0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30

Analysis

max time kernel
207s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Size

732KB
MD5

1c3de1ad0032e87bd30f70744dfc1db2
SHA1

e8efd36b4d3fe602abe93951aba8fcbae36e21d9
SHA256

0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30
SHA512

a3bc08f8c56f142f24f7be683a5b640a33b8c143ffb0cb6530966dc259b7e02a179ad7563eaf6d55c44bbfc3976921206f85828919c66054801c21a4bab5f019
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\44\\y6dm8OFPBDo.exe\" O"	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\37\\KQpKMvLnfPmOmrokkhmx.exe\" O"	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\WebCache\\yynFQcXtq28XYIp3kTyfLwxcEb0vnGkEz2qGWD8oPQ0fRPfjTCI0EUbDnrN.exe\" O"	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DNTException\\Low\\irmkU4DxaqNhEkGPKh8l1qdOXvgalGXWMqEiqQVXdubcrxLgqVp.exe\" O"	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe

Executes dropped EXE 1 IoCs

Processes:

SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe

pid process

1632 SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe

pid	process
1632	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1968 gpscript.exe
1968 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1968	gpscript.exe
1968	gpscript.exe

Modifies data under HKEY_USERS 57 IoCs

Processes:

0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exeSaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exegpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ae6vytmk.default-release\\storage\\za9cvxVkOgGhSoMhKtEE6y0raZvoojqwZgg55b4Td5G.exe\" O 2>NUL"	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\PlayReady\\723DG05gE6Tpzwu0KGgl9BO6m0hJNT9wAoHCeVYK4Zny6TOxLcUqT87.exe\" O"	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\7CyfdGpH39gTKZ4g9ti3lNgVmvB2T2AheRVUAvWfLuIcHxbzSQDoGEnQnBeoWV.exe\" O"	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\cDXSxV3NV7Od8wJwCSTAq4YnotiT6j0FmQdqyVkQ.exe\" O"	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-20	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ae6vytmk.default-release\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\bwjlcUDzBFE5yOwQmDOIQd91gAtuqfE2QuTAcM9wjK6T5u4IjwJN5U.exe\" O"	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\Xfk8hztjMuqJITqb4cv.exe\" O 2>NUL"	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\2pFhaiifGaI5Hai2JUXLBAnko7Xw7iKTD1T.exe\" O"	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f01c981ce500d901	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows Mail\\Fu5l9Mk8TmKO9aCTWB1Gt2ek.exe\" O 2>NUL"	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\.DEFAULT	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\F8oVfnzlFjyQK5yuTRpzA9SE9VC496j.exe\" O 2>NUL"	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming\\PrChPGtC8Kl0kp.exe\" O 2>NUL"	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\MEg8wWG0Iy8hd.exe\" O"	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\mJ8zDk5UTjLmyj0kYq8nsGQX9qdnfcEF5C4.exe\" O 2>NUL"	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000010368c1ce500d901	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\NZR5dv4A.exe\" O"	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Code Cache\\FxWJpEiPx5hHcV7I8URufOffsK70d99JS9kSzS1CcDBLGgn95is4EFqwYi4jy9UUrps.exe\" O 2>NUL"	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\GN2v2xf4QXxBNos6b39HyhrrOfRaf5J0HPqf8V8tk8ciXralJKen64DHptee9nYsj.exe\" O 2>NUL"	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\jJ1V3QW0Cm6I75FW5m2hvC9UswB9EAfCtl14zJ7Gbd.exe\" O"	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\MEIPreload\\iKxcyYA4MsfgIPhctQ4HDLxIEaT1S06q12wDmBq4a.exe\" O 2>NUL"	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\host\\OyVOPFpqHMoKxL.exe\" O"	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe

Modifies registry class 12 IoCs

Processes:

0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\hfY3mdN6F1dwkFa4tQwH8dYMv.exe\" O"	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Command Processor	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\GatherLogs\\SystemIndex\\YPW0BdxsuVMYkuDiDVV3tm2GXjVkUG4G9JlPSKUBHW6.exe\" O 2>NUL"	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exeAUDIODG.EXESaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe

description	pid	process
Token: SeBackupPrivilege	2036	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Token: SeRestorePrivilege	2036	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Token: SeShutdownPrivilege	2036	0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
Token: 33	560	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	560	AUDIODG.EXE
Token: 33	560	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	560	AUDIODG.EXE
Token: SeDebugPrivilege	1632	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Token: SeRestorePrivilege	1632	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1968 wrote to memory of 1632	1968	gpscript.exe	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
PID 1968 wrote to memory of 1632	1968	gpscript.exe	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
PID 1968 wrote to memory of 1632	1968	gpscript.exe	SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe

C:\Users\Admin\AppData\Local\Temp\0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe
"C:\Users\Admin\AppData\Local\Temp\0b969de3264c49234a1a1b4392785172d8a79db373eda14bc9209f88cfa31f30.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x244
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1460

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\28QDXKFN\SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
"C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\28QDXKFN\SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1632

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\cDXSxV3NV7Od8wJwCSTAq4YnotiT6j0FmQdqyVkQ.exe
Filesize
1.3MB

MD5
a4a26aac5ab4c91574bd624cee0e0f1d

SHA1
c2ea4e6d8831156a855359b65817399d80d1b05d

SHA256
c5a82180092eb7c689305272bed71085d5b81924cdd29c16cece3f22fbe5353e

SHA512
0478c4c2f3391efe8e1d7604a04c3470b744b214bf6f15f9cc2891f55c9d2f9e2f03a0fab542ad24b1e050432677f92260dcd5583ec1ab54bd3334b0f2fd3f3a

Download Submit
C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\1z9qYSfeEdQoiMvTfTMjPSfu6tkir4UQCf7TVMG5quwdGSyYbkRFAJ8W6nvfwKVmkQZG.exe
Filesize
1.2MB

MD5
fd1ecbf2718c71eb6e392c7a35651a76

SHA1
f3ae403ffcae3224c3feddb1e5cc9ec9652dc195

SHA256
550865a02be6e1fcbe69c15404de193de110c3c6fe3ad1bcdd6ad35931746881

SHA512
3e32c692e95fc4f2101d398aabf7d7092618b2e32ff7acb820dafb8ac2c339e45d528802e06e002750f09a170a823b983ff831444a3fe747890c1abd9ee23244

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\host\OyVOPFpqHMoKxL.exe
Filesize
1.1MB

MD5
15f34d8fa5dc59c4ef4d5b576ef8ff09

SHA1
17f0e5b4857f2226ec4cebcf4625460b5cb4c7b2

SHA256
9f6c90656c8967037334f77432b33f5a85b833122f9ecb54b842a903c861897a

SHA512
c113bb99f83c0f13574ef63074579fb26654089407bdadf71f4f468f934806f3092f50b8e354ff2a232a741f214be1a316274208b1fffa3c6f4c26e31b7deb48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\28QDXKFN\SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Filesize
1.0MB

MD5
cc18ebfa05b54d41afbedd38f6e2735c

SHA1
cdcb36e6c4a1d96913b20cfcb21f82502b2b255f

SHA256
92a33ce47d9e4d0253ae94f790ca07611c7b090b69bed12a178add1685e5b4ce

SHA512
d0d81423a5e1a1c78c85be74cd4a538e0cd59c46e924b8a7dacd5e57989982db3a09525828d8d1c47e371fc34da23fdbf368ab100b769acdb50805bdd221c386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\28QDXKFN\SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Filesize
1.0MB

MD5
cc18ebfa05b54d41afbedd38f6e2735c

SHA1
cdcb36e6c4a1d96913b20cfcb21f82502b2b255f

SHA256
92a33ce47d9e4d0253ae94f790ca07611c7b090b69bed12a178add1685e5b4ce

SHA512
d0d81423a5e1a1c78c85be74cd4a538e0cd59c46e924b8a7dacd5e57989982db3a09525828d8d1c47e371fc34da23fdbf368ab100b769acdb50805bdd221c386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PlayReady\723DG05gE6Tpzwu0KGgl9BO6m0hJNT9wAoHCeVYK4Zny6TOxLcUqT87.exe
Filesize
1.4MB

MD5
4bf32bc7f47111bb7a9f691ad894f3b8

SHA1
72be263a828a24dfba6c28dd2055a4d390025f5b

SHA256
86471306c20b6671c9014e16b20b29bff826405a34c274a7f054f351e731c355

SHA512
77f0597bab1ad47a425c36529dd9c40f42d91f0a6ddfa7cccadb936dbbc4b4c861fb3e61d56396e82bebb28d43a6d5acb75114273798b8d3e1e315f7e25df18d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Fu5l9Mk8TmKO9aCTWB1Gt2ek.exe
Filesize
900KB

MD5
d262c51b395f12982bf30e5f3d0f05cb

SHA1
706751cc03dc04273d7455a84ede6d36461d4f09

SHA256
b5cba4cb91d10256ace539f85a31a534e4401a3d7cc45126c3a801d303f5a818

SHA512
7d720f77800eeb648628c54ed9781a66ac3482a95e94508330a1bbb7b3104e3bd7b5b971340f13609897c2c9b9a1cfa41c069afcfd4984daa565ffe01b32f94c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\yynFQcXtq28XYIp3kTyfLwxcEb0vnGkEz2qGWD8oPQ0fRPfjTCI0EUbDnrN.exe
Filesize
1.4MB

MD5
4ff79511eb4b6639b922cfc5bcda3e64

SHA1
3908ee4c5b8b166c98eb1f08070024a9ddcaa39a

SHA256
a5a02e6c866ed4dff9979eba7db94c4952beff54ffae94c65f31b14de78afcaf

SHA512
c2a54baebdb0a28cd5c2f80910a29b4aee4b2ea66f11325346a237028889f6aa91501f9b6942d6515cc741b645d11a6c3125ab8b98f5166be670d355512a09b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\Xfk8hztjMuqJITqb4cv.exe
Filesize
958KB

MD5
822386f308741214d2d67cf4e7fe01b0

SHA1
fc43187762ef9912b6472939f373b11af2011690

SHA256
18b27a5913044a4f9cceaf74192440d0c23e007b70c2ecb4e6770400b5e91a4e

SHA512
0e06c6cc3b5ba1d0bd189532302260a31d38ccbda27f5bc270993ed95d678b530f9fbdb0014cea34310be095e67d25ab7db9fb34899658bf4f162ea3ea248fad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\storage\za9cvxVkOgGhSoMhKtEE6y0raZvoojqwZgg55b4Td5G.exe
Filesize
1.3MB

MD5
3389c4b2301bb78bd768541037bb8d52

SHA1
2d03f643479e626d1c8d28de18ef7d19edcfa97d

SHA256
3f91d1b1582602aab043789cff03f18bc19863c86e3035dd35d746f771748b5a

SHA512
1ae85cd36921d3472919ecddaef998c9b6b74f5584353781a397833e3a8ec90867c8089fc1e23ca9a4d3d87928747f7962227b9b01ae04d24248d287d6c6fff1

Download Submit
\Users\Admin\AppData\Local\Microsoft\Feeds Cache\28QDXKFN\SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Filesize
1.0MB

MD5
cc18ebfa05b54d41afbedd38f6e2735c

SHA1
cdcb36e6c4a1d96913b20cfcb21f82502b2b255f

SHA256
92a33ce47d9e4d0253ae94f790ca07611c7b090b69bed12a178add1685e5b4ce

SHA512
d0d81423a5e1a1c78c85be74cd4a538e0cd59c46e924b8a7dacd5e57989982db3a09525828d8d1c47e371fc34da23fdbf368ab100b769acdb50805bdd221c386

Download Submit
\Users\Admin\AppData\Local\Microsoft\Feeds Cache\28QDXKFN\SaVUWCzilFbJB163Rv1hJ2UzFStzFvKgKxf47.exe
Filesize
1.0MB

MD5
cc18ebfa05b54d41afbedd38f6e2735c

SHA1
cdcb36e6c4a1d96913b20cfcb21f82502b2b255f

SHA256
92a33ce47d9e4d0253ae94f790ca07611c7b090b69bed12a178add1685e5b4ce

SHA512
d0d81423a5e1a1c78c85be74cd4a538e0cd59c46e924b8a7dacd5e57989982db3a09525828d8d1c47e371fc34da23fdbf368ab100b769acdb50805bdd221c386

Download Submit
memory/1044-55-0x000007FEFBAC1000-0x000007FEFBAC3000-memory.dmp

Filesize
8KB

Download
memory/1632-62-0x0000000000000000-mapping.dmp

Download
memory/1632-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1632-77-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1968-65-0x0000000000FD0000-0x0000000000FFD000-memory.dmp

Filesize
180KB

Download
memory/1968-75-0x0000000000FD0000-0x0000000000FFD000-memory.dmp

Filesize
180KB

Download
memory/1968-76-0x0000000000FD0000-0x0000000000FFD000-memory.dmp

Filesize
180KB

Download
memory/2036-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2036-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads