72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc

Analysis

max time kernel
110s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:28

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Size

1.9MB
MD5

f18495573f599858c6c53bd364bebec6
SHA1

6c1ecc079074f39e7691a05db79c15465270d426
SHA256

72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc
SHA512

4f98ad5895306ace1dd1df20bc9f9c5cce7a719eb1aae6972d90b45b326829f168de8096b7d5002f376c1524917b9fc13a736973636a6634c10f38a70c39ecec
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

lk4hNgqHtvT3wbWceINo.exe

description pid process target process

PID 3748 created 672 3748 lk4hNgqHtvT3wbWceINo.exe lsass.exe

description	pid	process	target process
PID 3748 created 672	3748	lk4hNgqHtvT3wbWceINo.exe	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lk4hNgqHtvT3wbWceINo.exe72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lk4hNgqHtvT3wbWceINo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\iVPlg38e.exe\" O"	lk4hNgqHtvT3wbWceINo.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\SX7TPv5xrczUEvwpH71ZFd9cR3us.exe\" O"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Local Storage\\leveldb\\ayAzGAIFh5H1XbSGCFldpqwQA5YiQcBiRd.exe\" O"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\\AppData\\nanW5CcrXArI5edYSPSW7tEsNh7luLFmHpwxsGtxP9A0xaEn80Dy3bZqwzS9UWA.exe\" O"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe

Executes dropped EXE 2 IoCs

Processes:

lk4hNgqHtvT3wbWceINo.exelk4hNgqHtvT3wbWceINo.exe

pid process

3748 lk4hNgqHtvT3wbWceINo.exe
4652 lk4hNgqHtvT3wbWceINo.exe

pid	process
3748	lk4hNgqHtvT3wbWceINo.exe
4652	lk4hNgqHtvT3wbWceINo.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lk4hNgqHtvT3wbWceINo.exelk4hNgqHtvT3wbWceINo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	lk4hNgqHtvT3wbWceINo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	lk4hNgqHtvT3wbWceINo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	lk4hNgqHtvT3wbWceINo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	lk4hNgqHtvT3wbWceINo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	lk4hNgqHtvT3wbWceINo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	lk4hNgqHtvT3wbWceINo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	lk4hNgqHtvT3wbWceINo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	lk4hNgqHtvT3wbWceINo.exe

Drops startup file 2 IoCs

Processes:

lk4hNgqHtvT3wbWceINo.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XUD7caTYmldil9hpmq.cmd	lk4hNgqHtvT3wbWceINo.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RU9vz1vGbTMGAyVduW.exe	lk4hNgqHtvT3wbWceINo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exeLogonUI.exelk4hNgqHtvT3wbWceINo.exegpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\WER\\DPxEOqEWCdOpU48IycuKNazd4ZMeXjIH8XCkCl.exe\" O"	lk4hNgqHtvT3wbWceINo.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	lk4hNgqHtvT3wbWceINo.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\sFR3zBxfUITVgpEGJ98xsLzPohxSPFoKLPFSkijVPmPqsqd2cNliT.exe\" O 2>NUL"	lk4hNgqHtvT3wbWceINo.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\ar\\FAZLNwXM37uPko.exe\" O 2>NUL"	lk4hNgqHtvT3wbWceINo.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000ba984960ec00d901	lk4hNgqHtvT3wbWceINo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lk4hNgqHtvT3wbWceINo.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\CloudStore\\BIRrDkZ1LVH2oyA6beBulVOkemKaGWaxNRfttIjNMojNzlDtrIP9tjaZbwoLL.exe\" O 2>NUL"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\fi-FI\\wfqs0NQu.exe\" O"	lk4hNgqHtvT3wbWceINo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\\packages\\vcRuntimeAdditional_amd64\\SXS8Xo5666wteSSwJ2aolujz91udZws2mWUcs.exe\" O"	lk4hNgqHtvT3wbWceINo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hsperfdata_Admin\\RuWalcnorbONUlrtGktFnLYx9cISmNxaa7d2Tyem.exe\" O 2>NUL"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\NcsiUwpApp_8wekyb3d8bbwe\\AC\\INetCache\\IpbY9Yd0wt59YTDqKdnFhPl5tY3EvksfA48siJxCL7yHBmF09x.exe\" O"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory\\qraE39j5Ov0Zhz6BCY7bGiGiQFKuxW64n6I1nozAt6P8u.exe\" O"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\LogoImages\\xf4yrdqhpH2Gzb84iGUhYBwFHF2b3PzaD0eg8hHbuUyxNGiDmp3CKg3lt4kGIY9is35bMxk.exe\" O"	lk4hNgqHtvT3wbWceINo.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\sr-Cyrl-ME\\28fmBlFdJFLM5OVMFdwyOkgAbTDiCx5nPy.exe\" O 2>NUL"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lk4hNgqHtvT3wbWceINo.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	lk4hNgqHtvT3wbWceINo.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\UxSWFyiAkg6N3GaZtCdbZYbPUGY3cCAlZ0MFcIpVYwRTryLOA6TPtbQOhirfHb5h2UBajn.exe\" O 2>NUL"	lk4hNgqHtvT3wbWceINo.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\\TempState\\ICNkK2XqGQRpwrOEpO4ipAqLqaZoKUUoA8Ztka.exe\" O"	lk4hNgqHtvT3wbWceINo.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{289AF617-1CC3-42A6-926C-E6A863F0E3BA} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000fad84460ec00d901	lk4hNgqHtvT3wbWceINo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	lk4hNgqHtvT3wbWceINo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\adm\\ja\\dMzMPAothEXU1di90CkSx0Im49aAFjwpq8SCiub0a1hJF.exe\" O 2>NUL"	lk4hNgqHtvT3wbWceINo.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FF393560-C2A7-11CF-BFF4-444553540000} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 01000000000000004e253460ec00d901	lk4hNgqHtvT3wbWceINo.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData\\sAEatw2MtcIUWcg20SzqlQsW2HiUzaefWMXFug0D9gLPAb7zVxeGNo5RwdyaXt5Re.exe\" O 2>NUL"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\AC\\AppCache\\hAm6MdIXMKASzeREIMYC6CEEW2sjqLBS0AUplCQupLoVdK5d.exe\" O 2>NUL"	lk4hNgqHtvT3wbWceINo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	lk4hNgqHtvT3wbWceINo.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000016e6c51ec00d901	lk4hNgqHtvT3wbWceINo.exe
Key created	\REGISTRY\USER\.DEFAULT	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe

Modifies registry class 10 IoCs

Processes:

72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\RetailDemo\\OfflineContent\\Microsoft\\Content\\OlRCgSGGJE.exe\" O"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\kwcdKvddCVmHbcrsDaONuTSCfWEl8cfSNoRfiKYTm0X21831lGyRNM2ktZ1r.exe\" O 2>NUL"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

lk4hNgqHtvT3wbWceINo.exe

pid process

4652 lk4hNgqHtvT3wbWceINo.exe
4652 lk4hNgqHtvT3wbWceINo.exe

pid	process
4652	lk4hNgqHtvT3wbWceINo.exe
4652	lk4hNgqHtvT3wbWceINo.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exelk4hNgqHtvT3wbWceINo.exelk4hNgqHtvT3wbWceINo.exe

description	pid	process
Token: SeBackupPrivilege	4324	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Token: SeRestorePrivilege	4324	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Token: SeShutdownPrivilege	4324	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Token: SeDebugPrivilege	3748	lk4hNgqHtvT3wbWceINo.exe
Token: SeRestorePrivilege	3748	lk4hNgqHtvT3wbWceINo.exe
Token: SeDebugPrivilege	4652	lk4hNgqHtvT3wbWceINo.exe
Token: SeRestorePrivilege	4652	lk4hNgqHtvT3wbWceINo.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

404 LogonUI.exe

pid	process
404	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exelk4hNgqHtvT3wbWceINo.exe

description	pid	process	target process
PID 2180 wrote to memory of 3748	2180	gpscript.exe	lk4hNgqHtvT3wbWceINo.exe
PID 2180 wrote to memory of 3748	2180	gpscript.exe	lk4hNgqHtvT3wbWceINo.exe
PID 3748 wrote to memory of 4652	3748	lk4hNgqHtvT3wbWceINo.exe	lk4hNgqHtvT3wbWceINo.exe
PID 3748 wrote to memory of 4652	3748	lk4hNgqHtvT3wbWceINo.exe	lk4hNgqHtvT3wbWceINo.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Users\Admin\AppData\Local\Microsoft\input\es-BO\lk4hNgqHtvT3wbWceINo.exe
"C:\Users\Admin\AppData\Local\Microsoft\input\es-BO\lk4hNgqHtvT3wbWceINo.exe" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Users\Admin\AppData\Local\Temp\72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
"C:\Users\Admin\AppData\Local\Temp\72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ca055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:404

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Microsoft\input\es-BO\lk4hNgqHtvT3wbWceINo.exe
"C:\Users\Admin\AppData\Local\Microsoft\input\es-BO\lk4hNgqHtvT3wbWceINo.exe" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\ayAzGAIFh5H1XbSGCFldpqwQA5YiQcBiRd.exe
Filesize
2.8MB

MD5
e509d220bae52b7c23add40731506134

SHA1
2eb614bd3fd6c7a34eb821ee0dd4eb093bab0141

SHA256
677e96e31e935d98c0c8864b2ca84f7c824ae58870832541e42395d07f283f01

SHA512
c4702c72342890640d473ee79bc7c587ac59da2020d495664744c3457e7a95612cc567e74d51f7ab227b25026a56a49f87185f017d81310bcf122fef65bfba64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\zh-CN\jLf8WxkVeSKxO2rtPTrWQ7xp.bat
Filesize
2.8MB

MD5
a015474722105560b9d7aa47a319c029

SHA1
65b01b973914042326726ed47f2ed6dac3f2ccde

SHA256
a3258b21845caf2f396c7cd4ee485b25a27d5ac8f8e61d873faceadc3ce7c298

SHA512
f384d6251fc4a41ca605b275c33cdbde9da1c679f5ca7a993154dc5501bd555f4e5048e5d8cc0b44840c9cc449642313aca3dd0a8ceec2da0d62ff2d259e8802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\AppCache\F6P53DJB\HoN4864lf.exe
Filesize
2.2MB

MD5
fc633732454bc3e48e17de8f4ac42fcf

SHA1
28aceae1f9af13a3332eef0cfa498e6bf7065b3d

SHA256
6ef6124ff6b3821098d06bf9b0ac93dfac18b87244886987878f2d5032c165ea

SHA512
2b3b237beb94110c4c14d9bc97626024fe29956cc76dd4ba3b6914773e029e67eb8edef7be5f41b673ec4d0a5d7e2242efe6255a452730ed168b4dfc4bc0dc88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\es-BO\lk4hNgqHtvT3wbWceINo.exe
Filesize
2.0MB

MD5
c07d74643a53ca3ba16dc9d4dbcc476e

SHA1
074026ef468fd924277181115126d9926b88cfc0

SHA256
4de120549d087b1fc99ec0ca88d8e83054482103862a2726851e8360b9f68e25

SHA512
2eeefa58f37f4205bab1388eccb71d5c7e651a827f8e4c409599e457dd066bc92091404e3727e9da1683f5298f4dd8193247d694e116013ced1276bb09abc48b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\es-BO\lk4hNgqHtvT3wbWceINo.exe
Filesize
2.0MB

MD5
c07d74643a53ca3ba16dc9d4dbcc476e

SHA1
074026ef468fd924277181115126d9926b88cfc0

SHA256
4de120549d087b1fc99ec0ca88d8e83054482103862a2726851e8360b9f68e25

SHA512
2eeefa58f37f4205bab1388eccb71d5c7e651a827f8e4c409599e457dd066bc92091404e3727e9da1683f5298f4dd8193247d694e116013ced1276bb09abc48b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\es-BO\lk4hNgqHtvT3wbWceINo.exe
Filesize
2.0MB

MD5
c07d74643a53ca3ba16dc9d4dbcc476e

SHA1
074026ef468fd924277181115126d9926b88cfc0

SHA256
4de120549d087b1fc99ec0ca88d8e83054482103862a2726851e8360b9f68e25

SHA512
2eeefa58f37f4205bab1388eccb71d5c7e651a827f8e4c409599e457dd066bc92091404e3727e9da1683f5298f4dd8193247d694e116013ced1276bb09abc48b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\es-PR\HcGtSaFdYtiV.exe
Filesize
2.2MB

MD5
626c56317f2e6c4c8840e4a022ed734e

SHA1
e4b7e7ac78f92197aeadc123b80c783c7388ae31

SHA256
78a617e89dae62a00927b655fe1584003074f8f432db664baf449875fdc7e18c

SHA512
c3d3fa42e30335408fbd7d9e4569901fb13cd25dc4dbdf57e74d6b5db5e7bc82d0c5bd4167f611c8f38ce763277d5658ccaaabcc0af38df2e99ad16a036f674d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\sr-Cyrl-ME\28fmBlFdJFLM5OVMFdwyOkgAbTDiCx5nPy.exe
Filesize
2.4MB

MD5
97da25a9108bf230479cf52edf0efef7

SHA1
411f26b52105553056912bfc9b34f07a26320ad6

SHA256
54e7df042bb75be292c3c53ab4675489249ae9e70aecd5f60208e52b34b63ee3

SHA512
afc108484170eec7f6a203fa97ada190f32945d62d6b08b17a92218ae385c9019ea881e5a0a0c4b21b4685c2e716bc8734f60f16154a5beeba8e257d60213f32

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\93BmKogK5I0VsCijqm2PnF5yg4XeK5CtqTSRL5ufwxbmAGlUFkORs0ZaxNwL5MltrnBujn.bat
Filesize
2.2MB

MD5
eebc297234287d5b899622faf2568e41

SHA1
1be5ba9eb6a81b8e45d8e2725137da3765fdbbbb

SHA256
f38af28eacf5a35c75d421df131f104a586e790fef970e7567933940c093936b

SHA512
be1b66fb2211a097c92d1dc560278fd8db000779ea650fd7c7cbb46204b51d88225605a5554bb9f86c83698aad222061289a665fa96bf77765784dfca83d50c1

Download Submit
C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\INetCache\IpbY9Yd0wt59YTDqKdnFhPl5tY3EvksfA48siJxCL7yHBmF09x.exe
Filesize
3.6MB

MD5
a1eeb8d223ee29bcecbdd30fbd5739a1

SHA1
83d65acb066080cb429c855af898d89c189ef9a9

SHA256
9c9aa570fc4577603578464f00afb952fc7b952da13507c1e9a3231177356283

SHA512
add554c81c091dada53610316a6c346bb06f9c2c90c118835e78f2b5a1b3cecd4a50631adee7cfd95b77c3c0d5d49be90fdeb2ce49494a28c3d4af3c3045f5b7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AppData\sAEatw2MtcIUWcg20SzqlQsW2HiUzaefWMXFug0D9gLPAb7zVxeGNo5RwdyaXt5Re.exe
Filesize
2.7MB

MD5
0053191ff02cc0812be6c7b54891cf3b

SHA1
280ef93c7a0e323c979f968d375608e79aaafcc1

SHA256
c8e74bf049a4db15b58ba5bbc2577451b902944990256e4c066c51476f395efa

SHA512
f1e0a1f536e6372040fe83db6bf308814dcda5c39a3af6ebe0788fde47704ad9bf5f35ccc0f7f518b32c9075a0e72c482c902564fd09f66cd9045643d3a9b90c

Download Submit
C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\AC\INetHistory\qraE39j5Ov0Zhz6BCY7bGiGiQFKuxW64n6I1nozAt6P8u.exe
Filesize
3.4MB

MD5
714fb7fdb63ef2a2d76b54ce8534e217

SHA1
016eab7d6bb66bace5885679d1ad2190ff4cd20f

SHA256
0d30d68caee48f535bd4963b4267d0f6503711b9808723b570214a418ee1d138

SHA512
bfdb84bc17db857173f2734c5c263466d75927f578ea7a950b752c18c7a2c7ffe7cf121e5669f646d366ddcc58febaf120429a71b2a828348d8238e80e497b4a

Download Submit
C:\Users\Default\AppData\Local\Microsoft\Windows\CloudStore\BIRrDkZ1LVH2oyA6beBulVOkemKaGWaxNRfttIjNMojNzlDtrIP9tjaZbwoLL.exe
Filesize
2.7MB

MD5
13ec3a674ce94539844b02f59630afd7

SHA1
10874262bb664ff7ee8627ed378af37367ed34fa

SHA256
4522c62c8af023a50e02d8f02dfd721725f69aebdad024d6146da6e17d1a54fd

SHA512
40a6eb89bca0c98bcb5294ebc2db3fc3d6c46f624b236537d17bc28f1b0f38dbafafbac7c987c7ba4d36e1de15f5862b896ae6bba309171ca178a4d40d13775a

Download Submit
memory/3748-136-0x0000000000000000-mapping.dmp

Download
memory/3748-138-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3748-147-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3748-150-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4324-134-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4324-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4324-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4652-148-0x0000000000000000-mapping.dmp

Download
memory/4652-151-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4652-154-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads