521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81

Analysis

max time kernel
154s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Size

271KB
MD5

e8d3f1d4567b2f01eb55a21b68396219
SHA1

a7189a5028ca89b0d6ddaba49c777a3f39af47ee
SHA256

521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81
SHA512

9bff54120573e779efa2a4d0d6c146ff0becd7e579a9733c01bfa1c0bcb4d5f0e00e4a87efd0f7a5b6ee038c4e21aa19daf0a22a7a214eaaf33e6a4956168b13
SSDEEP

3072:dSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbMtJyVdyw:ssqhJMxzJiU5SeLmNSbMtJU5

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exer9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\\hQ8EyyguF2b7nIfFLrE.exe\" O"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\gl\\CVCEipDxIwa5ov3lcpQa.exe\" O"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Jl7hHlKziJEW10APcr2gtCPf0jWb4xXDLhXY8gx79F3XjgncSxckBrw.exe\" O"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\\pXqq3AbvsaVpnqB0F8s0nuZ7Ah3Ci.exe\" O"	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat

Executes dropped EXE 1 IoCs

Processes:

r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat

pid process

4896 r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat

pid	process
4896	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Drops file in Windows directory 1 IoCs

Processes:

LogonUI.exe

description ioc process

File created C:\Windows\rescache\_merged\2229298842\4066884077.pri LogonUI.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\rescache\_merged\2229298842\4066884077.pri	LogonUI.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exeLogonUI.exer9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.batgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\mYmb4kXJqjf70BfEEZS02jziXUtExSQzwLQArlMXlnBJkd0dzUqupr2NaV0uAwiA6N.exe\" O"	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\arm64\\i3Spbly0yxBMABT3WZYORjDGoI3GatmYYDAD5Cj5UqZb5siVb0wU7.exe\" O"	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vcRuntimeMinimum_amd64\\HSElqWGNYT.exe\" O 2>NUL"	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateRevocation\\FU9nTxFp6ioIInsbsJAk5WxFDUmiG2RN7djbtSLJdZ3fOV68bnZvnZ8Pd8nA2wIGIuLZ.exe\" O"	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\Jy1LIiJjKOvBWD91wod9c3JCymsPd68DJYSAinCfu91bQt6kvH7pmz.exe\" O"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\AppV\\tRXpaOMuFnT3SHsT1W2gk4t7FZtFk4dRxAv51yO91UshuS1kSwTJEcpCaJkaAsNz66W.exe\" O 2>NUL"	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop\\jkYDOTsmiF8TyYnq.exe\" O"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\ar-LB\\RPmNq4cOKJY7hwoIpo7PAEepq5kFtqt4s7qp2g.exe\" O"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\en-JM\\iHNvTz3aOjvpk3rYiD9.exe\" O 2>NUL"	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\tr\\VTehAtvePVAMgriOF3R95bIz5QRngpasWetRWSWPLanRUwmnngKIDsuVEvPQIVhG7m3.exe\" O 2>NUL"	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Parental Controls\\settings\\QQPdd29lZ5mYquof5rYhXYMDJ4C2v3vb4yGU6wSXmTL.exe\" O"	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\49\\xtmwiyUjNJTv3RR7bY1VzcKlPr03NWBCAcm4tWLyRO.exe\" O 2>NUL"	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\LocalCache\\uJV6ZCPism1mDIMyfLO.exe\" O 2>NUL"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-20	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\nI9lBoNoVh.exe\" O 2>NUL"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.CredDialogHost_cw5n1h2txyewy\\TempState\\bLQDasvt1WIKxybjMcSqrDUbp9XEE6kR8.exe\" O"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\LogoImages\\f0rcBfe89OVt9dH47xLUOYn9kV5ouJQZOGb6i7TtnPxvsK09O1IB1U3zpWsDUe.exe\" O 2>NUL"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\280811\\KV61YkW4QQ7MzSz9e45302bSqZAzeSF.exe\" O 2>NUL"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe

Modifies registry class 10 IoCs

Processes:

521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.ECApp_8wekyb3d8bbwe\\SystemAppData\\M6fJSnruLG5MOKEx9PO33QkK9egwJxOhZSuXVkOOYOL3U.exe\" O 2>NUL"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\V4oy8gSECBxRF7bnhn.exe\" O"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exer9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat

description	pid	process
Token: SeBackupPrivilege	4100	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Token: SeRestorePrivilege	4100	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Token: SeShutdownPrivilege	4100	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Token: SeDebugPrivilege	4896	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Token: SeRestorePrivilege	4896	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LogonUI.exe

pid process

3100 LogonUI.exe
3100 LogonUI.exe

pid	process
3100	LogonUI.exe
3100	LogonUI.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 4084 wrote to memory of 4896	4084	gpscript.exe	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
PID 4084 wrote to memory of 4896	4084	gpscript.exe	r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat

C:\Users\Admin\AppData\Local\Temp\521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
"C:\Users\Admin\AppData\Local\Temp\521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c8055 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3100

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
"C:\Users\Admin\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gl\CVCEipDxIwa5ov3lcpQa.exe
Filesize
286KB

MD5
84b7e45de0e94fd4bb2e8fe0a47bfb88

SHA1
c517040efa59f50e5937306bdc3bea06d0291b2a

SHA256
10e75c0960db66a29a3d069ea5f879e83377c91e22e79fc73e848a182d3742d4

SHA512
e44422ab3c15afb9cfcc8c415877427ada6564b545c3fa19544f16dfee555b6e420409508573804f190ed1f0c15d582f6f5c12e53ff553957cddb6b326af206e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\f0rcBfe89OVt9dH47xLUOYn9kV5ouJQZOGb6i7TtnPxvsK09O1IB1U3zpWsDUe.exe
Filesize
379KB

MD5
97a3f65ebd3a57eb49da25e4ae5ba1fa

SHA1
4c19b87ab9c799b46715dc2ded135adc2d76a6d1

SHA256
83aac1c6eba931ee96aff5801c42984412cd41fcefbdfa53756b85104efd2a5f

SHA512
f7f2c8a63f1d622088ae128aa50593d7f77264c42debbdc966d09e80140b4ab09aa231eeeaaf7bd4ae2062e3ded00b402bdba66d19a656058190f3e806e25242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PlayReady\Internet Explorer\Desktop\jkYDOTsmiF8TyYnq.exe
Filesize
534KB

MD5
240c7ed70989b449dda37ec2b9725714

SHA1
671bfe13dfd0c90dba06033d31a63f77d37a5b36

SHA256
a301faba86dbea016087edf4cd0c09ce444c51a8d187f0931710e9fae94bba35

SHA512
47a72811c2f340ad894078a6cebd0e40f943a4ecb51a3526b8f8eaa5354bf0439b1fed0b52e934aab1ea98590fb8cb39ec5a2f9ea3735f199655004d11fdd771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-LB\RPmNq4cOKJY7hwoIpo7PAEepq5kFtqt4s7qp2g.exe
Filesize
502KB

MD5
48b507be68fd5f3feb1779a1be1de7aa

SHA1
a8d8a039314dfec3a61d6b2cc534897919b81339

SHA256
010f7494843d264d29421ebceb875122e59ceaedf1c5f2a4089501727c3e1883

SHA512
ba999dd153583d5d9435231ca3be0292aa5b50b135a3974c2a982671f7aaa809edfb06b58e8bc10cf32f47873a5ca891c42c493f7f6d22f2bb973f489300068e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\TempState\bLQDasvt1WIKxybjMcSqrDUbp9XEE6kR8.exe
Filesize
455KB

MD5
17d7067e7ae9568e2019b64f80e14848

SHA1
13c418c62531eeb9ad50c5f9bbb6fe8cba1dba73

SHA256
3dd9a4d918b6603999de196f5a02ddeebe2975ca75b49817bca2a9c790dfa5aa

SHA512
84d9dc94a3c4c1c2c8899ed1e8da594f61f0bba3eccbd1d845449d08aad0378258d558457a698a10ad34781f349c02ba830b432d5c4c35a0f9b663d54f34c600

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\RoamingState\cLdTlrrJKqs3UIr7HOIhJUZZVX3j6W.exe
Filesize
483KB

MD5
da96d6572595b57748d73976fdb4b8ea

SHA1
b2cbd792fb6cd06b0271b6eea0aa45395891a410

SHA256
130d471753bd530693895e68036f7eef6dd1d445701b1f2780486bcb92f7b573

SHA512
3433e11c59b89b70b499fc4e2b1d87300cc80775af826511b8bd57ffd78e7ee0955ae1522e66d3063439ea9e9c206a0c61ff9969e8e1a019cc8a4b3df3535d92

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280811\KV61YkW4QQ7MzSz9e45302bSqZAzeSF.exe
Filesize
305KB

MD5
9d3a5daea474426aceda26a36d0261e4

SHA1
dc79af65fcdbbbc3cbbb41577c85ad331bd33f92

SHA256
918989eb1480f40ab0a5b7fa7bd8db3ed4c849ea58ba61927142543f8e7ade94

SHA512
4aa2696cb6410ef4c617ddcf79b7d2603f42d7a6ca1527b586effca80f57d28d1c47290cae97f469a9c76b7187011f2b5e8787bb4e7b0b0e9a4a3a4e86de856b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalCache\uJV6ZCPism1mDIMyfLO.exe
Filesize
390KB

MD5
ba505b2eb78818b31af3fcfb643fe4ba

SHA1
22f013de1a3c477e037810acb690d35352dd752b

SHA256
9011ef47507d7d621f81246c1050eb370dc6842918cd4a3cf2e86e20171e6ec8

SHA512
d578e3de03a814d5c06c69c5b6b61f4cbd9d616ae477364ffe669afaa2554145d4e4697461929bb7f075169a1a1774ac5c46c018c3cf1007ac43237feee18a63

Download Submit
C:\Users\Admin\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Filesize
466KB

MD5
2a6b5c24d13307285889cc6f03c8c998

SHA1
0e1e9f2016c69ff01f104b698fea326b5f8627f3

SHA256
a24f9b6f2cef87545c870fa463530ef115dd4f93fa241de1116756f315dd008a

SHA512
5cc0f47dc9c3ed7db364f59d950927d2979fdc1bd3a504254e7a92cd222e560e92d2cf3b6ce52ddf8471ad0e82c5e5491757e9dee73301dd00705ac794c20819

Download Submit
C:\Users\Admin\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\r9A3OEHBj5UI7uc2AEnDTZ4bziTZbrmyXgL8iZWSqTmYxsmbAG5y.bat
Filesize
466KB

MD5
2a6b5c24d13307285889cc6f03c8c998

SHA1
0e1e9f2016c69ff01f104b698fea326b5f8627f3

SHA256
a24f9b6f2cef87545c870fa463530ef115dd4f93fa241de1116756f315dd008a

SHA512
5cc0f47dc9c3ed7db364f59d950927d2979fdc1bd3a504254e7a92cd222e560e92d2cf3b6ce52ddf8471ad0e82c5e5491757e9dee73301dd00705ac794c20819

Download Submit
memory/4100-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4100-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4896-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4896-134-0x0000000000000000-mapping.dmp

Download
memory/4896-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download