d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df

Analysis

max time kernel
35s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Size

1.6MB
MD5

36f3fda0230ca7a65772c26a6f256350
SHA1

77ae24ac1114cb28424ccfbc7b5744577a9d6dbe
SHA256

d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df
SHA512

47563b9bd36bbc0522abbfc549e6b4b98b8e973bb909118724ea8fb0212ab0691657a7975b3702f16847affcd9f50140d676c0e08ec63e1bf19d9a31f5865142
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

bo4Mhcw2XKvtjnG5rpX.cmd

description pid process target process

PID 1488 created 660 1488 bo4Mhcw2XKvtjnG5rpX.cmd lsass.exe

description	pid	process	target process
PID 1488 created 660	1488	bo4Mhcw2XKvtjnG5rpX.cmd	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exebo4Mhcw2XKvtjnG5rpX.cmd

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\10\\9zs7f74iaUISuENw6XaKD9aWQdBen.exe\" O"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState\\PinnedTiles\\7603651830\\M3nB8Od3qYbiw9IemnsQB57.exe\" O"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\17\\EKc8u2pie8855mZo5Fmyj2WhGGOCHzBuQGzmAOR8ZXOGNtH.exe\" O"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bo4Mhcw2XKvtjnG5rpX.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC\\INetHistory\\FCiuaxNzC23dQmo1ToLIJxYM3YvkKQMgTOwAPSg6r2dkLay7VmXLK.exe\" O"	bo4Mhcw2XKvtjnG5rpX.cmd
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe

Executes dropped EXE 2 IoCs

Processes:

bo4Mhcw2XKvtjnG5rpX.cmdbo4Mhcw2XKvtjnG5rpX.cmd

pid process

1488 bo4Mhcw2XKvtjnG5rpX.cmd
1180 bo4Mhcw2XKvtjnG5rpX.cmd

pid	process
1488	bo4Mhcw2XKvtjnG5rpX.cmd
1180	bo4Mhcw2XKvtjnG5rpX.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bo4Mhcw2XKvtjnG5rpX.cmdbo4Mhcw2XKvtjnG5rpX.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	bo4Mhcw2XKvtjnG5rpX.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	bo4Mhcw2XKvtjnG5rpX.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	bo4Mhcw2XKvtjnG5rpX.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	bo4Mhcw2XKvtjnG5rpX.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	bo4Mhcw2XKvtjnG5rpX.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	bo4Mhcw2XKvtjnG5rpX.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	bo4Mhcw2XKvtjnG5rpX.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	bo4Mhcw2XKvtjnG5rpX.cmd

Drops startup file 2 IoCs

Processes:

bo4Mhcw2XKvtjnG5rpX.cmd

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vaew9tyZTAhd58aO41vQWsm4XAWTTJlO9crfnweS0hkwYxUm.bat	bo4Mhcw2XKvtjnG5rpX.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\rr22SMvOJOybo9i0uzpGZo1eU0Xfi.exe	bo4Mhcw2XKvtjnG5rpX.cmd

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exeLogonUI.exegpscript.exebo4Mhcw2XKvtjnG5rpX.cmd

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\DeviceSync\\xtjetA5qP.exe\" O 2>NUL"	bo4Mhcw2XKvtjnG5rpX.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.Windows.CloudExperienceHost_10.0.19041.1266_neutral_neutral_cw5n1h2txyewy\\Rjs8J3HCjq1s7ugnsRDty7Sq48LIPztYYRQWuvxz115cAPnuEGHEyoAv8s2aBk2KaMr.exe\" O"	bo4Mhcw2XKvtjnG5rpX.cmd
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	bo4Mhcw2XKvtjnG5rpX.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bo4Mhcw2XKvtjnG5rpX.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000b88ec61fe500d901	bo4Mhcw2XKvtjnG5rpX.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Code Cache\\2OGmRJpzOTxTvHZFCtxx8ykXkox.exe\" O 2>NUL"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\88000165\\gH7p8D41or.exe\" O"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-19	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	bo4Mhcw2XKvtjnG5rpX.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	bo4Mhcw2XKvtjnG5rpX.cmd
Key created	\REGISTRY\USER\.DEFAULT	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\SmartScreen\\f20FQdF3PkEmqrI8a1Kx0TF8TUm31nGScnbmCjYPIYAX72fB.exe\" O"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	bo4Mhcw2XKvtjnG5rpX.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\\AC\\INetCache\\KQOZ8WgrBrY417RPQPI9HUvKsXVd0WaPQ6HLgeHQJSnrCFj5SDffpXuA.exe\" O"	bo4Mhcw2XKvtjnG5rpX.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-20	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\Desktop\\DK50cDnopYGPAhzGlumi3WyJxJ20aNdj6.exe\" O"	bo4Mhcw2XKvtjnG5rpX.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\qfcyWuGECvLfuc1RO3PB5LwR9tF7actrUXDg.exe\" O 2>NUL"	bo4Mhcw2XKvtjnG5rpX.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\eu-ES\\9AOrBd5AqtsAG.exe\" O"	bo4Mhcw2XKvtjnG5rpX.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bo4Mhcw2XKvtjnG5rpX.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\Licenses\\5\\pFFOYpiNFm.exe\" O 2>NUL"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\aTOc6bimF4eRJ6HwwVEFxopBwoJa2QLd6OurW8OFc22527Zvzvb9VWqgsvtc35aNNAOP7t8.exe\" O 2>NUL"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\\TempState\\WBMeW1Or6ApqJ8.exe\" O 2>NUL"	bo4Mhcw2XKvtjnG5rpX.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\7w4Wso7sIBZTFFQXJYu7YXygPq5xxiYX6ytbpLvwoNjDptcNCtlmfCf.exe\" O"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Windows.CBSPreview_cw5n1h2txyewy\\AppData\\SLOlMiDqLwT1X5FGgMYakauX36wfZFo58CC.exe\" O"	bo4Mhcw2XKvtjnG5rpX.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe

Modifies registry class 10 IoCs

Processes:

d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Command Processor	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\K6T4zOwAi1Wxcrvl8w3b8DD18AzsFbrZtQ2gYuSYXbtJ77Pl22sUrerDu.exe\" O 2>NUL"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\\Settings\\mNJ5JrOWSywQoaFqyWZGMRm2cUmzggl1Feaj9YhK1sb0AXp.exe\" O"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bo4Mhcw2XKvtjnG5rpX.cmd

pid process

1180 bo4Mhcw2XKvtjnG5rpX.cmd
1180 bo4Mhcw2XKvtjnG5rpX.cmd

pid	process
1180	bo4Mhcw2XKvtjnG5rpX.cmd
1180	bo4Mhcw2XKvtjnG5rpX.cmd

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exebo4Mhcw2XKvtjnG5rpX.cmdbo4Mhcw2XKvtjnG5rpX.cmd

description	pid	process
Token: SeBackupPrivilege	4284	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Token: SeRestorePrivilege	4284	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Token: SeShutdownPrivilege	4284	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Token: SeDebugPrivilege	1488	bo4Mhcw2XKvtjnG5rpX.cmd
Token: SeRestorePrivilege	1488	bo4Mhcw2XKvtjnG5rpX.cmd
Token: SeDebugPrivilege	1180	bo4Mhcw2XKvtjnG5rpX.cmd
Token: SeRestorePrivilege	1180	bo4Mhcw2XKvtjnG5rpX.cmd

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

3588 LogonUI.exe

pid	process
3588	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exebo4Mhcw2XKvtjnG5rpX.cmd

description	pid	process	target process
PID 3980 wrote to memory of 1488	3980	gpscript.exe	bo4Mhcw2XKvtjnG5rpX.cmd
PID 3980 wrote to memory of 1488	3980	gpscript.exe	bo4Mhcw2XKvtjnG5rpX.cmd
PID 1488 wrote to memory of 1180	1488	bo4Mhcw2XKvtjnG5rpX.cmd	bo4Mhcw2XKvtjnG5rpX.cmd
PID 1488 wrote to memory of 1180	1488	bo4Mhcw2XKvtjnG5rpX.cmd	bo4Mhcw2XKvtjnG5rpX.cmd

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

C:\Users\Admin\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\bo4Mhcw2XKvtjnG5rpX.cmd
"C:\Users\Admin\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\bo4Mhcw2XKvtjnG5rpX.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Users\Admin\AppData\Local\Temp\d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
"C:\Users\Admin\AppData\Local\Temp\d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ea855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\bo4Mhcw2XKvtjnG5rpX.cmd
"C:\Users\Admin\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\bo4Mhcw2XKvtjnG5rpX.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\vXbFEDvO8b318RW1Hkdm71THBMMiNcEmM7Qr8rvg4Zkpu.exe
Filesize
3.4MB

MD5
18e463eb9a9aa97ca8d14aae864e392e

SHA1
0d84eaf3da19c024df0868dca739985c874cdb08

SHA256
f8ce5fd7e2bff9198ce6156fa516daf6b3726d2829816f02e5682b3eb6e64066

SHA512
92fe79618bc0c0b6e09c73a46d3c7bb55b859e606002c6d0e3520d47bf85f58de80609179959d3f47ca3a98c9c516bc674e52b109f819fc3eb24e625ff13a35c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\2OGmRJpzOTxTvHZFCtxx8ykXkox.exe
Filesize
2.0MB

MD5
e1c49e71e1fbdcee8972f1870ff05282

SHA1
3c48dac66eef1c59b4a844780e1b318730103cc6

SHA256
69555039163f78f2111c5068a5d41fb16db0e395c0dc86a87d13e7f86fc3ec43

SHA512
cd3d87b34c158c8e50520e0777b480731b269d33c61aa5e99b42feb64345c035e1e50e45075dd9b34dc79c232436ce10698d9f0b660b75509a4570ba9ded80d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ro\QraUb7MjXuOctKQDoA8EooMGziQuS5HgVfQsEvtWovqH0PwZR.exe
Filesize
2.4MB

MD5
e6e6dacac96951a5b23ce216c0faec24

SHA1
58006b809e1f1a1ff1f2a5f49f2b2fec7beb6a53

SHA256
0143727487bae4b316a97ac027148b5a7466ad04a5b4d87ce7a0cfe4c5e8f27f

SHA512
d31da2e087c9e6bb947f2bd1dd86139aaee5a4e52ebc8939896252f61d1f6fe6f774501205a33a22025563b2474de1db66551420ea857029c163330837c2bc8f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\Settings\XEbL30Nhf.exe
Filesize
2.5MB

MD5
e92f415b4cf6e5421e64c5eb79cbf6c9

SHA1
5e105eb238b3c0dd2ed798ce2612e3eb1e63ce7c

SHA256
c07070dcfff68494106ac83182cf48fa2ad8c6fd429d2d5e8c4b8ab7d27f98d7

SHA512
7b03e89d76ba411672da7af13dabe0f4cb28ee42b7f6e5a9df73eb1fdc32da252f4b2c4f10e7c1260742d782c07c9c8a3ab59f9a5a85eb29fb96a578646dfcc6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\VoUKxZd2Amax0YKzaZBeOYRzkW8zYbOVmp3qGO1r6QL2ACsXL1D.exe
Filesize
3.0MB

MD5
d51203063f7885106289821c264bd73a

SHA1
80520898516296c68e8d5ac1fe322c8a0497fb49

SHA256
cab9738aefa145db1e07f76ae78129b53d7a2e9498c1d5295810ffdc7bbbaadd

SHA512
f89851cf6648ea7c3d8b0cf3e5bf1085de7b2bbf7ad42b6dd7ca79ab867b0db7449dbf43d17197aa630ec29e0838a60580c55e18fdaef976077380ffae0bbae7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\M3nB8Od3qYbiw9IemnsQB57.exe
Filesize
2.7MB

MD5
8fd7066818b078a4758bca1a3e58d606

SHA1
5581f9754a9ee5b77a6a0fff662a0551c6d57b25

SHA256
7394323235a198776b1d7a59d38fec103a67c27e368dbc01c24279d2600f2f1c

SHA512
72b7c937133bd88f622aa3d2f6171905e770bb9aa6ad2459a8cfb468080845868873850857482e7d61ff7f7f207709c1ea4833df5018a56bcaf5977fcf1f23a6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\8n51XjL3pDQYIp1OQ.bat
Filesize
4.5MB

MD5
f7bf639c4ad0a87f36fd5b3c75c1bda0

SHA1
61959e3bb2ce5cfd16c9ab9d5dc83eb3dcd33ee0

SHA256
28ea4e78931839db87505d3a5764ec74d634f85f5550f8a677751ddf0695a643

SHA512
d9ab62ae3bcbd983a2a69d05681a625e79b6cd91cc30a1f72e6ca5ae96e9d7c2861cdeda504b6e83f1cf988a5616a5a461099fcac4d335072900714563c5bc13

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000165\gH7p8D41or.exe
Filesize
2.3MB

MD5
4eef0a81b42cbf89cc40a97afb7b07d2

SHA1
9ce2c15b7b7ad157e4238c1a20e461d85d2c58e8

SHA256
3e5b74a934f083cc05f65025287a0d7c4f29cfb1bdbe8220f489f5e91ce2ec1c

SHA512
6aedc06cf89782281021fb189765fc84affb5d0eb527ec17a67a30a9e88759a6f8748d1d06bbf196625ddaebb3feb610c6a0392e0a267ed3077f9ff0832bac11

Download Submit
C:\Users\Admin\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\bo4Mhcw2XKvtjnG5rpX.cmd
Filesize
2.5MB

MD5
cdbd5882d72237f349bc91db3704936b

SHA1
5782a4fcbdb73e0c2a23d68302533b70cd73f72b

SHA256
a3fc3787b09335d697e7cf6639686b4abcb9725647a944bb6296129ca78e07a8

SHA512
81b78dc10c8b67c28def13eeea55eeecc88bc7a94f2a386c3d9ec2c7b82d2e4963ae3e8adb812182107d2e6dcb1f166a682323420ec71aab05433edf8cb74ff1

Download Submit
C:\Users\Admin\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\bo4Mhcw2XKvtjnG5rpX.cmd
Filesize
2.5MB

MD5
cdbd5882d72237f349bc91db3704936b

SHA1
5782a4fcbdb73e0c2a23d68302533b70cd73f72b

SHA256
a3fc3787b09335d697e7cf6639686b4abcb9725647a944bb6296129ca78e07a8

SHA512
81b78dc10c8b67c28def13eeea55eeecc88bc7a94f2a386c3d9ec2c7b82d2e4963ae3e8adb812182107d2e6dcb1f166a682323420ec71aab05433edf8cb74ff1

Download Submit
C:\Users\Admin\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\bo4Mhcw2XKvtjnG5rpX.cmd
Filesize
2.5MB

MD5
cdbd5882d72237f349bc91db3704936b

SHA1
5782a4fcbdb73e0c2a23d68302533b70cd73f72b

SHA256
a3fc3787b09335d697e7cf6639686b4abcb9725647a944bb6296129ca78e07a8

SHA512
81b78dc10c8b67c28def13eeea55eeecc88bc7a94f2a386c3d9ec2c7b82d2e4963ae3e8adb812182107d2e6dcb1f166a682323420ec71aab05433edf8cb74ff1

Download Submit
C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\aTOc6bimF4eRJ6HwwVEFxopBwoJa2QLd6OurW8OFc22527Zvzvb9VWqgsvtc35aNNAOP7t8.exe
Filesize
2.8MB

MD5
bef08c5d5c0a9699e3205642bc9f3aed

SHA1
1f5aa2fc7cdea33b48fdb3ed1a12e2ee7711b8bc

SHA256
ebe3e2372dbf4aaf79ddff8da484f30511f9674868589938df11fa1e7b0adccc

SHA512
d06871f70797d36afcc30f0e526bbe6bc16f5dab953cdb9dea9b18e5bb7adf3e84ae0d3b3c1d65f37313f57a8e84d53104008af6b13a5f9361a5ba00b8df5c3b

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\7w4Wso7sIBZTFFQXJYu7YXygPq5xxiYX6ytbpLvwoNjDptcNCtlmfCf.exe
Filesize
1.8MB

MD5
1faa43b94559aab75728a6255a536b47

SHA1
434dc0de0b551bfb262d2fefb13067d542d6c0d8

SHA256
8d2840398a90baf1305e0ea211a5c33aec0b2d5b77bec10babe2023c5d29e4e5

SHA512
696d0ffb569d01dff1015ff614e214fc0dc1ae50d4091671468ede7a6ce364f0d8b415f12fdcc593425ac0f021a363839931acc3cde8e648e0ebdb26fc63c646

Download Submit
memory/1180-147-0x0000000000000000-mapping.dmp

Download
memory/1180-150-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1488-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1488-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1488-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1488-134-0x0000000000000000-mapping.dmp

Download
memory/4284-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4284-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads