e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd

Analysis

max time kernel
190s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Size

859KB
MD5

9f29d49aae32c865aa36a4bea4a48820
SHA1

1e061707d14718d7c2a3e8e109a5398f0afc3a19
SHA256

e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd
SHA512

8ffae3b8e4f19d10973b5a911a23ce5106f0ffcfc4035a045e17d008e79d3146543320efba46660c7eadbfc0f6174fe159f33f7fdf2913d2f70df88273173777
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exeVBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\\TempState\\nREtAGqut8UWp8SoBxmKwo5bgBikXBjvxOVHbRTRheVlf8hMeDwVnH6hN.exe\" O"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\ar-SA\\XX802h4UJ0FmunRw7o9lAgEn7WVjswEA87Z04zmyRT2jL9tSv8K.exe\" O"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\de-LU\\OdianUair1hdxv69L2duaJjaoZT27A6wkfAp2PHEUkUANOObhJLjV.exe\" O"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.CredDialogHost_cw5n1h2txyewy\\AppData\\etWGTjZCf08bYEg.exe\" O"	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd

Executes dropped EXE 1 IoCs

Processes:

VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd

pid process

956 VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd

pid	process
956	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exeLogonUI.exeVBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmdgpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\de-DE\\bljYMBClW0cdITdbMMffnb7.exe\" O"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-19	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "240"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\Acrobat\\DC\\Cache\\ZyjuhBRmyxzv9umQCZzJuuKjsA0EZXRz1Uf5r7DFVbuCzH0.exe\" O"	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\uz-Latn-UZ\\tM5IYDvvQ00dAfJ4ga44bQJOntspPjWbYTtjGnA.exe\" O 2>NUL"	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\\AC\\INetCache\\CevtBfUhIHdbn5.exe\" O"	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000036132433eb00d901	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-20	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d8d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\adm\\it\\oUEWHik5mZ58vy8fmCb17njtYeiw5a.exe\" O 2>NUL"	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\wYerrIUmAJpSepGr9tqUes74kAEuoF90UNZDy4zuFHHy5KyooOB4.exe\" O 2>NUL"	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\\HkTQXgyPaz41FoipCM.exe\" O 2>NUL"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{a3eb0b7d-8046-4816-a7d7-b182a6f9dc20}\\jYXZj4CSWB71nvWfpRFCphii6PpUu25MKMLidkmSXOC.exe\" O"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Key created	\REGISTRY\USER\.DEFAULT	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\yrilf55p.default-release\\startupCache\\hXbL85NZoiP.exe\" O 2>NUL"	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\tg\\2Epeuzua7mWm6RyeZOtCeSDXu2wyE6OSsoo3bwb.exe\" O"	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\AppCache\\MWCSTFooJ5KwaDHymZQaCpakBp5jdYtBkmW.exe\" O 2>NUL"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Families\\mdCRlDQsKoJhvMNWrp7MACk9D3WLMSVfnvPE5kXXgItCM4B0eQguDVAXx0mS.exe\" O 2>NUL"	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\1TQVPNOO\\mauCesoT3Lf3B9wV7kPVS4sAuP6essK4b4TWwxR9rQRL.exe\" O"	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\\AC\\Temp\\MI49omQrIUN89CNL2FWC8nbntAxBOQegROkMyjO7.exe\" O 2>NUL"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe

Modifies registry class 10 IoCs

Processes:

e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\acrocef_low\\zbknBGoQDGSkvU4Pp52LvTlIFZ5sDSb8wt01qvTTx0DxrEYRXkKeHny2J0b81.exe\" O 2>NUL"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Command Processor	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\fhThrt7r630T.exe\" O"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exeVBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd

description	pid	process
Token: SeBackupPrivilege	4296	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Token: SeRestorePrivilege	4296	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Token: SeShutdownPrivilege	4296	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Token: SeDebugPrivilege	956	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Token: SeRestorePrivilege	956	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4608 LogonUI.exe

pid	process
4608	LogonUI.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 312 wrote to memory of 956	312	gpscript.exe	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
PID 312 wrote to memory of 956	312	gpscript.exe	VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd

C:\Users\Admin\AppData\Local\Temp\e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
"C:\Users\Admin\AppData\Local\Temp\e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f4055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4608

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:312

C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
"C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\MzSkaJz6YdqCkBA5yyg6T.exe
Filesize
1.5MB

MD5
d4987dcb3dddb139f2ac2c15015eb8f7

SHA1
bdb36c4463e447903bc6f20448b52a3cc4d612bd

SHA256
c7d324a83c51db8a7669bfb119f224784b9e9af354893f60f8783f713124ec77

SHA512
1e803346c76362397b3d7d49e25a03077467e8f22ff4c875161cac0d6717cc87ead1b53f0edbdb9a5f9cec41b8bc0d742112c6682fbbea25ad1b450b316dbd3b

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Filesize
1.5MB

MD5
78ae651e022d141bf8acf0921dcf4f61

SHA1
28788f2a311e26d6a853212156acf5dbc636fd2e

SHA256
31cae976be857e4f7b3d64c9cc953b4b69e4ce368507d05e28b1cb53c36c36ec

SHA512
cd168fa113b2b2a055761ef167c727f44c748afc4e2f28c62bd90076ce775c32d0891b279a154d0b0c7b2977574c8945058b6ef2783902c359492b51b1ad9159

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\VBGFn923VFWgaKiNtzIayPL21Wr7Zr6UTmf2zear9NEOMJOQ1QJ3uaW7QcopjHKReM.cmd
Filesize
1.5MB

MD5
78ae651e022d141bf8acf0921dcf4f61

SHA1
28788f2a311e26d6a853212156acf5dbc636fd2e

SHA256
31cae976be857e4f7b3d64c9cc953b4b69e4ce368507d05e28b1cb53c36c36ec

SHA512
cd168fa113b2b2a055761ef167c727f44c748afc4e2f28c62bd90076ce775c32d0891b279a154d0b0c7b2977574c8945058b6ef2783902c359492b51b1ad9159

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\rz6AkMZOs2n41zinuxoX7NCXPWTUeuP9cfAmfrjccHo.exe
Filesize
1.4MB

MD5
8b56058cb634a561005cb1e79594e22f

SHA1
7ebf3883195233911e40fec66c6676b1dd29cb1e

SHA256
eb301eaec428435cb038202416b8bebb36cb3caf579f6a89096b5360729e187f

SHA512
9f2115ef8f9133ac46d0a75cd41823738bd9b38b67fb917176919a9f457bb38bfd7a87f77597a561c2cd4c5d9e8cb5bc2879295eaa4f78dfa2e989e4b907f2ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\AppCache\MWCSTFooJ5KwaDHymZQaCpakBp5jdYtBkmW.exe
Filesize
1.5MB

MD5
e10531fbf771dde4565744fc58e24e7d

SHA1
eeab4c54c480eec4e7493ce7cd07b9e36773dbf4

SHA256
971eb4c4635e083a421439594cfcbafd0a5ce9f95ddb9d16e5e3d282c76ac813

SHA512
1726156f73202575bca3e21fe63e2d35ed9eda1527e46a2aae38e0f857d4de9f2682617b1a6d9471b78bcc2ea46fba63368ea8fe5240d981557249699906b87c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-SA\XX802h4UJ0FmunRw7o9lAgEn7WVjswEA87Z04zmyRT2jL9tSv8K.exe
Filesize
915KB

MD5
29cefe06863993920f00b8a061ff298f

SHA1
3b6d64f18915a93bc5b3257d98b662d334e576a2

SHA256
cdc7eedf31b77487d3efef6721811612f059af291d7b0abd0b7ddce2b1d078ed

SHA512
e0030ac3de65a33ebb458c34d01edf45dc2c9f0ed4fae2a33cd1e8dc589903638d644c8e9e1c470681bdf153d1663be535d32357ab8d539396ddb1e3ab70c45c

Download Submit
C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\HkTQXgyPaz41FoipCM.exe
Filesize
1.6MB

MD5
2e8b391c36ba0608eb9139e37b8f74c8

SHA1
51b10d8b3133553560dc17aa82aae4fe1d01cc58

SHA256
05b28ebfc74bae4bbf815494a60a3e62e1f0ea0a30ea980c2e6d9166615bc4aa

SHA512
5a8936a1a08c9bacc7b4e1ed496ef81be251afd9604c97db3041e42885b48c8e1375ff8bdaad197a00bcafc6f48eda0dd0bcf27d49b819f1e102887678696a48

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\AC\INetHistory\Fq379uhIbD1oQeb0UwuLC3P4iGkwBjq4.exe
Filesize
861KB

MD5
e726af1db3006f551e22a2d841b9dda9

SHA1
f91401c29a07ff85053963730babe406a9dc85e0

SHA256
54c9c2a377513a19a7a985f2146363ecbab6dc97ee1cfab5618a12985819111d

SHA512
d916879ec66bb660ad9d24578fc9e1e1f90e4f1cac11c5217cccd53d8fe41349b51a4cbc5bd0b483dfdbdf847508fedabb3713aa817f31c821b561c83e1e642f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\TempState\mrK4mPFq6Xb9PakWeIST0fld6wvxjEyo1rKyzWVMrxo3mlvuw7gi2.exe
Filesize
1.2MB

MD5
e884321d0a8c918fea411b6cc3d850dd

SHA1
84774f80ad3c5915a5be8d057f5fe59b41afd066

SHA256
e28b87dd458a3d257afc0c14c00901f58f75e5cafcd54a79afc1e2ffada81429

SHA512
c4cef7ad5b6feff860f766187438d20e40bb2b2785f1cd44485061efbea4438d445702746dd47e549aa0ac38e6985d5da294162ca0322bfe055d6541e5bb0329

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a3eb0b7d-8046-4816-a7d7-b182a6f9dc20}\jYXZj4CSWB71nvWfpRFCphii6PpUu25MKMLidkmSXOC.exe
Filesize
1.2MB

MD5
7c8a4878659cece907ea7b07a421f25a

SHA1
0dc91c3b1173417a129e474817165ca82da429d2

SHA256
7b1bd37282944b62703181406e21d21766b6c42eed8d24ce127cf69cd76fa45b

SHA512
9644c8089af658ca1ad093547082adc046f2182ba7cd0c564f12c7651ccbcf6eb08784b20915a9c11655e9ddaa89a1847db7bdde79f56116a01fdff41a02647b

Download Submit
memory/956-134-0x0000000000000000-mapping.dmp

Download
memory/956-142-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/956-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4296-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4296-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download