6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3

Analysis

max time kernel
170s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Size

2.1MB
MD5

fb8c5facc879b47e7450bcc02ab51987
SHA1

4c819f1026b5f4960d87c8906f54a66a0e35a037
SHA256

6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3
SHA512

ec061153ba730e83fd176d22e2dc3d01b4ad32793755ca44a1a5b6e345f6673cf39a44e28c93e710f802ee213cbbad8b11a15f9a769b96262b5073157f69bbeb
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\ewdalbMHqnuZ176aWLvePaU.exe\" O"	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\AppV\\Setup\\0Nf32lDRXGeLW7FFV1r5YjZgMI2cPzD01f1rkVNdjsAdXc.exe\" O"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\Settings\\4Ax5s3VYdSEi26wjaM0QyJNpdroZe8mDHcvGCvD.exe\" O"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\2zxMLLHJAF9M5mDeI76QqkFsuZiQFcl2P.exe\" O"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat

Executes dropped EXE 1 IoCs

Processes:

sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat

pid process

820 sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat

pid	process
820	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

gpscript.exesS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exeLogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d6d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Parental Controls\\settings\\YiWWewb4cmSSBtG5QvnMcHUIP.exe\" O"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\\SystemAppData\\tqVlO5VqXDbAocl4BaSHz0Wo3FApue9r9C8tWEA1hpSeCB5bU9ludRqZAUL6dvwIbxGG.exe\" O 2>NUL"	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\WindowsApps\\Pj5O8mv42dXgUZ.exe\" O 2>NUL"	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\\q8Tvem52Z4KxQf4q7dV9TMMUaZN24QYmvcry9608Kp2HrGlAFkqVawYlC.exe\" O"	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\d1Q7jOQ0onDHNYrTPdnWa7c8q5dbsOkytYys4wfod9jE1DNrab0YcS5V.exe\" O"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\Ue7c8fpK8IxGXrjNoJycpwHXJ7WEXG9WBBtwaLvSeTrhhxEbFU9W0bPwm1edGjJye.exe\" O"	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData\\mUictuFgJAwDJe3luDH2k.exe\" O"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Mozilla\\9fWnu51e.exe\" O 2>NUL"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\X2Ur5DEyUD52PrqRXYqm3L.exe\" O"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f4d90e70eb00d901	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\fr-029\\sT4jgJgW5zeVMo2VHorIv.exe\" O"	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\bvYvP0mH3E00CjpLLvFScs3dodrE4HBzdbcayoDyjUBlk2Cm.exe\" O 2>NUL"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\LocalCache\\aByVxX40P5beTJeTFmYJlWiq1fofIOsrpIlu59oI9SvbwubCu7Z58pvMI.exe\" O 2>NUL"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\eu\\U774TqW9wep.exe\" O 2>NUL"	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\0fx48ci0.default-release\\bookmarkbackups\\EJwFDOqZ4zlaurfsf6BhbXBhhvc3mhHOYXnPrbexILXRWyAw2bXHe9o.exe\" O 2>NUL"	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\adfZego3yGaSbwCp8ZDuX7ps.exe\" O"	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\WNIQ5QQMz4ul5okco7xvt8v0KtkH.exe\" O"	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe

Modifies registry class 10 IoCs

Processes:

6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\RetailDemo\\OfflineContent\\Microsoft\\SUhq9ZPjWMqMInpD.exe\" O 2>NUL"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\3q2IxRTlsm1HZ3zSDcG5XELHWb0er8guIj7eStFRf5qlKxuTjHnx3juCQN9i2DfI.exe\" O"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exesS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat

description	pid	process
Token: SeBackupPrivilege	3940	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Token: SeRestorePrivilege	3940	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Token: SeShutdownPrivilege	3940	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Token: SeDebugPrivilege	820	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Token: SeRestorePrivilege	820	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4756 LogonUI.exe

pid	process
4756	LogonUI.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 4488 wrote to memory of 820	4488	gpscript.exe	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
PID 4488 wrote to memory of 820	4488	gpscript.exe	sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat

C:\Users\Admin\AppData\Local\Temp\6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
"C:\Users\Admin\AppData\Local\Temp\6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ca055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4488

C:\ProgramData\Adobe\Setup\sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
"C:\ProgramData\Adobe\Setup\sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Filesize
3.8MB

MD5
3e5c43be5d6ec5ad2b3f66013607f8e7

SHA1
6617cf7494a9683be3dc2c01ad3901a8a1f239bc

SHA256
978fa1045a9da6e5c46cdd7ea22ea63bfa90c145a168623913588f5131037087

SHA512
3ccdbee202b5b928c78d0f388246c97dcf60f3c9284570165ae61718dcfbfa55886869d788b5c3908a0961e9a5b631cc0dd48179b65c8e870718ad7723020bf7

Download Submit
C:\ProgramData\Adobe\Setup\sS47so4iTEX1zxM263pTRxtJ6pIzfNyvQ8r3o95jF88XeO7WFb0TpZRMsiS7qp6oiys8iSz.bat
Filesize
3.8MB

MD5
3e5c43be5d6ec5ad2b3f66013607f8e7

SHA1
6617cf7494a9683be3dc2c01ad3901a8a1f239bc

SHA256
978fa1045a9da6e5c46cdd7ea22ea63bfa90c145a168623913588f5131037087

SHA512
3ccdbee202b5b928c78d0f388246c97dcf60f3c9284570165ae61718dcfbfa55886869d788b5c3908a0961e9a5b631cc0dd48179b65c8e870718ad7723020bf7

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\d1Q7jOQ0onDHNYrTPdnWa7c8q5dbsOkytYys4wfod9jE1DNrab0YcS5V.exe
Filesize
2.9MB

MD5
18b82887381b76034fde948e0d3565d9

SHA1
ec77072c968e9bce34d94da0d0e874f399d8a9c0

SHA256
22a847ede37a890662263ec56a0156a5947bb6a4c579453aea45b629f8284022

SHA512
bb3fac0846a439d1f721778be925a687c2914edcbdfbd7d102fe38416fa41ce968621be1d309e0237f578a1a8643fafb049da21cf8ff175618ed95b1f30ed95d

Download Submit
C:\ProgramData\Microsoft\IdentityCRL\INT\bvYvP0mH3E00CjpLLvFScs3dodrE4HBzdbcayoDyjUBlk2Cm.exe
Filesize
4.1MB

MD5
c552cbf50c05440e630f3a911fe345dc

SHA1
417a5ce4aec3706a16bbb88c68c492032fc6cb23

SHA256
2c5a8b9bb87f48e8a2d1702e8843f6b20229e9423ac889a83f6d9b0ab3186517

SHA512
9ad81a5907c51b07acdd7a3bef0842c5825262c88153b3e4e08a795a82b0f01e0334af3738797a3b732131b725588c255034e70e915d235c75808831db9da1f6

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\K49opA0H0ocH2HPjBz.exe
Filesize
2.9MB

MD5
622e85dded5335540224f0e376de6f92

SHA1
5020c49c33d8e6b790814a0eda58fc6dd5f9f3ac

SHA256
95052bd5a727d19451faa75518be8b6a29e4d02abce59bc963dc68dc77b7180a

SHA512
4a4da963bc59ed28c4bc834d7b64bf0845d51f87274c6629aca1ed34cd57621313285ca55184a2bf92ff34ee4dd00dbba76767e5568b03a60aa72be6035f5321

Download Submit
C:\ProgramData\Microsoft\Windows\Parental Controls\settings\YiWWewb4cmSSBtG5QvnMcHUIP.exe
Filesize
4.1MB

MD5
9adfe606d3f65f3d412219aedc6777f4

SHA1
587adb4a015e9618a94c4254dbe9553789642458

SHA256
bfeef7703da91eaa5e3a4d48d80a2a2582ae67978d9fe20eca1eea832f228a79

SHA512
facf14e267fc2d76d498e1e03c8a7384d8e31c55f2e608b0254f0dc0a6826e620f486b0495114c9838fc1f29b1f86fff9eac16fd7832d15bb39a293dd3ddce58

Download Submit
C:\Users\Admin\AppData\LocalLow\Mozilla\9fWnu51e.exe
Filesize
2.8MB

MD5
94327be58d23eb01bbd0b974983d210f

SHA1
dd20716fb3a3851a0e927b907e24b38c7cb1bd55

SHA256
05c5a6c0d0567fe56b37e3cfc9bbf744457c3ff963ca31ecc87e561c31679386

SHA512
3ffe3d7d7ce3f5957a5c8a54ffb9c1f08f3edb95d5c13db6537f7a32b5d18db71e33f2969f1d6d4b6afeefdfbe0718c590ddff0d992de1c94086c038cc5cf0e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\KLB3ajmi0HqQUtztcZi59tnZkp9BrOytGeW6gEUYP93cRVFMq.exe
Filesize
4.0MB

MD5
501f27ebb466ca44dbf1dcae8e3d65e9

SHA1
507db9ee2a937956652793e7b72bdb394719874b

SHA256
dfdd2aca00ac06904116ffa3f5348aca5aa0be4fcfe89d048dae8c4a64d68819

SHA512
e462af8e3308b0feeb82866aaa067c1e374cbc3d765cd114cd83763f1e582d12ea21c5dae92891dcc6ede19635204c8144cb10fba39a9ee0de5482deec1cd00a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\Settings\4Ax5s3VYdSEi26wjaM0QyJNpdroZe8mDHcvGCvD.exe
Filesize
3.6MB

MD5
533931fe4fbddfae31adc00dbeee3d0c

SHA1
a1ef8bce4b485c1c11c31e458af3f99446e800f5

SHA256
4559d72d1028fbbd1b0e9893e77736d96fbd1d8212838605339679739f4b4c59

SHA512
ca7009186ef940d114ae982edb810e889ca23cf492d0a2fb96750423ed91bcb43df063e48d231b80f2b03235d107aa1dffd3e0c9272d823ba82849fe5d788fee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\SystemAppData\mUictuFgJAwDJe3luDH2k.exe
Filesize
3.2MB

MD5
8da715f614f1fdeb4642d27fb21a9929

SHA1
961df115355cedab19d247b834b70802aa6d78d5

SHA256
4975e92f382bf33c5fe5ca074f8ad73d54001ac5d680989632cbcb4420c384c9

SHA512
e4424538465de19a51ea9aab76b24b8e2a8082541c5928500850b3c841e07316aa0cf6cc9b9a14c87fecb850a522799c78b1c544f55f3bd20b4cfcf2368c9bc5

Download Submit
memory/820-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/820-138-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/820-134-0x0000000000000000-mapping.dmp

Download
memory/3940-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3940-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download