a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59

Analysis

max time kernel
31s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 10:02

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Size

759KB
MD5

d9ea4f8848c1349ce785e76c04f9c603
SHA1

31933f0a34d0bdac3007b0248adfbe16916a9a7d
SHA256

a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59
SHA512

ab257a38c41d4b1e32828ce418b238bbdba2ca969c5f66354a39958751ba2c9d72935a595901c890bcddb109de797042f7279e12b314967edcfd4db463d668ef
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2836 created 676	2836	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat	2

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\bBcP7SmUNe9F1yAZDOlVbFbr1Rj8x5tRAohVArvxZMiyVSqTVjZxTmxutL5c.exe\" O"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\adm\\XY0SCovDC0GraDMrH5KK5.exe\" O"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\53\\1bxFHL6FvK4GnDwNVgViCVKj0xW5UTSqkXJTsQ8r4AglcdFRMlg0ysIBfvaAd1EZ.exe\" O"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\ldycB81QnB.exe\" O"	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat

Executes dropped EXE 2 IoCs

pid	Process
2836	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
3916	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\si-LK\\LlWIDqO2kLgUDouUyGmTgd8dK0Vv2NX1EdY4YQ48.exe\" O"	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\te\\jd0BRVu2x53l4ZHaPy18shhUFP0RcUhxmAJvQXB2WGZwY.exe\" O"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\15\\pZoM4FgDZGIREHBRxYgbkshOzX7tLzMEWm.exe\" O"	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp\\ArlOlAE4YQtjzrCdrsDI.exe\" O"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\OYjMtOu619RUNqZjyuPOiCDhbXa2bTYPGwnTUjqUX3fgOgexBJjbyA5ZqjDCf9v8.exe\" O"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\fzhvJzi00h04HWDuwXq13XhEb1gpN.exe\" O 2>NUL"	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f5667c6be700d901	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\USER\S-1-5-20	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\jWZZ1Kpu15mEjlarB9HkzyQ4FHiPCv.exe\" O"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\Ka7rFx81uU2lMq.exe\" O"	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\hBnDn396xwxe5AowWA5Jd.exe\" O"	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\USER\S-1-5-19	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\\TempState\\A6u6hy75VZvEadJO6jeSWxbj44k0lrMv5knWnUyfd2ojHNM36WDjOvg0V28X3.exe\" O"	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\USER\.DEFAULT	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\Downloads\\MbwmJs5Tta0RgpzncUEKcH7aHoX3Ox.exe\" O 2>NUL"	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC\\INetCookies\\DqTynQ2PmM0wiY5INTJVsfHy1mRD.exe\" O 2>NUL"	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\zuQFxQFdruZgx6Mc7yt9QtnTrXT9CPlpJGNEPP.exe\" O 2>NUL"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\hi\\qVlsuWE3Q4pYW5VZe.exe\" O 2>NUL"	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\AC\\MtpYDgTAK21vX.exe\" O 2>NUL"	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\\LocalCache\\mBx3iSgwxTFZtkMF4rldn.exe\" O 2>NUL"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ycivfgho.default-release\\storage\\default\\moz-extension+++c1c51a97-85be-4681-8297-029d8363d1be^userContextId=4294967295\\idb\\Q0Ck9iIGi4ZzXbCjh3V8W5QBRCEZqcVRSuRQIculZ4IZEMZFPo6.exe\" O 2>NUL"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Reader\\CG5otdtHG3pcACdBe5qwIp0yo9orIk2JTAc5dgMGvGMFx.exe\" O 2>NUL"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState\\PinnedTiles\\26310719480\\A3oFeB7yjO4BApACdVXParzhUsdnmp2c5mSJiIQscMUVOEj6K1DMuBzf8.exe\" O"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Command Processor	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3916	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
3916	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeBackupPrivilege	4996	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Token: SeRestorePrivilege	4996	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Token: SeShutdownPrivilege	4996	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Token: SeDebugPrivilege	2836	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Token: SeRestorePrivilege	2836	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Token: SeDebugPrivilege	3916	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
Token: SeRestorePrivilege	3916	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4800	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 2836	624	gpscript.exe	84
PID 624 wrote to memory of 2836	624	gpscript.exe	84
PID 2836 wrote to memory of 3916	2836	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat	91
PID 2836 wrote to memory of 3916	2836	MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat	91

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\Settings\MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
  "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\Settings\MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat" 2
  2⤵
  - Executes dropped EXE
  - Sets file execution options in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3916

C:\Users\Admin\AppData\Local\Temp\a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
"C:\Users\Admin\AppData\Local\Temp\a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ee855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4800

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\Settings\MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat
  "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\Settings\MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat" 1
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Sets file execution options in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\XY0SCovDC0GraDMrH5KK5.exe

Filesize
1.3MB

MD5
57f1176e1987952d38d889f0cb06c73e

SHA1
25fddf1041824c53bf8fec81961ae7e5d541a1a2

SHA256
62848cf55567204e1a2339ce506ae33e16c5818786e50b1a7d0fa94534afe5a5

SHA512
63ce55fb5d76c8c8b3426db270b2b71ad88ef64b966f12c7a00117f76cdc24337103c8a21588819176c055d3d12926f42a9048066f2be83f6a875af162657efe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nso-ZA\1cG1nadY5fhvvwbkkxkKvj3tDgwyOScIlxUIKC0rCqwOp.exe

Filesize
1.2MB

MD5
6defe5e4e73ba4e26e2a04f1d178c76c

SHA1
84f7c2a785d2b8b7129413c88fc9c09ec325ae0d

SHA256
d94717ecab4ccce0f90e6ad903457c25be7f88274fb59d23a4e1ac483b4006b6

SHA512
553c7723dc95024d153e5e9019d09fa902aacd63271d1cc254fc519b310ff1a966abd13fc8146554a57fe084c5820d63f37d3bd962e20046c40e7bfffbcad6ae

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\jWZZ1Kpu15mEjlarB9HkzyQ4FHiPCv.exe

Filesize
1.1MB

MD5
dcf7ba6c621d31230715086545699ff8

SHA1
f03f5c33be24eaa88693a9869020f27940254468

SHA256
bc37963e0dc4a591bd6dc589a1726decb3b5ad2f58fda88c2e4c196cb1a86d4b

SHA512
65376d79dade430f4caaba9cc314a4949d3bb8cd731e4767342afa76a2bef39aede1eafdca18b5a45ff5f9dd00f89b0b662e7ef86d7e20950786da12ced18b8b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AC\Temp\ArlOlAE4YQtjzrCdrsDI.exe

Filesize
837KB

MD5
ef14310de38340a26bbce841965df1b4

SHA1
17e90c4d3e833c6735d2b20762862f97070a9e61

SHA256
5139c9dca745b7d4fc4a99398d2a89685535e6a757b4ed781f0c5c9443325aaf

SHA512
5ea278faa9d86ad6d9adc9dd3fe5340dd6ffe7a7b07665fc85417cef2e5fed856277535e88c967d684b26277f66a68baedb9cf7a76a1125151f50aef47c4fb61

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe\AC\INetCookies\ugKmEpUHOOjObzGOQC1ney7Cr14ZlR4Ts0o4kFM7J.exe

Filesize
1.7MB

MD5
a07913fdbc48129e6325ef20d9ef9736

SHA1
4a92f239b4ab3c293e00c8d89a859309bee56fed

SHA256
14234b386ae04e5771a8c190c201ba97883a4fcd21be38b62ddaed5cc8f4a229

SHA512
6101f466f54e0139ad847056325e59189e8e4bb100f07acaaedfc96f9f35909c946d8ab1561dcff59ffcba6cd7dc943280f2236aecc28400bafc307cb6af5b7e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\Settings\MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat

Filesize
1.2MB

MD5
928aacce3405b37ecc660359a232327b

SHA1
98f083ce9578dd31df4a236a9140051e324e70d7

SHA256
bb06c19cdee4b8bf7d8fbbae5cb8065d6d7f7ff66213bd376da5368b88a733bb

SHA512
66487f880213e0f44d0627012a1f6c2ffcad0915c2d7cc58aedfa73b59ec234fd5da141628c8c61470e7d502929a403e14b0cbc52a45ef300b5b00d192ddf619

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\Settings\MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat

Filesize
1.2MB

MD5
928aacce3405b37ecc660359a232327b

SHA1
98f083ce9578dd31df4a236a9140051e324e70d7

SHA256
bb06c19cdee4b8bf7d8fbbae5cb8065d6d7f7ff66213bd376da5368b88a733bb

SHA512
66487f880213e0f44d0627012a1f6c2ffcad0915c2d7cc58aedfa73b59ec234fd5da141628c8c61470e7d502929a403e14b0cbc52a45ef300b5b00d192ddf619

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\Settings\MAysTrP3ZmmjKdTdL286yfU4uPlQwXRplZH6HGecuTAGCD1ESynBCtU.bat

Filesize
1.2MB

MD5
928aacce3405b37ecc660359a232327b

SHA1
98f083ce9578dd31df4a236a9140051e324e70d7

SHA256
bb06c19cdee4b8bf7d8fbbae5cb8065d6d7f7ff66213bd376da5368b88a733bb

SHA512
66487f880213e0f44d0627012a1f6c2ffcad0915c2d7cc58aedfa73b59ec234fd5da141628c8c61470e7d502929a403e14b0cbc52a45ef300b5b00d192ddf619

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\tK0ShchgzMJuNsGhAcaBppPgwwqW.exe

Filesize
787KB

MD5
0c115a21a51494f8462e7220f79f2581

SHA1
1667bcabe2c2e201263f0bacb636be7ea90094f6

SHA256
63172549bb2adaf0ee5433ad7be5f87055772a35ea7bcede665dd04c2d5441c1

SHA512
136b62f37efe194891fcf01fd749844f1f0db91e38d7b74b4d7da6de5c7af358a75965c2e4b92390dd612dec6f6f971734f760f1f7cd19655e7535ef766bea42

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalState\1rGo7Rp25X3Pwuih.cmd

Filesize
1.7MB

MD5
d5e5e71bd1ba444cf1a39a79776825f9

SHA1
bdc3a15ba290d7006a022ab9548b82cd202c1146

SHA256
d0fa870776fbaa7d59b2ef59e03ee76569e7b7fbd3b79386aa2f99f4c1455acd

SHA512
140ae66c6c8a1bc8f847881eba9c3a4eb8fff14fffe9d63ae4435241107c0931e1e9b84ddd9150dffedbe1003321558bc75f87e2f3bd6cbc51ba0029e545d92e

Download Submit
C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\LocalCache\mBx3iSgwxTFZtkMF4rldn.exe

Filesize
838KB

MD5
8ff97befcd0978185aa783ec69249326

SHA1
2e9465ae6c8f23ba5c7590f4332fd1f6a97daf56

SHA256
bc8dccf426371f4f7b0760232a88b74c96b906a2b215e42fb7ae05e5929601f8

SHA512
34ea573ad14ceec1aca764a5c804a62b54d8ccfdee685fe781a1efab1e608fd354c37092f4351437adb3a1bdf568745599a234f578931d394bb2de023064aad8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\OYjMtOu619RUNqZjyuPOiCDhbXa2bTYPGwnTUjqUX3fgOgexBJjbyA5ZqjDCf9v8.exe

Filesize
1.2MB

MD5
a4cca4655bc0160b26acd201d7951d26

SHA1
dcf2c0f0d081481e519642dc41f6d120ae872a8f

SHA256
8acbbaad37838c98305d94bd95d9082b095611305b7fbbb46e02f2f02145b86d

SHA512
c4a0135d6558a5514714d44ea0592e9051929683f236fd534ec3b09cded3f4090043792f53d9bfa5ed36e854793afc12aa9b0b2697678f81cd451b0ac5af143b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\storage\default\moz-extension+++c1c51a97-85be-4681-8297-029d8363d1be^userContextId=4294967295\idb\Q0Ck9iIGi4ZzXbCjh3V8W5QBRCEZqcVRSuRQIculZ4IZEMZFPo6.exe

Filesize
1.2MB

MD5
0dde6913e3b465c54439bc4155e2ee4c

SHA1
1c1d29730e9aeeaf9ae6a454e6663b0844be4f5a

SHA256
7877cb01d0b10a8e9af438e9b5b8495f8955f312b1f1f81bf2331fe50929c37e

SHA512
2f3e7abf33fbd6095ab95658ada525e10b34b6d5b0d283f74a57e1cec0ee042568de9f718b097f4247753d1fdc14f6853facb5428b6138e93185e8a022bb09ea

Download Submit
memory/2836-139-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2836-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2836-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3916-152-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4996-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4996-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads