90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe

Analysis

max time kernel
204s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Size

973KB
MD5

c66f140df79c28dbcb79511467400d7e
SHA1

5ef2b80388644c8c3e7cf4a30190531a0398ddfc
SHA256

90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe
SHA512

3567e045f0258a0698dceeebfa3be11c7ced260d3e5c393b62a761ea0d7833ce291cc1827672627b26e096866bc78b48667d53db6d268118dc8fcfb4302c9ed2
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Templates\\L3fpEPbaVR7.exe\" O"	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\SystemExtensionsDev\\ctUyVeohvuJTllBqqsxpkmOfaE7MJ9amI2w8Fj.exe\" O"	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\History\\DmS2xAdlJK96t2E86ZK.exe\" O"	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\jk8LcsWpMyUBdFBXwllDjLWcus8.exe\" O"	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe

Executes dropped EXE 1 IoCs

Processes:

1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe

pid process

1172 1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe

pid	process
1172	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1388 gpscript.exe
1388 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1388	gpscript.exe
1388	gpscript.exe

Modifies data under HKEY_USERS 56 IoCs

Processes:

90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exegpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\ja-JP\\UKQpsslyyDOoEFFkA64aPKE5boGYIkBjwy8WGFO46NKOyuZ7d2YHqBEg97hEm7.exe\" O"	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\RAC\\LsV0YDaj4PlXmA5ufDH3hwHy6w2hfnJKE.exe\" O 2>NUL"	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\gSAMcuqnJlQn58w3U4WoPNTC.exe\" O"	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\41\\kPf8uxMcfuhFR6udvGG9Fjtr7hMMVC9oHHKmEO.exe\" O 2>NUL"	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\blob_storage\\b83cd490-c15e-4180-aaef-4d51d2209149\\SpFb6lJCoEh1LKQ.exe\" O 2>NUL"	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Key created	\REGISTRY\USER\S-1-5-20	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Libraries\\70lJD6CJsH69hoXudRXo1T7FwnvEvso0y7hb.exe\" O"	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\nGJxTjQwi0teurDT8Mz3DnCKv8Z11Tlk1DsTB9W1mT87d8jN9uPihhuDyELRgtEdK0Tv4X1.exe\" O"	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\.DEFAULT	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\\8ctbfDuil71Pk2Lb.exe\" O 2>NUL"	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\DeviceSync\\0pHjPQHB1YpKTq24aLQpJwBSKrT9Rxg9Ap4j4x8aQJMQn9SdYKpGFNgkCX17.exe\" O 2>NUL"	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\SAeLFv3uNlTF0tecuIvV4RmrL4vnqMtDYq0T1oqnPh8hBqZFkJ0kJrtZBns.exe\" O"	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f02a0edeea00d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\C7z2V4NXKyrG6kGCi5tEv0qtZd5RoVGhLAXgun8GJZI6aAzPrnr7Lp.exe\" O 2>NUL"	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-19	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DNTException\\Low\\3xfJl3pLwuJ3qLQ9FIxuOEqPj3X0ATO3KFrar3qt6nh2lD84quptYQrzNK3Qx.exe\" O"	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\SecStore\\ILoKleJQ7Fzy9cz9dKrFDnG50ySMgNYLyxpPJlTDL.exe\" O"	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\MF\\13DPIGUbZVXTK3YApSINRXZlCkeOl3klx5hl5fYudHZfcCutSlmnGp4u1hAbG3uBI9iRIDN.exe\" O 2>NUL"	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\hi7KVB361Q72TxHfQe.exe\" O 2>NUL"	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Device Stage\\OGEhxXydIoR4ljH614GmQUrzTjQ4EVPO0G7hw8HeeZpBMfZyN7Qm73AFvCiz5nm9HhLQof.exe\" O 2>NUL"	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\84LRS8BJ\\IOqglnZilsz6D9zLS4JI6gy2pn087b5GHetKgS8dZYD.exe\" O"	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\44\\r692LhdSnqx.exe\" O"	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe

Modifies registry class 12 IoCs

Processes:

90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Command Processor	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Code Cache\\wasm\\index-dir\\sSXxwmKaTcjLQuctYY7gJIYsRPuYH8F4AfexdFHQUQt.exe\" O 2>NUL"	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl\\44g72wgDgVdEr2MGVPv.exe\" O"	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exeAUDIODG.EXE1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe

description	pid	process
Token: SeBackupPrivilege	960	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Token: SeRestorePrivilege	960	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Token: SeShutdownPrivilege	960	90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
Token: 33	636	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	636	AUDIODG.EXE
Token: 33	636	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	636	AUDIODG.EXE
Token: SeDebugPrivilege	1172	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Token: SeRestorePrivilege	1172	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1388 wrote to memory of 1172	1388	gpscript.exe	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
PID 1388 wrote to memory of 1172	1388	gpscript.exe	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
PID 1388 wrote to memory of 1172	1388	gpscript.exe	1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe

C:\Users\Admin\AppData\Local\Temp\90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
"C:\Users\Admin\AppData\Local\Temp\90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:340

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:428

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1388

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
"C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1172

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Assistance\Client\1.0\C7z2V4NXKyrG6kGCi5tEv0qtZd5RoVGhLAXgun8GJZI6aAzPrnr7Lp.exe
Filesize
1.0MB

MD5
5d6697059fe7213567862a5650ca5320

SHA1
8b2e4bd6ef8daa6ec277b0e15b79c74d274f6985

SHA256
aed123cc4a87bea15b58ab298c5f06b30d3d7f9615f9e509e38114d263b57abb

SHA512
97b0c0dacaa5d9ad1d5f7e0f0290ab2de0d455930f8ff62fc8adc1ebf7be90067756e6ed85dc6349d6d2fac9ba666ba58ce72e61cc394cd966b37f9961ed72eb

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\UKQpsslyyDOoEFFkA64aPKE5boGYIkBjwy8WGFO46NKOyuZ7d2YHqBEg97hEm7.exe
Filesize
1.7MB

MD5
ee4ffb53786d5def131444a9b71ff43e

SHA1
723b1366796e81774dbda0fc3535c76a59406a1b

SHA256
00f5df4c203d011705e8154dce5d5bba68fdb26e12cf1aa8f2acbdb037a646c6

SHA512
ccf80f9e91939b2d2ad49be64732d0e9a668a8bf6c62dcb7788f2368a9c252473fd2cbd03f28132ee033f10c5fb84c47cd255f360196fe1f8c846c9b8bbaab42

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\sZrEW4MrbuywwbyYK3DuAhwOpKPIPv5Q9X6gMIT5.exe
Filesize
1.6MB

MD5
946e989f3c72cfce735c865da454e49c

SHA1
df685d6439057b5b4d5851e350d6fa047432ac1c

SHA256
0977c291a3858bbac5cc71222466dd0d6a0a8436fee94fe4a4e3e31d4f51c1b8

SHA512
98f2374b94a35b39f31eab3dc84ab489d5cd3483e3ef9a4a112d22b9a83e65f22f08b5d94e855699e8197752d3d919847aafb632948052bb91bde64c39102b2d

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Filesize
1.3MB

MD5
d386f796494bbd6c64dfe8c47c53046d

SHA1
be385670c8b1cdb4dee34359a5c8a853724138b4

SHA256
a5824b383b95b26c135dbac6eb06adcb1b431f39eb2c356fa75642c94dd06f71

SHA512
cd73e82dbff5ebf66ef2ffe551273b84d03d9c1a43a33f73ee290aea84445b0c05434899db5d59f20c729e0acc1db209ee79113d7a1069062bed6c0b3e3b8251

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Filesize
1.3MB

MD5
d386f796494bbd6c64dfe8c47c53046d

SHA1
be385670c8b1cdb4dee34359a5c8a853724138b4

SHA256
a5824b383b95b26c135dbac6eb06adcb1b431f39eb2c356fa75642c94dd06f71

SHA512
cd73e82dbff5ebf66ef2ffe551273b84d03d9c1a43a33f73ee290aea84445b0c05434899db5d59f20c729e0acc1db209ee79113d7a1069062bed6c0b3e3b8251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\b83cd490-c15e-4180-aaef-4d51d2209149\SpFb6lJCoEh1LKQ.exe
Filesize
1.3MB

MD5
571f4c765271e444e1296cae92dad7c8

SHA1
ac5f068314951ac4bc9b3aa8f86a72a90f59c13b

SHA256
922e301654481ae7a4b2c87292a51ab74e4f4105a63e8ad797043a55bbff9bf2

SHA512
17526bf71b815c71ac9fcd3b8b5cdb8f3362ae8f7eb2cd119dadebe7b56a90b8fc5c203718a5935b83be9a87b9dead6770d6a9983503ae0222bc19e522d068ef

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\gSAMcuqnJlQn58w3U4WoPNTC.exe
Filesize
1.2MB

MD5
7b21473e1e923c4d4cf3bf0344449ce1

SHA1
d2ce525408d128e4cf613d0f16c990eceb88f359

SHA256
fa4cacc55555aa3951d0e3010e867c25f351ad2278ba8d475f430f633223bd10

SHA512
57c163b2ce1edbdbcdc02238ee747d79267536b7a5838ebcc0839c8aef238eea643c2aabc150c607fa12647e11647be2f9830df349ecfb70777dfb13bd52ed19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\8ctbfDuil71Pk2Lb.exe
Filesize
1.4MB

MD5
e3c527937e2d801ec6fe9e00ae6b4c92

SHA1
9579bf9b234a14668c1a108c565ade93199e8337

SHA256
0c07b3658067717bbdb9f8d12619e8d96570cf6d8a781ca4dab0eeb3c31292ad

SHA512
8f2a84819b1073d1c0c3837530107206efeb0e73b5e637ee84e6732115d8eeac4e1c569b26c3897dd6829c682a1d80f24a6650307ab2198b92bbb101245d385f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\SystemExtensionsDev\ctUyVeohvuJTllBqqsxpkmOfaE7MJ9amI2w8Fj.exe
Filesize
1.4MB

MD5
659ada449385f6d9bb9225f7f3ce16c9

SHA1
7a480bd8aad5ae93fa179cb2e22c9d7e092c9fde

SHA256
3d2d5e68ab2b9b410d8282bd42d1bf5dc869112a3cb830d253956d2506d30e58

SHA512
03b178a6d640916952f8ffd6b594e638925b2d99e5bf3423da110796cfce274f9d0ec5be878b815d7395656785aecbf9fbd3945e37bf98cb292012bd9c1abe7a

Download Submit
C:\Users\Public\Libraries\70lJD6CJsH69hoXudRXo1T7FwnvEvso0y7hb.exe
Filesize
1.5MB

MD5
030b23233e110c139c6e3dcb1ed6f0ab

SHA1
22fb1df44138bd52cba4969fd9e4505f1a565dfe

SHA256
0506a2824759830567d7dcdb9664d9f5214eb447f9d0c935db5b9e91ad512b3e

SHA512
35d30c73617d3a52d7cd1b98c5f5041fd19ebcc72cd760498c7ac12a545fda4b30b3c38150d19a311deae9251e9a49bdf8956b8993630795a930e191eb6e5b18

Download Submit
\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Filesize
1.3MB

MD5
d386f796494bbd6c64dfe8c47c53046d

SHA1
be385670c8b1cdb4dee34359a5c8a853724138b4

SHA256
a5824b383b95b26c135dbac6eb06adcb1b431f39eb2c356fa75642c94dd06f71

SHA512
cd73e82dbff5ebf66ef2ffe551273b84d03d9c1a43a33f73ee290aea84445b0c05434899db5d59f20c729e0acc1db209ee79113d7a1069062bed6c0b3e3b8251

Download Submit
\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\1KFshlXS0Yoo3tGkr9rmmz5deeRRu2sYIM.exe
Filesize
1.3MB

MD5
d386f796494bbd6c64dfe8c47c53046d

SHA1
be385670c8b1cdb4dee34359a5c8a853724138b4

SHA256
a5824b383b95b26c135dbac6eb06adcb1b431f39eb2c356fa75642c94dd06f71

SHA512
cd73e82dbff5ebf66ef2ffe551273b84d03d9c1a43a33f73ee290aea84445b0c05434899db5d59f20c729e0acc1db209ee79113d7a1069062bed6c0b3e3b8251

Download Submit
memory/340-55-0x000007FEFBAC1000-0x000007FEFBAC3000-memory.dmp

Filesize
8KB

Download
memory/960-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/960-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1172-62-0x0000000000000000-mapping.dmp

Download
memory/1172-68-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1172-75-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1388-67-0x0000000000F30000-0x0000000000F5D000-memory.dmp

Filesize
180KB

Download
memory/1388-74-0x0000000000F30000-0x0000000000F5D000-memory.dmp

Filesize
180KB

Download
memory/1388-66-0x0000000000F30000-0x0000000000F5D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads