99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d

Analysis

max time kernel
166s
max time network
29s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Size

560KB
MD5

9c040fff2ebbd6e4125be6df9df0423a
SHA1

e08f6aa7c92ba39784de7822cfdb15987a47853a
SHA256

99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d
SHA512

139cb384da5cd4500fb243429ecfd59f9bb7d4ba085ce6dc104774a0a7fe519c0d6b167ef109947a0b5963c61ef505ac1c136e8a736b77a2eb4ac8e4e86586f0
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6qbW62HJg5sC2GT5.cmd99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6qbW62HJg5sC2GT5.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\YB33FE3E\\gzcDx7jO5erJr1leu0W5zJe.exe\" O"	6qbW62HJg5sC2GT5.cmd
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\XwwnmqMJfa6QoASFPvrpbLN2Nc9c52rnvXr69IT7uFRnoSckTfgslfW5u6H1tSsD7aqHMu.exe\" O"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Mozilla\\wKYvsburcsj1l6NRju7j4zz6OpBxb3cS6fnWFhkrHeIBzn9qOc9Z.exe\" O"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Mozilla\\updates\\3KlNnA1MRKsOsQlOqvz.exe\" O"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe

Executes dropped EXE 1 IoCs

Processes:

6qbW62HJg5sC2GT5.cmd

pid process

1984 6qbW62HJg5sC2GT5.cmd

pid	process
1984	6qbW62HJg5sC2GT5.cmd

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6qbW62HJg5sC2GT5.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	6qbW62HJg5sC2GT5.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	6qbW62HJg5sC2GT5.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	6qbW62HJg5sC2GT5.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	6qbW62HJg5sC2GT5.cmd

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1476 gpscript.exe
1476 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1476	gpscript.exe
1476	gpscript.exe

Modifies data under HKEY_USERS 56 IoCs

Processes:

99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe6qbW62HJg5sC2GT5.cmdgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\Favorites\\Links\\l2ryhCZjmjd6yfiPqUTLck0CEV.exe\" O 2>NUL"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6qbW62HJg5sC2GT5.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateRevocation\\iIUzKGM9ogsLi1K7HV3hcUTOkO7OwAESmkZiN0bAz2hNL2ZXe72B3PNR.exe\" O"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6qbW62HJg5sC2GT5.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	6qbW62HJg5sC2GT5.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\fLz6Lat87FpskU8uoUxG0sYtaefHwrYWsAtAFT5ykHUQSauf0kWt2fa6C9UDloiNXhu.exe\" O"	6qbW62HJg5sC2GT5.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	6qbW62HJg5sC2GT5.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\ahHUfUjtBRPXmOoFvesan3JSVuel2ji1ScPnCuavlXH5yWkyrr0eH1ovXiosqZyT.exe\" O 2>NUL"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\MtnVKnaSdWko8b4eQZMtK8b9pDAdhbticS9ev5cNujN87bbr51QGMurQXr8jVbxC4b.exe\" O"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\eFHgTqUxGGbavFx6kyFdzDk2GGnyoYKmk.exe\" O"	6qbW62HJg5sC2GT5.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\packages\\vcRuntimeMinimum_x86\\UZ7DAodVOSNAz7i7IdEyqgt8TcnqY9dDSNEnwCcDoyDismCmOpHF2RSm3.exe\" O 2>NUL"	6qbW62HJg5sC2GT5.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	6qbW62HJg5sC2GT5.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-19	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ae6vytmk.default-release\\storage\\default\\qICAKhnfC6R4S3O23KWkBOX8LWUhPxHpkmsS8eFqZgxEAhkkMNvrDX.exe\" O 2>NUL"	6qbW62HJg5sC2GT5.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6qbW62HJg5sC2GT5.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Adobe\\Acrobat\\9.0\\Replicate\\asTpEpHLTRDl25qJjIv2vXHdC5rlSja6awMoylRWcTShPUbnRw7WNFqfb5A6wzRx6JToBo.exe\" O"	6qbW62HJg5sC2GT5.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\lAge2oL2k1z5f7cNcKIET04i0bKKOWfwhbauwfsgIrVPUQrDwKYzwiPH.exe\" O 2>NUL"	6qbW62HJg5sC2GT5.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ae6vytmk.default-release\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\aeglQMT3tiGj5xDU8tULGyn4YamxV9XwG2kDzPFiOQxYhB8WwxRrHda9FU7PUr.exe\" O"	6qbW62HJg5sC2GT5.cmd
Key created	\REGISTRY\USER\S-1-5-20	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\\1eFrVyn4141iZfy.exe\" O"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\\MjbdspypJit2LIySGGTiipmIXlh82f6FoJLXI3dJmRk7hiENLuEW.exe\" O 2>NUL"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\28\\wERxdaquhJOHaVXdxkDM6uF8qJOv6ktaLNfIQmZpLVIiRDrWY.exe\" O"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	6qbW62HJg5sC2GT5.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Media Player\\OCQBY3cH1cMn44K3GJsywejJKX4iCjJWhgXQcEbnqPXeDlt2Okh0XxzBS6WPrQFr7C.exe\" O 2>NUL"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000080865607e800d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\FFvhgEsJzdUlqK2mPJSLBgIoez2VzjfbPYgQjgYXDRG7UpKOdkI9VbY4j8cnSGwa3KUQF.exe\" O"	6qbW62HJg5sC2GT5.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Config\\yttVrTjYNR9bAX6kSoeRBr3lYPtGF.exe\" O 2>NUL"	6qbW62HJg5sC2GT5.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	6qbW62HJg5sC2GT5.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	6qbW62HJg5sC2GT5.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Local Storage\\leveldb\\zXAs6VujLZpFJgQ4oRcTdCatGQhXFCrXAlVws5XkRZKphvPVGRiSpzXE.exe\" O 2>NUL"	6qbW62HJg5sC2GT5.cmd

Modifies registry class 12 IoCs

Processes:

99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Command Processor	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\EfSdfHmtTcqTbu94WaE6rCduvDNQDrY9jFy2m4zuhNAze.exe\" O 2>NUL"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\m94GYy9xaw6xrib6.exe\" O"	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exeAUDIODG.EXE6qbW62HJg5sC2GT5.cmd

description	pid	process
Token: SeBackupPrivilege	2028	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Token: SeRestorePrivilege	2028	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Token: SeShutdownPrivilege	2028	99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
Token: 33	928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	928	AUDIODG.EXE
Token: 33	928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	928	AUDIODG.EXE
Token: SeDebugPrivilege	1984	6qbW62HJg5sC2GT5.cmd
Token: SeRestorePrivilege	1984	6qbW62HJg5sC2GT5.cmd

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1476 wrote to memory of 1984	1476	gpscript.exe	6qbW62HJg5sC2GT5.cmd
PID 1476 wrote to memory of 1984	1476	gpscript.exe	6qbW62HJg5sC2GT5.cmd
PID 1476 wrote to memory of 1984	1476	gpscript.exe	6qbW62HJg5sC2GT5.cmd

C:\Users\Admin\AppData\Local\Temp\99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe
"C:\Users\Admin\AppData\Local\Temp\99f795b31cb5185520e9d5d0f6a903a38fc55d62c21abaa3ecba4a96fcc62b1d.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1696

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1692

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1476

C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\6qbW62HJg5sC2GT5.cmd
"C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\6qbW62HJg5sC2GT5.cmd" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1984

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\6qbW62HJg5sC2GT5.cmd
Filesize
795KB

MD5
726137a4bed1e53ff66e559b061486f3

SHA1
f2916f7c66a117b8f1f0a5bc87c81feb72bb87c9

SHA256
95f50201cf8025671ada9d3f9d48363e9b0ba655e987a670b771d4b4c2b1b02a

SHA512
4089fa6d0964d33945ee013c5ac54a4db75105d67a4a43648dc3f9cb0eeeed2d93d6a68573f5cafc51adb6d43abe21309ac3524d7a8584c8507b5b4fb8e8e360

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\6qbW62HJg5sC2GT5.cmd
Filesize
795KB

MD5
726137a4bed1e53ff66e559b061486f3

SHA1
f2916f7c66a117b8f1f0a5bc87c81feb72bb87c9

SHA256
95f50201cf8025671ada9d3f9d48363e9b0ba655e987a670b771d4b4c2b1b02a

SHA512
4089fa6d0964d33945ee013c5ac54a4db75105d67a4a43648dc3f9cb0eeeed2d93d6a68573f5cafc51adb6d43abe21309ac3524d7a8584c8507b5b4fb8e8e360

Download Submit
C:\ProgramData\Mozilla\wKYvsburcsj1l6NRju7j4zz6OpBxb3cS6fnWFhkrHeIBzn9qOc9Z.exe
Filesize
861KB

MD5
87120a6479da4234ccf32451842418c1

SHA1
7d999254053628dc8ea96a519683c0faa39cf3a7

SHA256
776edf7df5751ee154d47444249774f15083673d45e1ac92c190efc8e22ffaae

SHA512
9c901a8c1930a25e0b5fc6a965a86a189c9d2be9c5c9cdba23797ab61525fa2945e458e92eae2f05a1c048b945f46126cf6a0f8ee7d15a3ccc08256f84b08c73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\yV1Gg7reUWFRS1KWtWMi0uOusS3i1ht2Xp1NGWF12SRdYsC.exe
Filesize
1.0MB

MD5
329ef10cde7c60bde7d32980daf23fb9

SHA1
53f75f1d3d7024765c62b08aaa757dd454207550

SHA256
dde9409a853ee85f93afd6b45a15eded7fe9bae6516b2163b472d4547f7cf3a9

SHA512
18cc978d5db14eaba2f87eba2f603a8be8e26a487725861d9bf8fa4a5adbab61c85e5950ed371a8f3b6fc5deb2a9859bd37c4f17ca853b00b036d56098a7f158

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\wERxdaquhJOHaVXdxkDM6uF8qJOv6ktaLNfIQmZpLVIiRDrWY.exe
Filesize
606KB

MD5
0b05ad55db9ac81956034a3d19dc5f36

SHA1
d373ba2ec54af41cd79702554021259b290a457b

SHA256
09fb3817f07602554a7a426dbced0891f3f959f8ab8a2510e47efaa8d503a7d5

SHA512
49417f04dc470ae2f43b9223607aada0252b0f19be4fbdc58fb5b7d39a805942aea8ea8d750c11799b82f02ab14da9568f6deb187194b73244c99435eaab8bf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CertificateRevocation\iIUzKGM9ogsLi1K7HV3hcUTOkO7OwAESmkZiN0bAz2hNL2ZXe72B3PNR.exe
Filesize
900KB

MD5
3de1a9421a4b429dfcd12cb5891c6581

SHA1
09bf1aa0e831599349f748bbfb68e26c20759abc

SHA256
baf2facde4c8d01a028fde0dd3854d64bfb2a12d810fbe2200bae5c30f66f1f8

SHA512
6600fa70d036da0b5db1f9009d88e92cae2ed893aab37091dbbe397d31fa5d7ede9582f008da1a4654826c556b2658e0bc341a7b8cbe195d719f11f8d8effd49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\OCQBY3cH1cMn44K3GJsywejJKX4iCjJWhgXQcEbnqPXeDlt2Okh0XxzBS6WPrQFr7C.exe
Filesize
833KB

MD5
c90e1e713f4b42d17a5665956eade95c

SHA1
420c9d282e09a0e456fea200ccf20a239943058a

SHA256
564a5721ab7b6267da5f5e7a60aeb02d7c773d2766b5210ed2d862f6c55016bb

SHA512
a3687c9c29d275dd47ef5db736d106638c3911403c8943f313396f6359cd3fa5ff5b389ace0894f1b90e8a1f3e586c745de598bb6e3139c1340ff31e36fa3012

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\MtnVKnaSdWko8b4eQZMtK8b9pDAdhbticS9ev5cNujN87bbr51QGMurQXr8jVbxC4b.exe
Filesize
606KB

MD5
e89566240520c70e4b677094f7067f56

SHA1
cc5e065e9df8e59fa0d03e45e66a14f84830d5b0

SHA256
d7211a93c6f599c8fbcf6c8460b3a020c986e5eecf2bf2dad41c47005336eafe

SHA512
0974338407f9c9c53fdddb6f3a8f83d3ab5f0ebbd6d42f74acf01989c5fc49033b77f8d0cfde99c7be135b1166bd8745a31bde5b5349c0ee71cd871065d416f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\ahHUfUjtBRPXmOoFvesan3JSVuel2ji1ScPnCuavlXH5yWkyrr0eH1ovXiosqZyT.exe
Filesize
582KB

MD5
35d8ac3ff98d139de2c914685b95af5e

SHA1
a815689624a2fee110919c9c5d4cd4fd63e0bb45

SHA256
771b353c992ac34a64df333609eec553d75a85417e2cd91f83256b8669696e3c

SHA512
4eea3d6226c447ff7e3c25a5dadec50edabc641e397781f60c105f6b6be2df7ce27d52dc9e39b2eb431f8e2cda27447525e24bb43d801847b149d42113737d5c

Download Submit
C:\Users\Admin\Favorites\Links\l2ryhCZjmjd6yfiPqUTLck0CEV.exe
Filesize
1.0MB

MD5
8c2ab9c621ac81765e60ae88d308923b

SHA1
06b7b5a309c297650dbaff5ca5a856ddd4feaf4c

SHA256
a5776dbf05e92ff55f923e284bd9781c961d7914a156cbd0019c5417651b4590

SHA512
2369f3fd37dc9f573550496352ea8701c044eaffb40b6096bfcb99df5f2d062b38465828cabd0b613ae027952ddaad36d0433cf496a214a003101b1c39d94870

Download Submit
\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\6qbW62HJg5sC2GT5.cmd
Filesize
795KB

MD5
726137a4bed1e53ff66e559b061486f3

SHA1
f2916f7c66a117b8f1f0a5bc87c81feb72bb87c9

SHA256
95f50201cf8025671ada9d3f9d48363e9b0ba655e987a670b771d4b4c2b1b02a

SHA512
4089fa6d0964d33945ee013c5ac54a4db75105d67a4a43648dc3f9cb0eeeed2d93d6a68573f5cafc51adb6d43abe21309ac3524d7a8584c8507b5b4fb8e8e360

Download Submit
\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\6qbW62HJg5sC2GT5.cmd
Filesize
795KB

MD5
726137a4bed1e53ff66e559b061486f3

SHA1
f2916f7c66a117b8f1f0a5bc87c81feb72bb87c9

SHA256
95f50201cf8025671ada9d3f9d48363e9b0ba655e987a670b771d4b4c2b1b02a

SHA512
4089fa6d0964d33945ee013c5ac54a4db75105d67a4a43648dc3f9cb0eeeed2d93d6a68573f5cafc51adb6d43abe21309ac3524d7a8584c8507b5b4fb8e8e360

Download Submit
memory/1476-65-0x0000000000FB0000-0x0000000000FDD000-memory.dmp

Filesize
180KB

Download
memory/1476-64-0x0000000000FB0000-0x0000000000FDD000-memory.dmp

Filesize
180KB

Download
memory/1476-76-0x0000000000FB0000-0x0000000000FDD000-memory.dmp

Filesize
180KB

Download
memory/1476-77-0x0000000000FB0000-0x0000000000FDD000-memory.dmp

Filesize
180KB

Download
memory/1696-55-0x000007FEFB641000-0x000007FEFB643000-memory.dmp

Filesize
8KB

Download
memory/1984-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1984-62-0x0000000000000000-mapping.dmp

Download
memory/1984-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2028-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2028-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads