Analysis
- max time kernel: 168s
- max time network: 195s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 10:15
Static task: static1
Behavioral task: behavioral1
- Sample: ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe
- Resource: win10v2004-20221111-en
General
- Target: ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe
- Size: 512KB
- MD5: b63ca533cfdbbbecfba41c4ab916b4fd
- SHA1: 2ff1cb9bce8f2ee1526ba3ef68a9056ecadb96f5
- SHA256: ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d
- SHA512: 09d53166aefb0e04f87aade925cd12400b733cff28e16fa918dceb08a87a168ece3ae5b9ac39c0a453e7feb0c8e9fa825a7aca449085542de76ea83472d76dbb
- SSDEEP: 3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1
Malware Config
Signatures
-
Adds policy Run key to start application (2 TTPs, 7 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\G0AQGJOdbuPSt36A5f.exe\" O" | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataStore\\2PhqQzkXFAbdMJ18UULrt.exe\" O" | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ErEW2SeiexiLprngu5Of2odgnvFUF.cmd |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\IEDownloadHistory\\GdcOFdetuiTJKnxKyaw69OScrk48sL2ngZqouXoEif7QHwZ0xzDBeYRTCNZe9.exe\" O" | ErEW2SeiexiLprngu5Of2odgnvFUF.cmd |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.5_0\\_locales\\id\\CthqlIxHmp3pjf4fb71uWT77Uhb7Y6aJC3DvTo0UD5NR6Kr.exe\" O" | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
Executes dropped EXE (1 IoCs)

| pid | Process |
|---|---|
| 4268 | ErEW2SeiexiLprngu5Of2odgnvFUF.cmd |
Sets file execution options in registry (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " " | ErEW2SeiexiLprngu5Of2odgnvFUF.cmd |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe | ErEW2SeiexiLprngu5Of2odgnvFUF.cmd |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " " | ErEW2SeiexiLprngu5Of2odgnvFUF.cmd |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe | ErEW2SeiexiLprngu5Of2odgnvFUF.cmd |
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Windows directory (1 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\rescache\_merged\2229298842\3699837181.pri | LogonUI.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class (10 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\31\\IrEdRaOh2Zf5.exe\" O" | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Diagnosis\\wMaHfKtlWk4jBySAZ91Xt2rsOOwa1Ol9Aqh0GN52s2jpSPShOp3sMDXw1.exe\" O 2>NUL" | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Command Processor | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
Suspicious use of AdjustPrivilegeToken (5 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeBackupPrivilege | 4988 | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
| Token: SeRestorePrivilege | 4988 | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
| Token: SeShutdownPrivilege | 4988 | ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe |
| Token: SeDebugPrivilege | 4268 | ErEW2SeiexiLprngu5Of2odgnvFUF.cmd |
| Token: SeRestorePrivilege | 4268 | ErEW2SeiexiLprngu5Of2odgnvFUF.cmd |
Suspicious use of SetWindowsHookEx (2 IoCs)

| pid | Process |
|---|---|
| 3136 | LogonUI.exe |
| 3136 | LogonUI.exe |
Suspicious use of WriteProcessMemory (2 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4832 wrote to memory of 4268 | 4832 | gpscript.exe | 89 |
| PID 4832 wrote to memory of 4268 | 4832 | gpscript.exe | 89 |
Processes
- C:\Users\Admin\AppData\Local\Temp\ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe (PID 4988)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe"
  - Adds policy Run key to start application
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe (PID 3136)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39e9055 /state1:0x41c64e6d
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\gpscript.exe (PID 4832)
  Command line: gpscript.exe /Shutdown
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Word\ErEW2SeiexiLprngu5Of2odgnvFUF.cmd (PID 4268, child of gpscript.exe)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Word\ErEW2SeiexiLprngu5Of2odgnvFUF.cmd" 1
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Sets file execution options in registry
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\ProgramData\Oracle\Java\installcache_x64\7qWzVaxpingJhu2iVH04ZlHl5nEtTMHyQjY2H7HwSprDmENYDHkE8xyVG5eOedtMiy8F.exe
- Filesize: 910KB
- MD5: 638b66e961f7e8c5ea1770b4ab265aea
- SHA1: 62d0e7d54337efb5518e29d36fb5f9404d9fb0a1
- SHA256: b2a98bdfa3a21ebe75a620f61575942278e78fddc895c2ee9844019b384b0fc4
- SHA512: 05cd24db89ae68addbd86baa06d8aef01e39a8a88377252e31e501ec6343cdd666b86c501b7a40d706dc220bf07b34db12ea9b6ba59a3fa497c0d5d3edab3132
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\th\Z9Rjh8ufNvkeAMnboRvVrJS9zJhUDkb74esWWSlKmk8wd5xVu9YyVpzzVYUjx.exe
- Filesize: 693KB
- MD5: 6f5e7e00305083e7bc0f11ae98940e5e
- SHA1: 1e5f7a8878a84adeae56a27e840a8e92933943cd
- SHA256: c301a693165ba45c6c71ccb07166bfa680c584a1ea190969ad1dffd2d51a483e
- SHA512: 52c7ea3846f58455852456cd08e498fa9ed756348473626b039a128018af00349a0402c5961323ae5e5d7b65fa8248b01b237681bcd680e8a9dd234d1cd4f012
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\lv\xi99oGEVR0XNahtuaDpYY8RZtcCNsk7YSOaOkdQZnhRraMkVAAkINFTQGTtwoKVvzoh5Qc6.exe
- Filesize: 933KB
- MD5: 08b058bcff655dea4aff3e705ed4bec7
- SHA1: 0999933d3656f1c9ed357e5cd031c9f98db91230
- SHA256: 558efeb481b74fd81440d98d7768a522502d03c5a4382c93b0379bc0819af9ff
- SHA512: 4fcc223b893fdeffa7d14c8062de05a597332d9967dd12f19590b14e425f524599539c4ea604ea60bb085f0b935005c9bf4e38971868139aeb67c04e7cdf871f
-
- Filesize: 1020KB
- MD5: 29aff335df0aec689a0024911b0f7742
- SHA1: 3b966f6d643a11b7f4673259795e4a1a76b25f83
- SHA256: fb27b01679d30af567d826cf2961f3b3e639c1d5f19fe449055d47574736ca99
- SHA512: ab3c2173049c83765103f7c04d6c4d5b4413b3e30292bbfa7b7e3617af9a06448b8f954e7fc371eb304cd8c4da71378f53c3f64825f225335650febda901c1d3
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\RoamingState\Ek6oaUVRcCjZcFaN21EPMfZYvL.exe
- Filesize: 844KB
- MD5: 586aa8898a562a47787ab4255bf64fc7
- SHA1: 4f0877de187996be3ad4cc4a609e06375d154051
- SHA256: ca62fdcb9ca96147bfded6afbc1b3071f5c4d246a16ba861e2940a38ca2a0cf8
- SHA512: fefa119ad07038b72cbf3d37793df3062826ee1336d064c43f1a7c21b5a9121394f72568ed9be74a3d0e9f4377bfd22bf2ae6db1cfeae175ac8180ea3f8ceb16
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\AC\IwJe1iQ9OFcmvXrZk0mDDIuxtoskrvxP1syugZly9U2hVj6e6jNI8xzzIUqNHLJniNIo8Z.exe
- Filesize: 663KB
- MD5: 7a904ef97680c4a623d2bcbbaf0cfcbf
- SHA1: ec0ec5ef881b816bbe6fc7a2d1e9f8a14999c44c
- SHA256: 535a845429799281a61a2fc143b39e7ba6850becc024ccc96a06d1d0b1685f93
- SHA512: 77786cb376ef7efec58d76416ada4bfa87632da94a395e6c34f9504a8f687fe507f1aa4c6aa5d3ce02fdbbf691df318cbcdb16d3e254e330e50caafaa71fe11e
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\PwYWj5tAeNSJ4Nc2dMLGYQZiZhkYzR.exe
- Filesize: 565KB
- MD5: e6349dc19b346d241acc3e93a9de8c02
- SHA1: c1c12d3616487dbf0acb112b1b35890add7a6b43
- SHA256: 85c93407f993b9da59d004fd41d15989c65bbb88e82a5ac858a695f8d803d291
- SHA512: b0512de16e21a9bc1e0473762043e13bb75fc93bf56e09a17ff607c49c400a55b2157cdea5a2e93d2610af7a1c08c8716034362420a9ebf6b9b044a1ac11a555
-
- Filesize: 600KB
- MD5: a2cac62baab51f2587478e765d7cf213
- SHA1: 3ff81305e5a65a0d87ca6494b37ef77b7d28e3ae
- SHA256: dc54f2e43b518274e39aabad62ce3b95e274802b4b348e4b6fb85d91a51ca076
- SHA512: 2f42959584c415cbd715caa595cb710e5f1dbeec71ffb53177a189a8e25d2df1aa4bc172a4053ad3a017818ccea3be2239ac3e95ced87718aba6a051de8174b0
-
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\G0AQGJOdbuPSt36A5f.exe
- Filesize: 829KB
- MD5: 75290477f02b6c7f8378de076dcad858
- SHA1: 800c49a2a99abe24e6bd5aacfb0b4a45228e22fa
- SHA256: f16c65e67ca8fa5c20c9746f0a7131873d263e05309c457e31f9fb4e88fa6133
- SHA512: 7998fa713a753b38390ff648c654e6af2723da96b2f4e6f6515ad0b9ed9442deba6684ab7c87b1961b6b274fa921af62e47af5d3919cc0f92887d3e631ec555d