29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0

Analysis

max time kernel
225s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Size

987KB
MD5

ab160cbd5ba23bf8bdda57fa0f2b1650
SHA1

3ad1f672f16d54af418cf731eb702528f083d823
SHA256

29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0
SHA512

fbf19e5da3d22989ebe764a1683fb69fb0999c3b9cf5b44b6794def95d93d4777c9ea1c22f00ee3071f360ae0afeab4c3d62cc04c8dc895c4dc75102eb588e48
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\mvICHkOQxEeRlm2QF.exe\" O"	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\43\\g5jlgKCb59oWkpsrG5klYgXMWf.exe\" O"	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\MSDN\\3hKPQutx8aeO8Y0am7YSM4AjME1XXC6hKscyncfj1Iz.exe\" O"	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\Music\\HpXIre4zHr8jGvRYFWtLIHN0nfbWOyd27wKNmoOMKM99.exe\" O"	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe

Executes dropped EXE 1 IoCs

Processes:

0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe

pid process

960 0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe

pid	process
960	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

2012 gpscript.exe
2012 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2012	gpscript.exe
2012	gpscript.exe

Modifies data under HKEY_USERS 55 IoCs

Processes:

29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exegpscript.exe0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\\EO29F9jzM8LTS9jBnUCFI5tgHBKQLaYME4dQN2L07.exe\" O 2>NUL"	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\kezyzRJ2G.exe\" O"	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e027f59ce400d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\CVjMmN18naf0nPoW8KZNn9NSYuprFlnwNv.exe\" O 2>NUL"	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\leveldb\\XsJPlRhRP58nwhgyMaTEy7bXmPGYK2A.exe\" O 2>NUL"	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds\\Feeds for United States~\\fUBQ9Vz1nvQoyYs.exe\" O"	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\0YgCFkttbdYYY.exe\" O 2>NUL"	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\R2UQ752E\\mbp74pJdvCfkgBggz0hFhEct6NkPy2GvuguFW4.exe\" O"	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Templates\\3CRbFC4Ln3YKc5ZRjAf3gFw66.exe\" O"	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\9ze2FSO79kU1xiv5efKLp6A.exe\" O 2>NUL"	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\XlrjxrQ5CuLZ8r8Tm1.exe\" O"	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-19	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\pe9iawd3.default-release\\safebrowsing\\uYOBbmGYiv3X5sr.exe\" O"	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\9QG0t3hbeJvwXTNUsS9xpt1P0k6xtSAMhDwV9ZgS47E.exe\" O 2>NUL"	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\.DEFAULT	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\edKYKm8sXqlyyd5pOvY4oMvyrorcmLvKKFyD9WIERlq193UC3aaMUjWVEe.exe\" O"	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\Saved Games\\5xiygXhWr8.exe\" O 2>NUL"	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-20	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\50\\A2uG1me41nJADXG4mHot6BK4foxNnd2mYunjr5khaKyle.exe\" O"	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\mvn3oeOVRQmZHjVsMRulaS5p1Wo.exe\" O 2>NUL"	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\6Mn07EoCCzldPEvCwmv5BV8aMRkNCrykgsu8vFiqk1qiRHgb.exe\" O 2>NUL"	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\ja-JP\\CcrXlepmFxjp6nitKvX.exe\" O"	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe

Modifies registry class 12 IoCs

Processes:

29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\SOFTWARE\Microsoft\Command Processor	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\h7pjJnChilH4NAX6KFhaYra6kg6FuPB.exe\" O 2>NUL"	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\NonCritical_x64_3eb5ea8473594499407cacbd9887e2953d50fd80_cab_03808c18\\p9YdWmtblc9OvVRdfdwNpVdANfM9xKCcVWZY9ai0XiE8nzDHS0FsHWLpvFWlyh.exe\" O"	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exeAUDIODG.EXE0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe

description	pid	process
Token: SeBackupPrivilege	1680	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Token: SeRestorePrivilege	1680	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Token: SeShutdownPrivilege	1680	29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
Token: 33	544	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	544	AUDIODG.EXE
Token: 33	544	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	544	AUDIODG.EXE
Token: SeDebugPrivilege	960	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Token: SeRestorePrivilege	960	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 2012 wrote to memory of 960	2012	gpscript.exe	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
PID 2012 wrote to memory of 960	2012	gpscript.exe	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
PID 2012 wrote to memory of 960	2012	gpscript.exe	0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe

C:\Users\Admin\AppData\Local\Temp\29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe
"C:\Users\Admin\AppData\Local\Temp\29f8a9d8884e1aa38f1fe2ede25da6287bfb24586dcb35fd2679e90ab12feef0.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1328

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1960

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pe9iawd3.default-release\0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
"C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pe9iawd3.default-release\0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:960

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows Defender\Support\QENb1HoG5D6BGIPEaDVIFtGrrI5vpOeqWjpLm.exe
Filesize
1.2MB

MD5
55c281a984bf983167be74e57024b4e2

SHA1
dcfde86a2becf057b3cefcde2653f33faadb3912

SHA256
8fb66fe1b9db8c6ce567f8092d56fd639475840c0e5a79b208204e16bdbcec85

SHA512
2d26b8f269cbbc0c06009986808be62677713372032873fda09ab85e95faf2661000ed8a002ec31ff5cc9fc1ef8d1804ad92163f37387b6095d88d9b49cd9279

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\9QG0t3hbeJvwXTNUsS9xpt1P0k6xtSAMhDwV9ZgS47E.exe
Filesize
1.0MB

MD5
4072ab3fa5fdc8c6960e49a9eede7d31

SHA1
c644773c0f6eac262ee5e6d12304bb5b476b8503

SHA256
327ff16e964f749369b828b4578dd8fddd7cf0822c9293b314d2d09bdf0ea174

SHA512
1ef183620a7371b16c5441589ff81da2423a8b759ef9da90ce54a84b598ddc10669f8770a941da6c43807d306786907f9a37eee395a18ca1bbf6fdba9e5153a8

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\3CRbFC4Ln3YKc5ZRjAf3gFw66.exe
Filesize
1.2MB

MD5
8a24202cefdfa5785577cdebd55848c6

SHA1
4691a3a74c04f6c0553b5d5c89badc7267556e9c

SHA256
de37cc67efb722ff1f6c527e9509b8819f68dfb50dd3513e869eb4ae23333c04

SHA512
69c439b46f84b5a6275372fef381a399d95c9033d465d3059cb9767c7f163fd1b083fe572239e505b05bc0e695512299322d98919e280fb226bf6bb5c05df81d

Download Submit
C:\ProgramData\Microsoft\mvICHkOQxEeRlm2QF.exe
Filesize
1.9MB

MD5
a6950f8d65096c17e6c649951011ddb7

SHA1
efce1f4f408ddede550589be29c49eb84c9fc252

SHA256
4892439132f3277989184e59e11f8db6658d3aee1458e68c272581433ca3205c

SHA512
ef191c3692ce014285e58b19a17d7fdaca9a84c2b199c238821cce7dadd173e86cf57f5d97425eeeae7eb291e869ac0702abb82893efc7c970284d071a01fc8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\R2UQ752E\mbp74pJdvCfkgBggz0hFhEct6NkPy2GvuguFW4.exe
Filesize
1.5MB

MD5
57476e69d80ef7506e835f6aaea69272

SHA1
cf7a280f55123105cd4ef34053063a0e09b5fe6d

SHA256
5c9e4cd50bf184e77af5f1413b84ff56ce272f6a1a50a15088d920d7fa153795

SHA512
242eaca3bfed9a26aa7e8067f5fccf233b7567490779b117b4f6d48b609a8e4953520cf40152077a83af3e7de51c8c96880518c921e18363b5f247c2b95b124a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Feeds for United States~\fUBQ9Vz1nvQoyYs.exe
Filesize
1.5MB

MD5
e4dbf710eea347e4cd2ba390b5f706bf

SHA1
fbdc7ebf3b84a4ebc31c394af43ae676a7c38555

SHA256
ce53b02e45806608a9636ce1bba70096181c8a59d6a9cf7756456176166e2060

SHA512
949b76fee9188699126631004f5a64ff2c7fb1c768f6a8afbf8787d1988bd3838932bee9a1f44d4b40ed9d2d652df5ad35fa82648b84138766b288b3ce94ad9c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pe9iawd3.default-release\0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Filesize
1.2MB

MD5
26eff89141d5c30f0f7f98fa87f6e55f

SHA1
6ed4336a65228c30622dad9619343df5361b4ca0

SHA256
5b127822e838ed6d0ceeaf34292a64cb5a10b81d27924ad4131ef4e346478c14

SHA512
dcd8e18ce8297c1de91c2455cd7f291be679e60f678cfc930b91280720fdd58473452077f73c88a7f0890cc5c74e3b67ee5ed060c696b077f30b295418f17493

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pe9iawd3.default-release\0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Filesize
1.2MB

MD5
26eff89141d5c30f0f7f98fa87f6e55f

SHA1
6ed4336a65228c30622dad9619343df5361b4ca0

SHA256
5b127822e838ed6d0ceeaf34292a64cb5a10b81d27924ad4131ef4e346478c14

SHA512
dcd8e18ce8297c1de91c2455cd7f291be679e60f678cfc930b91280720fdd58473452077f73c88a7f0890cc5c74e3b67ee5ed060c696b077f30b295418f17493

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\9ze2FSO79kU1xiv5efKLp6A.exe
Filesize
1.2MB

MD5
cd3f57601b3d892901cc83afccc17d9c

SHA1
dae9883da7061e1c1f16fa899955484c348a60bc

SHA256
3a3d8eca54ed71aa84fb87bea1545052f76629144167778f5849d9292fd41d80

SHA512
2ea7a4b34b67a3eaf34b963d33b588dc271f32eaeee3166c381599543e58e1632baec6b36abab59b2cd70a67cacb83de439d2b52ebad04cfa4bf2784f7395040

Download Submit
C:\Users\Default\Saved Games\5xiygXhWr8.exe
Filesize
1.7MB

MD5
1d15249811da856eb91d64cd95d1da79

SHA1
4695ccb5dbd13c573b0221771e61bce7315bd2ef

SHA256
f2ed9817d1d420e5b33d00b745852179df7f347d7aff0718bc369aeb3b889464

SHA512
c2711133a84881f57ba600facd315fada2bd514055f23db9bda29bb978c0af44cff16fd8b00ba22d1ddc9429881c2e9f503316d9cd0c264ff9c7f25bde0cb6d5

Download Submit
\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pe9iawd3.default-release\0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Filesize
1.2MB

MD5
26eff89141d5c30f0f7f98fa87f6e55f

SHA1
6ed4336a65228c30622dad9619343df5361b4ca0

SHA256
5b127822e838ed6d0ceeaf34292a64cb5a10b81d27924ad4131ef4e346478c14

SHA512
dcd8e18ce8297c1de91c2455cd7f291be679e60f678cfc930b91280720fdd58473452077f73c88a7f0890cc5c74e3b67ee5ed060c696b077f30b295418f17493

Download Submit
\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pe9iawd3.default-release\0dpX7IaArdIVYKbMpISlFB3M4GLxw14BpD9eCAIqmTy2QY2d.exe
Filesize
1.2MB

MD5
26eff89141d5c30f0f7f98fa87f6e55f

SHA1
6ed4336a65228c30622dad9619343df5361b4ca0

SHA256
5b127822e838ed6d0ceeaf34292a64cb5a10b81d27924ad4131ef4e346478c14

SHA512
dcd8e18ce8297c1de91c2455cd7f291be679e60f678cfc930b91280720fdd58473452077f73c88a7f0890cc5c74e3b67ee5ed060c696b077f30b295418f17493

Download Submit
memory/960-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/960-70-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/960-62-0x0000000000000000-mapping.dmp

Download
memory/1328-56-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

Filesize
8KB

Download
memory/1680-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1680-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2012-69-0x0000000000F50000-0x0000000000F7D000-memory.dmp

Filesize
180KB

Download
memory/2012-67-0x0000000000F50000-0x0000000000F7D000-memory.dmp

Filesize
180KB

Download
memory/2012-76-0x0000000000F50000-0x0000000000F7D000-memory.dmp

Filesize
180KB

Download
memory/2012-77-0x0000000000F50000-0x0000000000F7D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads