d54012fe4bc8cbc9bb

SHA512
2367186e8ea354492af07d521beb9afd123b9f0213280134bf07f10927adbeb400364b7f3342288775ec25f2dc9780de7f6914a97cdf5f95896c180aa705529b

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\txU9JAIRX9lsExWkYX4f3KZ0EHE8.bat
Filesize
1.9MB

MD5
0dc3718c9e68b88ca19495b181e32823

SHA1
54e69e4aa106833ca99558df47418da9905b741c

SHA256
12d207169125c1063f42414dae7b00049383e9d490ef4540d21057449d364a73

SHA512
802ed593f891646bd6255c68e1b3be80fb64004aedfd97ede7c587708dca85735465344269b5716ea5278afca909658bda4ea121097612ee032ea8a99d3bf4a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_66_x64\sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Filesize
1.2MB

MD5
75ef43e4e3f69e01be6e5cf2c684d75d

SHA1
0631d4143ee3a1fd2702ccfd98de182fbd9c7691

SHA256
2c1ce49d1a4cb22f3f1d6a20eb39c9809374b86bf3dc377a8014f385910deda2

SHA512
ff21fa28f6e5a4cbdb98cf733b5e3f13539438e0903933808a12f80c74b6f090442c77b8315c4a6a0331e06668039aafa909c27f028feac80a0f624a704d631e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_66_x64\sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Filesize
1.2MB

MD5
75ef43e4e3f69e01be6e5cf2c684d75d

SHA1
0631d4143ee3a1fd2702ccfd98de182fbd9c7691

SHA256
2c1ce49d1a4cb22f3f1d6a20eb39c9809374b86bf3dc377a8014f385910deda2

SHA512
ff21fa28f6e5a4cbdb98cf733b5e3f13539438e0903933808a12f80c74b6f090442c77b8315c4a6a0331e06668039aafa909c27f028feac80a0f624a704d631e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_66_x64\sRP8012mkpccnkxPXqcFgz0WEwlHqTSYLB5zqBw5I27D.bat
Filesize
1.2MB

MD5
75ef43e4e3f69e01be6e5cf2c684d75d

SHA1
0631d4143ee3a1fd2702ccfd98de182fbd9c7691

SHA256
2c1ce49d1a4cb22f3f1d6a20eb39c9809374b86bf3dc377a8014f385910deda2

SHA512
ff21fa28f6e5a4cbdb98cf733b5e3f13539438e0903933808a12f80c74b6f090442c77b8315c4a6a0331e06668039aafa909c27f028feac80a0f624a704d631e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\xf0A8CYjBlBXDWIsp10glks5sQmgFu3EbBoJ035C5ft7AhK8BsvZEZBHb.exe
Filesize
1.5MB

MD5
bed6a01a070c862966c94ce73429431d

SHA1
14993140e6388031c7cf9b62c04ff730b2bfbcf1

SHA256
bc5a83874aeb8e2fb410f4fef8d19c9976275fc7f73e6d919f7625defaaa4d2f

SHA512
8ee21d57e66859ec021cdce03fbdaef1c79b7645491043ae3679b91294a89dbd0ea9eec2347b4d32aba3e890369bce2be00457b8db200b6f9d7e999b0c8ccdfc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\RoamingState\IlwPaS3rtzmx.exe
Filesize
2.3MB

MD5
6c8ad1bf903b9a36aadc73cf3f047ad4

SHA1
25b9dd0b27e457e1d10422e1c84504c5536be152

SHA256
9af72bf60e842524371700c0604c60f8fbfb15789fcb5654e21241391967c215

SHA512
5796bf844d86cb7aef9e12ae2495af40dc078c11de77b16a64049c280139ab66dd3dee8e69c3fdc1d056c615b1426b1f44830fa73e6797921a456e30e86f53ac

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\SystemAppData\K3WJoqRVpDWmdjcy2M1Y57zKaaVJ.exe
Filesize
1.4MB

MD5
73756ea673214f968d98f00269c6ba70

SHA1
1ce6df83000b4e578ad0540c6202b6bd3c066aa6

SHA256
eaba6a1e218ce5fbb8c0acd9c5e2f758ab48fed723d1ac811d47efadf2835bf7

SHA512
8da73cf8cfafab0d543a46a69f6aa8a662eb985bfe0fb5bfb0b5f582bb6b90139c36201ff3b7a1814b7b90a37be6a378f9e8aeb8cac776d972ecd099ee7290d7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\i6cMaXoxeCJGOo3e67B9oLzEpp5uax.exe
Filesize
1.2MB

MD5
e91d62fa52c9f87fcaaf33f718ba466e

SHA1
db0d5f97e623a12de01cd37a18ab9472172cab20

SHA256
b724e2fbda48327d3508fdb242be5262fd682befdf6c7986c59ffa66045e1679

SHA512
73025fdd83fa2a466c3c3e9169a2f4d539f8a39033ebc0e28ee1f62e077a23d8988f7972bf4db97b023d3185816f845d0fce7f6700443ccf11b07c648c6072d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\OQNRUSjz2u8OipectooFniyLGlwLh0crNzw3Ptjq5ZEP6igFAQeJBdSH1uP0o0saKOT4T8.exe
Filesize
1.5MB

MD5
f12cc531016622ecb100411f70ea9d03

SHA1
9bf887efee9c706a604583691d6343b7bff7df2d

SHA256
e51ef21d0ea1768bdc6dce45917d77a66956a3d05b1c442d9fc5f28094bb2d43

SHA512
b572832b7b14297e36c2d885ab5ce1a0d8e80dfba2d8bd7bc2484b97feaf31cb8c6e33accfa6bd6bc177a79f7477da19fc002f5362ecb8af0636a8bc1261d147

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\VaEAMe2OFgAtYm9vZl01Bn2FtJljnUPkwxNsWZsPXzoSHuXFmyx0l5gyqgmaJpiy6j4X.exe
Filesize
1.3MB

MD5
f6d362d0b48e92b6b3b34504b7a01c26

SHA1
31560e1b2209541ab46676aaba63130ba8a6eda4

SHA256
1a7f998cabff24ccc2674efaf7b80c63c478e1bb930d43e90697f8e9c4e2cfb8

SHA512
d99a3f008d6a17941e2a8faa1c1f5a5d2b2689ba65125157e4edc20ac90367e866b0d90808cda554f9f21568a76df34cff5b918faa78db65b33e719ebbeb1ab8

Download Submit
C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\ZP6BPm0fW8TuvGpEK9q1kr14aYn5Wet1XKvvNYyVxKdoyaiho5wYU.exe
Filesize
2.2MB

MD5
6e576dc67049c4adf60503c1265b6021

SHA1
64519af1066d990db013772697b122854d9896c8

SHA256
8907456298de33d189d62f0305fce5ffb6559b4e05e40b35712debc782c80a4d

SHA512
14e73800c8e9ec150618388b95c14ded593ddc759f8918a9e27055802658f69b55c043c28745bc12bf361a5e690c45b84850ef2de04a4f74f4033cc20bd72961

Download Submit
memory/3648-147-0x0000000000000000-mapping.dmp

Download
memory/3648-150-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4848-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4848-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5108-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5108-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5108-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5108-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads