4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f

General

Target

4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Size

1.3MB
MD5

de0a6c3bd90ba04ba7e222c2342eb83d
SHA1

596731db56a389b656f6cb1557aac8965f8f20e6
SHA256

4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f
SHA512

aa8b78be9ba123cb81437b9dfde7835fc2243c677fb278e7093727c322cd6b73df0e9da0e18f23e0629caee8326bc8aeea4aec7c4a1c73be339ff19065198bd4
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\63\\kVCX8iVk4.exe\" O"	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\it-IT\\xW4JGKRS8FA2NOhq8EkjdLd1vG64cJSvUKxYtmhV1vuOV7NWATi7xzbC.exe\" O"	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\7LhXzjE1GRgM6ua2X03CdTpxHh6UqBBSMHJ60SdARGgWH7G3jW8ueF0BYq5eED.exe\" O"	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1692 gpscript.exe
1692 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1692	gpscript.exe
1692	gpscript.exe

Modifies data under HKEY_USERS 37 IoCs

Processes:

4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exegpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-20	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\\lJ9cILJzWNs5sGnOsgEdrvBnNCj.exe\" O 2>NUL"	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\.DEFAULT	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\VVzVnzxi44Nkxze8AgWkzmoWGTh9juPk1fRdL8blxvZHszdpDbcqQd6q5m6Do87Taqpl.exe\" O"	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\10\\NvC9bpVwoDsUBM.exe\" O"	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000300e4460e200d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\dozshqpt.default-release\\datareporting\\archived\\9mPhsbw1beiz.exe\" O 2>NUL"	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\1\\wcZqJSDvPSAq3i3ujH05lzmnMT2cBzl0Nnf7SaqI10EG4Y9HfnuXOv9eMhyCLg.exe\" O"	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-19	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Adobe\\otChW15lajLMwhHrVw4cC866GAciBGIdMGW2uCBbg.exe\" O 2>NUL"	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\h1kpkawoPWiyEev64WWp8OIykUFpiYyuhdDc0XO0gxFZL2b4LQMJLeE.exe\" O"	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\SafetyTips\\UPZNs4Cn38CzBuqlIfSzbrFq7Tp49GqWov54ZNpnUTsfr4kQ73X0Erd17v0gcW1Wh24OfZ8.exe\" O 2>NUL"	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe

Modifies registry class 12 IoCs

Processes:

4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\1\\56smLoFteOVp8C6b696LrcaHWVtCZozGuwCIpe.exe\" O 2>NUL"	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\SOFTWARE\Microsoft\Command Processor	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\38\\wMb5TXTEhwux8prr2ZYOxeR69bvfLwhLsAttH8XGMDLaXxGepkVp0KcmqajfHN9.exe\" O"	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exeAUDIODG.EXE

description	pid	process
Token: SeBackupPrivilege	1360	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Token: SeRestorePrivilege	1360	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Token: SeShutdownPrivilege	1360	4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
Token: 33	268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	268	AUDIODG.EXE
Token: 33	268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	268	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1692 wrote to memory of 1644	1692	gpscript.exe	kFaUhuepfZZbN4RdVivU.cmd
PID 1692 wrote to memory of 1644	1692	gpscript.exe	kFaUhuepfZZbN4RdVivU.cmd
PID 1692 wrote to memory of 1644	1692	gpscript.exe	kFaUhuepfZZbN4RdVivU.cmd

C:\Users\Admin\AppData\Local\Temp\4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe
"C:\Users\Admin\AppData\Local\Temp\4cf91235020eae322d8591d850d3982eb7f6bd18fb2838d322adbfd620c0924f.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2016

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4bc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1012

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1692

C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\kFaUhuepfZZbN4RdVivU.cmd
"C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\kFaUhuepfZZbN4RdVivU.cmd" 1
2⤵
PID:1644

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\kFaUhuepfZZbN4RdVivU.cmd
Filesize
1.5MB

MD5
1963756e61dab7a48edd1818172eb1c0

SHA1
c29b874a84cc7efb0fac2bebb914cb493ddf6897

SHA256
eba64736d88322325682aeaee8d7c12256b5417331c4bab3584bb8eacfd08361

SHA512
7565304f28b5d91d840f82896318aed5f94b28239c85957f30b4e517c9d6ae1eefa38a60405d9b6bd8e91d3df4b5b17d962ada0f02d14af0e4e27acc04ef5def

Download Submit
\ProgramData\Microsoft\Windows NT\MSFax\SentItems\kFaUhuepfZZbN4RdVivU.cmd
Filesize
1.5MB

MD5
1963756e61dab7a48edd1818172eb1c0

SHA1
c29b874a84cc7efb0fac2bebb914cb493ddf6897

SHA256
eba64736d88322325682aeaee8d7c12256b5417331c4bab3584bb8eacfd08361

SHA512
7565304f28b5d91d840f82896318aed5f94b28239c85957f30b4e517c9d6ae1eefa38a60405d9b6bd8e91d3df4b5b17d962ada0f02d14af0e4e27acc04ef5def

Download Submit
\ProgramData\Microsoft\Windows NT\MSFax\SentItems\kFaUhuepfZZbN4RdVivU.cmd
Filesize
1.5MB

MD5
1963756e61dab7a48edd1818172eb1c0

SHA1
c29b874a84cc7efb0fac2bebb914cb493ddf6897

SHA256
eba64736d88322325682aeaee8d7c12256b5417331c4bab3584bb8eacfd08361

SHA512
7565304f28b5d91d840f82896318aed5f94b28239c85957f30b4e517c9d6ae1eefa38a60405d9b6bd8e91d3df4b5b17d962ada0f02d14af0e4e27acc04ef5def

Download Submit
memory/1360-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1360-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1644-62-0x0000000000000000-mapping.dmp

Download
memory/1692-63-0x00000000010B0000-0x00000000010DD000-memory.dmp

Filesize
180KB

Download
memory/1692-64-0x00000000010B0000-0x00000000010DD000-memory.dmp

Filesize
180KB

Download
memory/1692-65-0x00000000010B0000-0x00000000010DD000-memory.dmp

Filesize
180KB

Download
memory/1692-66-0x00000000010B0000-0x00000000010DD000-memory.dmp

Filesize
180KB

Download
memory/2016-55-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads