26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80

Analysis

max time kernel
205s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Size

1.9MB
MD5

c6511b788cc04d044adfc4c2ccb42851
SHA1

0b130417b6974177879d26b49908ed5891787992
SHA256

26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80
SHA512

64533253f21810a325a9926a59f90bcac79dedaa96ab550306d6cc67baad07ea775de1f532564331115ebb23742aab2bce49ba298b3f10f331a6ba3ca2c4a326
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exeI1qNQWtbrinXd301ISN2EgI8hg.bat

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft OneDrive\\0JFopVLTNy9b5A4MqYz3VyhgTwqUpvlUrbOqSMoI9HBMklxEDhFaJC7dDQzJgRR2CAOeM.exe\" O"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\\Settings\\LdKmtZED4lyHLb6t6a1X4lAjB8vakTkjPqaSCRd.exe\" O"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\\Iqr1on8eCHJ8gh0UpHTqPCYR.exe\" O"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	I1qNQWtbrinXd301ISN2EgI8hg.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\adm\\ru\\OYgKta9GVzaTbFYcHz4.exe\" O"	I1qNQWtbrinXd301ISN2EgI8hg.bat

Executes dropped EXE 1 IoCs

Processes:

I1qNQWtbrinXd301ISN2EgI8hg.bat

pid process

3964 I1qNQWtbrinXd301ISN2EgI8hg.bat

pid	process
3964	I1qNQWtbrinXd301ISN2EgI8hg.bat

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

I1qNQWtbrinXd301ISN2EgI8hg.bat

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	I1qNQWtbrinXd301ISN2EgI8hg.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	I1qNQWtbrinXd301ISN2EgI8hg.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	I1qNQWtbrinXd301ISN2EgI8hg.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	I1qNQWtbrinXd301ISN2EgI8hg.bat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exeLogonUI.exeI1qNQWtbrinXd301ISN2EgI8hg.batgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\vs209UguN4yERv4FgozWOULTIm1kfY4mSwHiNi3rS97p4LApa7ZCF4ZWvue0Fhwg.exe\" O 2>NUL"	I1qNQWtbrinXd301ISN2EgI8hg.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	I1qNQWtbrinXd301ISN2EgI8hg.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.ECApp_8wekyb3d8bbwe\\AC\\INetHistory\\8UNQ8yZR7eSWcnpaWDaL845mCByN1w00E47qJNYKN8kv396zrytvFfJkJ0Gr.exe\" O"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Local Storage\\leveldb\\EqhAwdPXE7mvLIQz.exe\" O 2>NUL"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	I1qNQWtbrinXd301ISN2EgI8hg.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	I1qNQWtbrinXd301ISN2EgI8hg.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Flash Player\\Ja8wmXJuwFo7utOjQTe.exe\" O"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\CLR_v4.0\\3ZxU03f7TeF6FWqsY7IibPVbJFmjUIzqzsQHU4gIy7HhdBvmZlhcqUwa.exe\" O 2>NUL"	I1qNQWtbrinXd301ISN2EgI8hg.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\GrShaderCache\\ecMKacPSOPISQdRDLQKtga8dhrNxrZb.exe\" O"	I1qNQWtbrinXd301ISN2EgI8hg.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e2128baced00d901	I1qNQWtbrinXd301ISN2EgI8hg.bat
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\AC\\AppCache\\RSJZI66J\\3ZofjNUdLLOQt9IowP.exe\" O 2>NUL"	I1qNQWtbrinXd301ISN2EgI8hg.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Or4N7dfM23nOWaLKZPBiJbA46FWQ5NXsX3L02hCTuvDXG77geQsHVxQL4K.exe\" O 2>NUL"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\\AC\\LaP0e8MT0rga3W85Xb94x3DODBBo9kuzTfBw4XjdGf8UCKE9lVj0LOCUepd.exe\" O 2>NUL"	I1qNQWtbrinXd301ISN2EgI8hg.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-20	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState\\PinnedTiles\\7603651830\\SeTRuborizm8UcVxKZ3BfSvQdc2KdsWPmyj5KFKerJq.exe\" O"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\FmlCI6NELX4CyRJwTz6ajqHblb45jhyNfsBDg732qOgbzCKmd2biFl.exe\" O 2>NUL"	I1qNQWtbrinXd301ISN2EgI8hg.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	I1qNQWtbrinXd301ISN2EgI8hg.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\es-ES\\xcHyXWRSG5GQlxEJpekCssr.exe\" O 2>NUL"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Burn\\IKZLsRk67U4HcLPm7IRXv9AMZRiCL1bHVajXogLwatBvdE6KyA8q6kkkUAINMeVOTQ.exe\" O"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Vault\\WZovj7KGm4yQ.exe\" O"	I1qNQWtbrinXd301ISN2EgI8hg.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Videos\\6Zh1ZC1QsbmKSr.exe\" O"	I1qNQWtbrinXd301ISN2EgI8hg.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\oDSDvNQzjj3kNZ9HWHXn3AZsGg95QPu89bxGdjFOuFmjImHSNtkQvIiUvpxExB30xW.exe\" O"	I1qNQWtbrinXd301ISN2EgI8hg.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "240"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309dab0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\9SxBNDQKyFKrqTgq3fLih91gA7tOOPV8oevEljm.exe\" O 2>NUL"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe

Modifies registry class 10 IoCs

Processes:

26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.ECApp_8wekyb3d8bbwe\\AC\\uXtcNxvxm6AZBggoMXvZ1Pspp0bnh.exe\" O"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\af-ZA\\3U2OD06Nih2zLTUiQstSav7Xp0EyL5ybCWmNyFUaGiu9SqSkgbwv.exe\" O 2>NUL"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE\Microsoft\Command Processor	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\SOFTWARE	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exeI1qNQWtbrinXd301ISN2EgI8hg.bat

description	pid	process
Token: SeBackupPrivilege	1344	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Token: SeRestorePrivilege	1344	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Token: SeShutdownPrivilege	1344	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Token: SeDebugPrivilege	3964	I1qNQWtbrinXd301ISN2EgI8hg.bat
Token: SeRestorePrivilege	3964	I1qNQWtbrinXd301ISN2EgI8hg.bat

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

208 LogonUI.exe

pid	process
208	LogonUI.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1824 wrote to memory of 3964	1824	gpscript.exe	I1qNQWtbrinXd301ISN2EgI8hg.bat
PID 1824 wrote to memory of 3964	1824	gpscript.exe	I1qNQWtbrinXd301ISN2EgI8hg.bat

C:\Users\Admin\AppData\Local\Temp\26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
"C:\Users\Admin\AppData\Local\Temp\26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39e7855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:208

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\I1qNQWtbrinXd301ISN2EgI8hg.bat
"C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\I1qNQWtbrinXd301ISN2EgI8hg.bat" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\xcHyXWRSG5GQlxEJpekCssr.exe
Filesize
3.2MB

MD5
0243e5349e33f873e2332fa094a749bc

SHA1
5219883ac95a8c12a6aba3cd2f234fa577406bd4

SHA256
ed339ac20d7569ebadee072d64447c4036036aaf7a53d872e17adb7b87d36986

SHA512
f370256f1c9addccc664bdb65d4ea8945f57825e4dba9b609a73d3311075007f14c14b2c2f873ac95543000c7b430f6cc825e87d98913ae7d64b41e211031e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\EqhAwdPXE7mvLIQz.exe
Filesize
3.4MB

MD5
6fad1fdda35fdfd2e1de0da9ee70b72f

SHA1
dcb32bd8ceab40fe19019831885d8580b2353f9d

SHA256
92d8ad3cd2256376042386cc84c5e6fcd914f8ae24d7848dd00b9f2bac53d5a2

SHA512
c61692c2aab66463407acf08b0160a9c04915c89c38d28fd0b3c70dcfece469a65f0eb5a94053fe897df494102a2a8ded85e77e7d8d5ce5d53cc1fc51e140cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Or4N7dfM23nOWaLKZPBiJbA46FWQ5NXsX3L02hCTuvDXG77geQsHVxQL4K.exe
Filesize
2.3MB

MD5
2a482ef59f73cf0fb776c9aff9002db7

SHA1
8566051204a7b3e4a14100f3bab3d4752574033d

SHA256
3a59142e6040e7753c518c806a5fb516c3742a0eb75740eec895f2dfc693b345

SHA512
a93dab851eaa5783363d06251d0f1a950652a6232cfc934ac7ca728be21d9bd626bd65d3f2d6611c3352f2b2edf51a49f0ab54b47826a46222746865094979f6

Download Submit
C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\LdKmtZED4lyHLb6t6a1X4lAjB8vakTkjPqaSCRd.exe
Filesize
3.1MB

MD5
08c738b52916370161bcd7f2d3460c44

SHA1
72f7b2c16920c55f021b78554602722980b6b9fe

SHA256
cd4db625836fe510e00cd5f93c3efa79523d71269740002f4b8fe8a6baa51e5c

SHA512
8a789d1d984803c6c5c315824ca5fa2427ecba7f58e543c17bc2c87750cf4ae48b61d190f58a4a7050cbed59fe6fe94c3de789d9d22d705000c266cc0e5bcbea

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\AC\INetHistory\8UNQ8yZR7eSWcnpaWDaL845mCByN1w00E47qJNYKN8kv396zrytvFfJkJ0Gr.exe
Filesize
2.9MB

MD5
6f70ea0d6987f03c93dfb3a3f621caaa

SHA1
a077aacd0aae5874950ecbb7ee2f20635708aec1

SHA256
031498fb4a9dc89461f72f7b0743332fb29510456f952ff32f78dd1de5e034bb

SHA512
8057ec57f48472984c59ca0ddb3b4dde42bcb7bcd508e0490e061d13cecb8ae813d67f1fe2d81774f5fa0c85a2fe86c3a77d8cb389c1ae949a65c89934450e35

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\SeTRuborizm8UcVxKZ3BfSvQdc2KdsWPmyj5KFKerJq.exe
Filesize
3.7MB

MD5
819ce3477b50bbcb94f99852ada0dc94

SHA1
45f849a7b15df555b8a1a123e5a7afa31c17228f

SHA256
92eb7f6df4a3c6312e09f12e903f5fbc3f2b589cb66e04c047682ea0d7b27aa6

SHA512
a954d6cca725c5abc38e0b840bef5a405a85f7024d2d2a9038825b3dfe829ea6284aedc22d23d4123a827f9c56daf5a55be44168bab317dc67b8786181e5c062

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\RoamingState\wJcdF2YbJj9PVbmPrcFSrFO3r4fApIpWkHmcKp6y8zC4tILEYfA1NPcGj0PAHR1Qvos.exe
Filesize
2.8MB

MD5
4ff2c8baf90d77c3125a1f0ccbb4a37e

SHA1
206f476cd889082552be051c81eec3848166cffd

SHA256
729bf7aeb3d967cf808de24ca6a5155f75ba4803ae6dc4d53a763399d05cee5e

SHA512
6771753469e78ed3db467b3fcb6893a51a8d433fc6f4b7919543a38861787c87b18359bbb62f320e72b78169f8911b6e984e9474589fe2efdcdbf87dc4cb4150

Download Submit
C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\I1qNQWtbrinXd301ISN2EgI8hg.bat
Filesize
3.6MB

MD5
960bc44e6adb904be4b064b865d3169f

SHA1
e826ff136c4b4b417adfd9c3ca6186e985684dda

SHA256
fb343a630b869fe74ca7059e93ca4ccb3fc4eb9fde6cd6e3712dfd0ba2c71bb1

SHA512
65f61ba7fadcb946a4523c49763fa467ee26341c9f28a6ab34ce9a682a2a80f6abc9765a9104e3d8b8b0bd54132152d921c853d96b8be534996c0137e9447efb

Download Submit
C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\I1qNQWtbrinXd301ISN2EgI8hg.bat
Filesize
3.6MB

MD5
960bc44e6adb904be4b064b865d3169f

SHA1
e826ff136c4b4b417adfd9c3ca6186e985684dda

SHA256
fb343a630b869fe74ca7059e93ca4ccb3fc4eb9fde6cd6e3712dfd0ba2c71bb1

SHA512
65f61ba7fadcb946a4523c49763fa467ee26341c9f28a6ab34ce9a682a2a80f6abc9765a9104e3d8b8b0bd54132152d921c853d96b8be534996c0137e9447efb

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\Ja8wmXJuwFo7utOjQTe.exe
Filesize
2.8MB

MD5
e631c181041821849fcad50dd581a29c

SHA1
da5820f546b86250858804bdb77e14acf891fb30

SHA256
0ee10efbdcf7d89627fc02415edebda52d8fbedc7777960e1c6baca5c09f7dbb

SHA512
635934c17691cdaf3a38d353cfbfdbd55b9adcbf5cb1be201531ba3299e67b68d6e4280a39402607564f7a7803dfaaa9a227d79566a7624f33061d838821b0d0

Download Submit
memory/1344-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1344-134-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1344-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3964-138-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3964-135-0x0000000000000000-mapping.dmp

Download
memory/3964-147-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download