7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29

Analysis

max time kernel
204s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Size

1.3MB
MD5

853888867984a10d241447ffb5b8c27d
SHA1

46638014aba3ae55304fcb29c098500dd8285d51
SHA256

7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29
SHA512

241dc49283514f3980a916a90d80c07d0a3412587164b34aef1c342f54c57627ef0b979c9b73b7e19bc8c97d57c3d9bce6450ab750f1f206d206cad86a4d990d
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd

description pid process target process

PID 1260 created 668 1260 jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd lsass.exe

description	pid	process	target process
PID 1260 created 668	1260	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exejRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\16\\e9gZynNOxsPKGHPCUSM6Ep6YVtRYReNHbZ7ThAS56MvYa7yq6kG4na2U.exe\" O"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\pt-BR\\FUkAAzY3Rs91PzibcWQBsjiECI2VdO9trQaUhnH9e98AOD.exe\" O"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\BackgroundTransferApi\\s4E8iTsPFU1XDMNvS5dUIT8Ti9ev922HVwj4WYVjJ0QZccNVc24rsNIHRb2FQaS1KYCGf2.exe\" O"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\\AC\\Temp\\uabxr4NX4Id95tQKQVxheYFdvYYMV2qfW42.exe\" O"	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd

Executes dropped EXE 2 IoCs

Processes:

jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmdjRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd

pid	process
1260	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
1892	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exeLogonUI.exejRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmdgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\LocalState\\P46UOkwYVPPvsZvdj8eiGI0pBXq70ejtPxuXp6G6XQfKbPM0.exe\" O"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-19	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\aL6lMHwGdCWIleSnTDxQAwO5WafkMUYpDYQz0.exe\" O 2>NUL"	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\es-NI\\XhkFiWNerqhuuwrG2YWwqdqcFbC.exe\" O"	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\InPrivate\\Desktop\\qOK6D8kcQOEcqWGvPrBdXIVmqTp5e4HwhiyunFXl0yltJAJRHBEs6qRqeMaN.exe\" O"	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Pictures\\3cqLfIRNdUxzjkvDWvY1s5MhFf.exe\" O"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\F5rIaFLNHGkKskijtKiinv9TOZoeMprjRHvoeI1p8VoKIsXi8V.exe\" O"	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\AC\\Temp\\21JllgogbNsDZcNzLE97m0cOrW6t2KGmIJiagfqcTFOVdqht.exe\" O 2>NUL"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\sl\\ZVABpao1DxOpr6kxnlCDX0KihompOc9AIwdku5J7EFzZiFLmiNVo.exe\" O"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\AC\\INetHistory\\3CZxoABiUwKxuVFDqvxKz0uzmNM3vE.exe\" O 2>NUL"	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad\\hvEz7CZLPQ9sv5nkkyU9vHIs2KzFytNEXIR3uf275S7lU6yZt6NGlzx.exe\" O 2>NUL"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-20	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\SJrLq1Y8j4MKsb628abZhrg.exe\" O"	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\12\\CbQd1PzZ6cSWkUv2irrwY9bpYC3mfFC2AzC0OKyagBU5wk3mZ6tc1iXFcYeb29t.exe\" O 2>NUL"	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\\l5pMnwGsdBf2VidoFKGlBj3ht1FJlsvbxKR2kLaHfMUjcdz8n8d5PKUz1NrJB6RzX0S.exe\" O 2>NUL"	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\es-GT\\FPrNj9ALWSRZfYCE0YGjdpmW7R0OJXO5tG.exe\" O 2>NUL"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\c0FHbVSzgh8qpDgAciQxYWI7b7w4U52uQOxQOUt9FFi0w0r6mJtw4kVnFoqVE1IX.exe\" O"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Mozilla\\79eJPJMDF1O5Xbken.exe\" O"	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd

Modifies registry class 10 IoCs

Processes:

7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Public\\Music\\yagNp6gPjwM3JgN1yKI9cEq7fjdHwIfHqxcCRhnojqRZjPlmJt.exe\" O 2>NUL"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Crypto\\RSA\\5U3YfBoZeaZ9R0afE62G7ymSV0AwW2u0WRi.exe\" O"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exejRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd

description	pid	process
Token: SeBackupPrivilege	3364	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Token: SeRestorePrivilege	3364	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Token: SeShutdownPrivilege	3364	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Token: SeDebugPrivilege	1260	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Token: SeRestorePrivilege	1260	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1696 LogonUI.exe

pid	process
1696	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exejRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd

description	pid	process	target process
PID 2568 wrote to memory of 1260	2568	gpscript.exe	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
PID 2568 wrote to memory of 1260	2568	gpscript.exe	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
PID 1260 wrote to memory of 1892	1260	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
PID 1260 wrote to memory of 1892	1260	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd	jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\INetCache\UPM8K0XK\jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\INetCache\UPM8K0XK\jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd" 2
2⤵
- Executes dropped EXE
PID:1892

C:\Users\Admin\AppData\Local\Temp\7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
"C:\Users\Admin\AppData\Local\Temp\7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d8855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2568

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\INetCache\UPM8K0XK\jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\INetCache\UPM8K0XK\jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Diagnosis\SoftLandingStage\RAYz2fIRqSPQ4nDaj1W13.exe
Filesize
308KB

MD5
47fc23fa2d3ee7762a50859799732804

SHA1
b322de493c7d01ef388e0da4b81c6faa76f0d91f

SHA256
b6d2ce0477516a8dc4c18eb362714d1039405dd9e459d6616644e1311a83d6eb

SHA512
1e789eb36914f0eca96c4c7fe0e414fa050773aa44223fc2c52c4da6d8231860be0955efb5e19fd79f8935f01d7776a50057d4c5c8c3c5485682f0e2fe838575

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCdm\c0FHbVSzgh8qpDgAciQxYWI7b7w4U52uQOxQOUt9FFi0w0r6mJtw4kVnFoqVE1IX.exe
Filesize
2.0MB

MD5
0f8aa3fd48d8d06ce9d7a8078c2bdbbc

SHA1
7ecb7752a6266b64c012eb8d2c3ee482f01da3ac

SHA256
61f0ff6f81768d8bd4eb37a3ef3c41b9cf256bb875d66cac667be9f3b66f9e12

SHA512
20701e42a9fc14e8671feb81328deb628d80a71bdf764609d1d56b28de1b80d1769b1d367f4580df53a36a27e218e575d6bbf5abb7249ad9a8646966542b5651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\hvEz7CZLPQ9sv5nkkyU9vHIs2KzFytNEXIR3uf275S7lU6yZt6NGlzx.exe
Filesize
1.4MB

MD5
14d8c16c6f37109c8690b7ca281f31c0

SHA1
8c96fccaa0acbd0a4cc78f1f09d2837e9e15f1c9

SHA256
2a79d3319da379402dd93ea6152a3c30df59be69a4d5e091f317ee04e99422d9

SHA512
d23de98458b0a3b811bdcd694a9956e6f6d497a0a80bebe541a05e5ebc18fc32fffff230abfef9393662d864b85d463dd1d17976e01fd53b956c4a71e2a9e20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\eu\4SXDhQt7YuvQst5qawc8vn1ZYTAntqo3V6vdEC37y4WP1pible8B.cmd
Filesize
320KB

MD5
1453bf776158706682de0ad3ccc75c73

SHA1
b3fc7687077b8ea3ee7e0a395c6e5681b264af22

SHA256
c7d55a46050b3d7924e7db9f7bc1075ef7f6daf6fb427e640332717771a8b776

SHA512
058a75c97bf50990910c94eb5968d9dc06e310154926f0dc9cdf3c26a2bc492d0fd53865af1cd148cae4f6f2aa1d33651209a279be76bc93d28e152295c80ddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\es-GT\FPrNj9ALWSRZfYCE0YGjdpmW7R0OJXO5tG.exe
Filesize
1.4MB

MD5
1290c7566d004c0f53a1e67c0ee27052

SHA1
0962c3621f2dac65f85be5db9f89ea268226634e

SHA256
eaebb759fcc9386a3b063940690b2d498c71eed50ee93cd6b3eb8cb29be1e22c

SHA512
61938bd1afd647d51e8738c32e4bb0255652362edcf9c152de657a17bf45a5b83092d6f2c9a9a5eb9805c355a4528da4a9d06932bf119c18e1debd1d5980a507

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\pt-BR\FUkAAzY3Rs91PzibcWQBsjiECI2VdO9trQaUhnH9e98AOD.exe
Filesize
2.4MB

MD5
26eef5c064eae4b23690580f51581e2d

SHA1
73f17d0e63c55c4ccd69de0df6b1350d89756220

SHA256
566142bf75d7b5da620ded1b74a2282a609b2cbe2f38f39f2a2d20edf7120f09

SHA512
12b952eaf48c6346001b49ac2aa011aa3e8b3ea5a86a7899cddf4fc2154992e4ca0996a03cbdd2b3d4f6038fa17f8dc1e94b39147df15230bc72041ac229cd8e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\INetCache\UPM8K0XK\jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Filesize
2.4MB

MD5
145307671e35b688dd0c6c961351c783

SHA1
83d8f67f15f67180a7896cb4e5dfcf79b39f7bdc

SHA256
6f8ed8c9f87b91b43ca6adbf8241fa8f82e4e61ecb95986d501a66a57190b9dc

SHA512
b43d66de302efbb0ad2badabd9cb92e56dc1d1327c487a6ddfb1183f2903f2332538befc680a45a70dbe00624711d0e00613f83343e5e2bfb3b71d3b9c393f0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\INetCache\UPM8K0XK\jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Filesize
2.4MB

MD5
145307671e35b688dd0c6c961351c783

SHA1
83d8f67f15f67180a7896cb4e5dfcf79b39f7bdc

SHA256
6f8ed8c9f87b91b43ca6adbf8241fa8f82e4e61ecb95986d501a66a57190b9dc

SHA512
b43d66de302efbb0ad2badabd9cb92e56dc1d1327c487a6ddfb1183f2903f2332538befc680a45a70dbe00624711d0e00613f83343e5e2bfb3b71d3b9c393f0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\INetCache\UPM8K0XK\jRWlpdbXGo8obWZoMAWezsyl0NkJv1Njs56aooROCpmSoc53q4NFM462bbp2TV2av2NYT9i.cmd
Filesize
2.4MB

MD5
145307671e35b688dd0c6c961351c783

SHA1
83d8f67f15f67180a7896cb4e5dfcf79b39f7bdc

SHA256
6f8ed8c9f87b91b43ca6adbf8241fa8f82e4e61ecb95986d501a66a57190b9dc

SHA512
b43d66de302efbb0ad2badabd9cb92e56dc1d1327c487a6ddfb1183f2903f2332538befc680a45a70dbe00624711d0e00613f83343e5e2bfb3b71d3b9c393f0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\AC\Temp\21JllgogbNsDZcNzLE97m0cOrW6t2KGmIJiagfqcTFOVdqht.exe
Filesize
2.4MB

MD5
10852bcebabd603ca04152547d7cbdd7

SHA1
d68c1e675663c2badb887bb757994963900a33e5

SHA256
28f857544205e29dab331f8e51eed0ec413a17d56a6a373f68bcde2e338d905d

SHA512
b48e55b9c459a8a5ebe833a62729ac80d02599a449d04e349582106e6fc39e2aa3e3f99c5906e9766e8d85df9cbe51ca8c2e5927514fc6e73af79497981450da

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\P46UOkwYVPPvsZvdj8eiGI0pBXq70ejtPxuXp6G6XQfKbPM0.exe
Filesize
1.4MB

MD5
2cd134bc8770114b22e901ec31f8c7cb

SHA1
626a982987eb68bf2b8a64de410f4311d45220c5

SHA256
86d34140e61a97ce0fe92f4396c4676e91ecf611c25b309160ba69318f950176

SHA512
765b16b26e416f8b4ec1b5521dd5c65c23606c2c31c24c68e99666e9162c5af1e894ca152a40839f30d70eadb87659d371b2c048d7f9f313d6dc7a8984dd4565

Download Submit
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\PPTLrjoyMLEzFXDqCbYBLRFePR7P.exe
Filesize
2.0MB

MD5
9fa9a019e30b4019610db2b7f7f2641c

SHA1
302e58000770aea590e284c01b43eeb4590da3e7

SHA256
6ca42da7100644222650e70c599fed18ba573cf7eaf45f295a8abad5a3b772b3

SHA512
d5fbfef7bb029fb093e16d07df6efeadce900fc95c4ca358092752893da2ce5e178a9468f0acb25902356a20d9cc80605c87cd2978f8fad0ac23d21038204974

Download Submit
C:\Users\Public\Pictures\3cqLfIRNdUxzjkvDWvY1s5MhFf.exe
Filesize
1.5MB

MD5
0629c67efb68eba73bec00ce31470a49

SHA1
99f9c782e9a49866dd5c27b3625564fa494e1f29

SHA256
02578939578e0becd1c8bc24cfc44bdb8c38aae25f76cce5d15f3e3b376f1b95

SHA512
e97718d322eae00e6ffd4f1e2ec7d7b56b632ee24189956201dc0f2edc67f56c806994c61997e597192b8d1c49d6ff141f3c00edcb53a6cc4b3f1e5f7a502f2a

Download Submit
memory/1260-140-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1260-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1260-152-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1260-137-0x0000000000000000-mapping.dmp

Download
memory/1892-150-0x0000000000000000-mapping.dmp

Download
memory/3364-135-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3364-136-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download