e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3

Analysis

max time kernel
135s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Size

1.4MB
MD5

657490762b3af18de3c6ac4e75544172
SHA1

5ea5b9e41b3f59f486768b19c8347977384933a9
SHA256

e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3
SHA512

a46cd2da83c1433354e85c28d327e00fbe76845d33720dfd2140d80fdbf8ba09d8cf7f3d3d7cd4acc9671fb013ce164fdf9e35efd9b6af1b104f0b4f8f4c3c23
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd

description pid process target process

PID 4532 created 688 4532 NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd lsass.exe

description	pid	process	target process
PID 4532 created 688	4532	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exeNLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\packages\\vcRuntimeMinimum_x86\\Efvaer6QYzH2szjycGeuGyhMp.exe\" O"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\QGga0W3bMNcNd53KzDwJrIGq3ksQTAHIx9ADZdpjFVMWuUfTIqHA2yDJ1m7w9.exe\" O"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.Windows.AssignedAccessLockApp_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy\\HdBzpIuGOChJ6P5Ll2BpbECy16R7maMaSLantZWQsEJ7LYYUHyg9yeMmMuUPOvS.exe\" O"	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\AC\\INetCache\\KO2OQOXF\\4TczeQgM2ZfT5EPDdqnqTbfQ14rkigPD83EtKpnQYCOKOD5IS9gH84lABWaFB.exe\" O"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe

Executes dropped EXE 2 IoCs

Processes:

NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmdNLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd

pid process

4532 NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
4656 NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd

pid	process
4532	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
4656	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmdNLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmdLogonUI.exegpscript.exee8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\\SystemAppData\\WeVtBszpLkGU80ehjRcMBGGwzj2pletJfY2FjHwWOhA.exe\" O 2>NUL"	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\\AC\\INetHistory\\ot61P3mX7.exe\" O"	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\.DEFAULT	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\\LocalState\\S0dU6FArqGajtZGloktYnucYJWFJ.exe\" O"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\huJsQkS6GBTcBfjm6HlKD9OOGczDXEaXGyemFgspyVfKJq6VQ.exe\" O 2>NUL"	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-19	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\AppData\\ON4imxC2XVgobwBHszv2x.exe\" O"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Credentials\\kviPYukWrwedAFZKAYK4Lbj15qQ1iWHmLLr62kSUZ.exe\" O"	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\NiYn0XtUjClsoOXGf6DLNbYiadxpxZd1GUmINh5NiNxi3cSWkGoomTKgNyz7I2XYEqpCn.exe\" O 2>NUL"	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\id\\xvBxCiYUps0hnSQ3prldp4K3sRHt.exe\" O"	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\ne-NP\\Y7glGjxejF1XCsNY2orT.exe\" O 2>NUL"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-20	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState\\0vEAuX7OkrAKV0IVhQU9Ast.exe\" O 2>NUL"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\0fx48ci0.default-release\\cache2\\TmAIymRqSTc2b8gHf1fLrVwtqI1OKEjDyL7nwDIL6FmzeylrEytoiqZTKPKFCFzIUTd.exe\" O 2>NUL"	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Mozilla\\xzcv4L8I8uNis1PT.exe\" O"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\tfNYlKuMexj7emIDqrgxjETi2xqGeJOfBQoj6fdpYP3WPluf8.exe\" O 2>NUL"	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Code Cache\\js\\UesofW0xbfZJFrfwknEVCFlkA4hUfIsEyKMsBS9yJlm5u5RIEcgYNPWYlkwpqDWKPH8P.exe\" O 2>NUL"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\\Settings\\aWduDPt7v.exe\" O 2>NUL"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe

Modifies registry class 10 IoCs

Processes:

e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\AinfZG8kumXsIFF3G.exe\" O"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\DNTException\\Low\\aJbpQye6VTtTv3ZzLuWX81WGEPrDF34o21z7tS61XBVv8u.exe\" O 2>NUL"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd

pid process

4656 NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
4656 NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd

pid	process
4656	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
4656	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exeNLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmdNLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd

description	pid	process
Token: SeBackupPrivilege	4840	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Token: SeRestorePrivilege	4840	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Token: SeShutdownPrivilege	4840	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Token: SeDebugPrivilege	4532	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Token: SeRestorePrivilege	4532	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Token: SeDebugPrivilege	4656	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Token: SeRestorePrivilege	4656	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4752 LogonUI.exe

pid	process
4752	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exeNLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd

description	pid	process	target process
PID 2468 wrote to memory of 4532	2468	gpscript.exe	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
PID 2468 wrote to memory of 4532	2468	gpscript.exe	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
PID 4532 wrote to memory of 4656	4532	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
PID 4532 wrote to memory of 4656	4532	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd	NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Users\Admin\AppData\Local\Temp\e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
"C:\Users\Admin\AppData\Local\Temp\e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39eb855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4752

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\9VLOkGam3bPKwZfrPK2NjwBNhcy.exe
Filesize
2.8MB

MD5
d5c5500e03d7da1645c8205e6dfcd2d0

SHA1
b27e2bc07339903ba19cfbd1caf3c8d5befb32c2

SHA256
ed147e8f2284ebc73042f9c302058cd9bbaecf98ef03a9f96c990e7ef355150f

SHA512
e79e36673abc5a3dc7667b8a58035888ee1aadd450f8be5e80cf7f2a097744cd12e6e5b5ccbc3f3b202c6706b6045efd55f71315f641b97cc87d1eae5d2ffc71

Download Submit
C:\ProgramData\Mozilla\xzcv4L8I8uNis1PT.exe
Filesize
2.1MB

MD5
b87e6f8bebb622ef41572614ffa3bacc

SHA1
4c9ec15bff1da6586203b59c6ab4a4ba8fbfcc2d

SHA256
ea1d1f448d02a20e3444e3d4a6abedc37f4ad6b3b96749ad3aa81f7e319ca405

SHA512
a80e8f4aab4344de35188d967502ad4e04af6ab7b0339b95eec6506882251d663aceaa0671f7f3132d0516b1578dc6d6b55536a646163168ee21f4879f74f418

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\Efvaer6QYzH2szjycGeuGyhMp.exe
Filesize
2.6MB

MD5
090ae9d0037e78a86e47a1e774a812fb

SHA1
089668eff7e38c2b06114b000c7eec945825cca4

SHA256
97a20b30b3c65405a3aee081a64a4399404129a84136d938af44b29eb92c8a66

SHA512
e9ce6745d5839d780bbfb3833c61e06c8df1c206652af6b2f062d59bae1ce37d14f1b0e57d0d0a28ffe8e234df3c5bccacaa2c6dbff291b7e77b1d314c057e3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\TYaeMxm4IXvFO6lRL5aZUl0EdYYGwCf1zvr9tmnHSLHKhabGhSFXsH0KjtK.exe
Filesize
3.4MB

MD5
b9fa3d1ee333244d1c0ee98910909000

SHA1
12e1d7ef7ceaff99370c2e81df09518b6ec11e35

SHA256
ab03be044aaaec59c750503917c55744e1b3af773f2e98cb1d6026da2c7852a7

SHA512
612a43e98ac4e3569fb2a68596a439b2969ae15629fb45f81536a65b1c8e462dcaa13973fb4dcc5528e3ffb7d209b4c2fea72d5377b91d7a712f1632e3855e82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Filesize
1.7MB

MD5
d905965fd5364917a0d8a9fcb2ee8153

SHA1
d37a3af40a53a0f0d11e7a69b5e959133cf6a578

SHA256
86f55c7af5c46338097eefb12b38cafa1b28722cd9fa95b4f22ab5bfdd8e32a0

SHA512
d2f2230ee35a3c35481df4b7120e7c3e429eb1398b53552bd872edf120fa8c73e3fadc0ec5824f9584a72431416bf24d9248b009ce096fbe67ab1c275f9d2320

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Filesize
1.7MB

MD5
d905965fd5364917a0d8a9fcb2ee8153

SHA1
d37a3af40a53a0f0d11e7a69b5e959133cf6a578

SHA256
86f55c7af5c46338097eefb12b38cafa1b28722cd9fa95b4f22ab5bfdd8e32a0

SHA512
d2f2230ee35a3c35481df4b7120e7c3e429eb1398b53552bd872edf120fa8c73e3fadc0ec5824f9584a72431416bf24d9248b009ce096fbe67ab1c275f9d2320

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\NLZxybaAo00mcLbRPvIyv10BawpGhgGpw1TQ83jzj.cmd
Filesize
1.7MB

MD5
d905965fd5364917a0d8a9fcb2ee8153

SHA1
d37a3af40a53a0f0d11e7a69b5e959133cf6a578

SHA256
86f55c7af5c46338097eefb12b38cafa1b28722cd9fa95b4f22ab5bfdd8e32a0

SHA512
d2f2230ee35a3c35481df4b7120e7c3e429eb1398b53552bd872edf120fa8c73e3fadc0ec5824f9584a72431416bf24d9248b009ce096fbe67ab1c275f9d2320

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ne-NP\Y7glGjxejF1XCsNY2orT.exe
Filesize
1.5MB

MD5
7f3dadd06c5e5930a7fe512711e452c5

SHA1
0c510e8cb0a3e68f7093005161ede34173a9ad7d

SHA256
1aa368da8ced08c665d90599dcfcec3b202eaa52f00a0a7b997be27cc7a68dd5

SHA512
43923a0fb2fff48fc7ebdc014c3d34337279dba1f27983b22e6e2e92e997fab508da8f00c8d6cceaf67829d80c8c812d4bbd00571a44444ae58d2d64b28fece4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\LocalState\S0dU6FArqGajtZGloktYnucYJWFJ.exe
Filesize
2.6MB

MD5
266cd9faca38c4a28f1c64dc72e594b7

SHA1
9ad76d22da5f52e676acbd9d8e59032e1407dcb1

SHA256
bc5a2595bba9b13e8a93324f7cc377b70a77deea7acf0e49934046ff6d34f8b8

SHA512
5c18eb8d17bc4c9dd6d0a5df834a0b5ccf3da964e19aadddac14fe4e83214b830bb7fe7bd9ea2dfdd9dc4b398082f45e0ea37e6e056b3c17a6896a8e052177f5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\310091\IQ4XIi2RxSPvLa3LDLOKgr84NN.cmd
Filesize
2.8MB

MD5
0c200ce60c621bd1662315f1059d2911

SHA1
75fd1b25d77f750b30a9f68a00822437abf040fa

SHA256
02ba5f27b75e5873bd9342f574baf61620ce6d0a0495960a25c8758dbf9fab2f

SHA512
a3f6ea6f01a2dfa8aa8e09a434e5efe06adc9632e7e1ed05891a93c8ed45ba669a2e664d2bf3b78847334f99617c0b5ad19c3db0008540c071af700168d48700

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\ON4imxC2XVgobwBHszv2x.exe
Filesize
1.6MB

MD5
6b80a130eb26a02f0d8fdfa40379dbfe

SHA1
02995226566bfb325bd129a8bd44e165bd0aae7a

SHA256
ef6c17c6eb07f12b689b68d6dbe1b038cda36362a9107443e3eb683d58220fc2

SHA512
b451eca4ac229e82560fda4074917e02ba65f00742f2b790a98ad6ccc219e40b06376c00c538fbf5fca838f23a966c269705c9d949faf7a6a14b01fa18075d1e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalState\0vEAuX7OkrAKV0IVhQU9Ast.exe
Filesize
1.7MB

MD5
fa7d59783b6738651eba4ff3439b251b

SHA1
f49d524047c61413bf5dbdb869fb70c030847219

SHA256
cfe4b2e508cbab23ec7bea79ba553861ae6519f25f21009e7f77454d3dace0c7

SHA512
044774ffa3e7acb923806db6a0d6cf2cb3da206c3439973081466912e9be9f6091b0fb7d2248b5b9078bb786ef4271fafc9a192c8aaa7f1a09960f23f8cecc70

Download Submit
C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\Settings\aWduDPt7v.exe
Filesize
2.6MB

MD5
2094803bfce0243111709c7beb832686

SHA1
1d3bc06fcb800594eb8fa2ffb1f7826ad2922555

SHA256
cbe17946e1c80a2ec6b38f060842b190f1edcd304aebfff54e797dbcb070f528

SHA512
693e23e9ccb9038e8d8caff89bb0cd4c5b8242e8c26a525837c15f2c4be7289a9e597f9d3dd976f461c44a1937169def5088ea7db71f47f5b74832b9dbec6c09

Download Submit
memory/4532-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4532-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4532-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4532-134-0x0000000000000000-mapping.dmp

Download
memory/4656-147-0x0000000000000000-mapping.dmp

Download
memory/4656-152-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4840-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4840-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download