bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f

Analysis

max time kernel
154s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Size

513KB
MD5

31681db687988505003bec3f1455e0d9
SHA1

0e6f1e93b18bd1a1e2391b80e44f4548671c23a9
SHA256

bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f
SHA512

bc5e65f1a5542d211a35f60fabdacf46d92dd1b7de27427d3ae8995d3aa86de29c550840965c0f5dc81b358a83adc3cb6105675e2667fefce26e8181f6ddce31
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exeENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\GPUCache\\xo8MNPYaROsfTlQ8TwkvBp7dsNpJOMaQbd1Yl0usfF34aNXt94b8Eeyq.exe\" O"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\OEKT6399EwtdQ110OCVQ8hbJJgVH0G8g6bNYrAwBrqxPq.exe\" O"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\\SystemAppData\\cmAlUWXbDMn3W1cvqVO37i7SNRD4RJ7Twu7M7XE7v3t41PV9.exe\" O"	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\\RoamingState\\5fSNvkCT7vkJH61oRuzDvmd42VRY3REFAM7krvamB.exe\" O"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe

Executes dropped EXE 1 IoCs

Processes:

ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat

pid process

4444 ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat

pid	process
4444	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exeLogonUI.exeENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.batgpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\w1w4ZHAg3Et9hv1hRYlgz5FKNKNhqMjU46oXyjFOwNl07zr3eFZBlkGIZSusMY0DmYj5.exe\" O"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-20	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\\NNxhRjNzGFs6nC1oa6qHF24TBNNObtFkI6e6Ces9XNw8DZFffo.exe\" O"	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Win32WebViewHost_cw5n1h2txyewy\\AC\\INetCache\\1pEz8u7qH77.exe\" O"	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\3aHoABEC5O3.exe\" O"	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Q7IHAZB1mOxNLW3.exe\" O 2>NUL"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.MicrosoftEdgeDevToolsClient_1000.19041.1023.0_neutral_neutral_8wekyb3d8bbwe\\AtPHf6Ql2hv6oFKVg.exe\" O 2>NUL"	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache\\DCjUlTZNrP4RkhLpGGSqjuMHqcOhfFleMBEAwwzpj01t084NOWRQUVEaOTIrr.exe\" O"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList\\H6nRfmN0X3BlSUIwJSoZjgLlkU1DC9nAjzOr85tbrfN9asJHv.exe\" O 2>NUL"	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData\\D4lqRHyLHd7s80fD3j.exe\" O"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\wvpppa2c.Admin\\Hm6sVfs2iFkoghEJ.exe\" O 2>NUL"	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Key created	\REGISTRY\USER\S-1-5-19	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\\packages\\DV2p0fNcCQRhOitNSkSZ5HKucgroxhG0R2NGEyvdEo2NqpktU5rzkS6ycNOdvmnRj.exe\" O"	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\AC\\INetCache\\c9JrsSzaVNOUQPTanKBNaVUjTcreEg3J6GLr5zBjefUc.exe\" O"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\ca-Es-VALENCIA\\yxO0BMnU1ZNhIhV0DIwosS50AUGt8amhqYYNi1okQE4v0EkZe6Vf1JeueKFD4.exe\" O 2>NUL"	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\sd-Arab-PK\\st2OD8dQ8WjV.exe\" O 2>NUL"	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\q7PjGevM6QMWbSLNAbqtfNvLWk.exe\" O"	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\88000165\\3nb0kFrkSGJFNut8y0kpJVVXH3RnTEd.exe\" O 2>NUL"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 01000000000000009def9d9beb00d901	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat

Modifies registry class 10 IoCs

Processes:

bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\EP4vAqkDiVMQ.exe\" O"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\0fx48ci0.default-release\\datareporting\\3z1XTqG53dVaICIQFN7ovqTkhca9GTyWylzlKlGgaQCPvZP8deSZqzukbHz4.exe\" O 2>NUL"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exeENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat

description	pid	process
Token: SeBackupPrivilege	4340	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Token: SeRestorePrivilege	4340	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Token: SeShutdownPrivilege	4340	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Token: SeDebugPrivilege	4444	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Token: SeRestorePrivilege	4444	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

3836 LogonUI.exe

pid	process
3836	LogonUI.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 4496 wrote to memory of 4444	4496	gpscript.exe	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
PID 4496 wrote to memory of 4444	4496	gpscript.exe	ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat

C:\Users\Admin\AppData\Local\Temp\bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
"C:\Users\Admin\AppData\Local\Temp\bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39db055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3836

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4496

C:\Users\Admin\AppData\Local\Microsoft\input\ar-JO\ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
"C:\Users\Admin\AppData\Local\Microsoft\input\ar-JO\ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\LfSvc\NjF35aZpbzBEek8sx9mY2lbtkcilsa8gR2.exe
Filesize
641KB

MD5
5768426753a6f1bd0d917114392946f9

SHA1
0bd1bf00c6d3ea72eb097c18d723d9157e023527

SHA256
daf71d44c64f19d0fe5aabf2678c49839d47350cf6ff6c9fd73f35701bdbd8ab

SHA512
52e0fe9a43c059d25cf9827b97c0d25fdddf89c41d41899f55708a7f3ac39cc7b2fc4ab7c14a965448fbcea64cf80bb0a44c60b9d8f326ccb533c5c14fefc4ed

Download Submit
C:\ProgramData\Microsoft\Windows\RetailDemo\OfflineContent\Microsoft\Content\5ydQNjJvtVMulkuNZ3axPAuhu1ePRmUyUAXDBCHrIeKoBKqGq.exe
Filesize
970KB

MD5
04fc4f10345db7ecac9a5dbf8ab57a0e

SHA1
096c3e90f48de322865ddc658f01535e6ec105ce

SHA256
1162531eb10949b72398d8b101db4f7416eaeda3c6e328f77095a732768f7ff1

SHA512
e3acc1c458c4a65eedbb794814718a86b7a873ed1629370eefb6ae648aa7f2a2e84bb5c3984f01db26ed18a427a3c28a816adcbdc5cbf22a2079e903e762d3ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\xo8MNPYaROsfTlQ8TwkvBp7dsNpJOMaQbd1Yl0usfF34aNXt94b8Eeyq.exe
Filesize
741KB

MD5
68321e0b56fdc8cfe9485cad1d261086

SHA1
66f43245fbace409c7b9d6299f87f0d638e0207f

SHA256
f03e7642d5fcaf0b0ed09a59298adedd17bda4e9be15ac58f7c12ec989501efe

SHA512
25c87985602227740f9e95fab421b4f5bcc00ee3deb2efc1fd795969879d23db779f1cef00eea262df79d7d4fc6785db189f482834bc75ba0ab9319794889773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-JO\ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Filesize
855KB

MD5
506c4fb5d3b6da6fa3271e1396218c12

SHA1
98174c0cfa9f5d2359c37293c86cd4c57bf948a6

SHA256
89e0a6424c053f4a3653adf06f4a222d1cf3b4212a4bf0b798f807dd91a65845

SHA512
63fa3060f9817e34759fa62cbff3d38a23321a8b3c222a4a304acf4007b756e3cf02e3bfb7cda7e0ef066bde4234395faa8ab1a9edf24509a4b9d5063ab77117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-JO\ENqGckLPw9ktcfKSTX1HF8c0nBGLkjR4QV0jKNwrHRawcW7Sn1qwiJJBRQacY.bat
Filesize
855KB

MD5
506c4fb5d3b6da6fa3271e1396218c12

SHA1
98174c0cfa9f5d2359c37293c86cd4c57bf948a6

SHA256
89e0a6424c053f4a3653adf06f4a222d1cf3b4212a4bf0b798f807dd91a65845

SHA512
63fa3060f9817e34759fa62cbff3d38a23321a8b3c222a4a304acf4007b756e3cf02e3bfb7cda7e0ef066bde4234395faa8ab1a9edf24509a4b9d5063ab77117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\en-GB\ehxTZeyqsDKkBuPRGDU4kYrv.exe
Filesize
901KB

MD5
b8c0511f6efafe222f73eb4b5387a35b

SHA1
29a30a1ebdfdf9ad625e2ca422efe565f46fa95b

SHA256
f2aa6849829975828f1b170ae250d83a585c773ff95428cea89efe1ab2b0d9d7

SHA512
1263ada0f638295c674505482ade7cedf48920895be5938cd19a09bddbd4ebc91f255801db1b6e88166e2270b320b519706d495a629ff099e09c20bdfd871bd3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalCache\DCjUlTZNrP4RkhLpGGSqjuMHqcOhfFleMBEAwwzpj01t084NOWRQUVEaOTIrr.exe
Filesize
647KB

MD5
f8a164bd939c5ea7729aae51da80f8a7

SHA1
491eff4183d9b356c77a4623bd7a332be1b5abd7

SHA256
9c8768d6b08a4accc3ee0985dd2d9a45945a2b336647e2196fddb9677382724e

SHA512
ca8c283307fd033a32bf8695fdb6ea4add6a48b29afa63b42207ec55e6968b0fa92e70966ccb1705f7d0630143efe9d0095e6889f4724f73e0a857a7db60a7d5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\AppData\D4lqRHyLHd7s80fD3j.exe
Filesize
1001KB

MD5
a8827d7d47cb7928142dc5019938d412

SHA1
883db28d6b5df6b184542a171877915b213cb0e3

SHA256
47d75344a5aab0519ef36cbaf0b401bfa8738e5ffe14f13f71c90b863b440aca

SHA512
76aa7acb6650d2bca7de4a926668e1533e909c68b95077ba0031bb41504ae6023f85e12207c58cd67576a816c9116b22450ac2e0efedd9ffad79c25d5fda41fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\INetCache\w1w4ZHAg3Et9hv1hRYlgz5FKNKNhqMjU46oXyjFOwNl07zr3eFZBlkGIZSusMY0DmYj5.exe
Filesize
729KB

MD5
ffd802e0efc899a2d96c186651e57903

SHA1
bbf76d5addb1003e2c4984043b13295de65f91de

SHA256
87cc9468e34d7058c20da710439f0e720007e4aaeddc10c45ab03890ef0d8f4e

SHA512
2895c8a9ac759ce6593a4657932843c32e2a62b5f07b16dc4d1894383e19e140588b20d8aef94dcba5d51bb28e242179034a82356bb8c6e6c1f8733e4302281a

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Q7IHAZB1mOxNLW3.exe
Filesize
892KB

MD5
9ad38e65bdaa464a07abc7a1e34c1660

SHA1
87e1e2af31bfe1cd7c052cfa752b767059175b20

SHA256
b559109f7a6b9df87733cddea965443d0f61ecfbc0442626ca4cb1d717cfe650

SHA512
b25f8b291ef89ca998a5a4b2ac9bcb300b5bd191024b06a05823ce72f2f2cc7b37e68057f5082f2ed7f0e69485f2e66c5ae84e702a71a4b25402627f7f2fea30

Download Submit
memory/4340-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4340-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4340-134-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4444-135-0x0000000000000000-mapping.dmp

Download
memory/4444-138-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4444-147-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download