1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a

Analysis

max time kernel
207s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Size

872KB
MD5

b975f849631c3bdee73a78eb9f3c2dd9
SHA1

586ba9d75a0907e1ad3577f48fd8429429ead3d8
SHA256

1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a
SHA512

0b48f9c0afd7925dfc889545accc4f6f00ecf48a494939b1ba53d1f2e1ce72480472ecddaad375fcbb3dda2a2a1f4d8dfb1351d136e36c565898515d350e7036
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exeExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\fr-FR\\AMPQ7tj9.exe\" O"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\blob_storage\\dhYOAVf04zVqOvQuMmqI8PLJoDwt50tEwXAudmNeZppRre1I8fkFdnuCHZNelDqkJm.exe\" O"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\vek4K4LIkkbGN0yxDJg5R5VGsXf727WF23WHDERomqBAme3tHRrcU2DWqDsA.exe\" O"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DNTException\\85f3QLohwNgTseEiRpTWhlObIMakpTbcUnWNNZQwafDAgr1zLQj8SQMc6oFX.exe\" O"	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe

Executes dropped EXE 1 IoCs

Processes:

ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat

pid process

600 ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat

pid	process
600	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1436 gpscript.exe
1436 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1436	gpscript.exe
1436	gpscript.exe

Modifies data under HKEY_USERS 59 IoCs

Processes:

1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exeExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.batgpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ae6vytmk.default-release\\minidumps\\aEQqogH1o88LaHLC92m7IRj7LKVAbOwNuATRyM6dsnBGtjtduFRuhzC.exe\" O"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\jdk1.7.0_80_x64\\gHmRFNqby7sszZoXAUNZRiHUFhOgQjVAYT5tF5V477fHJZrW56uhqcU5Y.exe\" O"	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\.DEFAULT	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\61\\hFMp7nihCkGzk77MXL3vjyAyUpYmGCTc6.exe\" O"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000c09ea37ee400d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Network\\Downloader\\NsiZXNXXMz.exe\" O 2>NUL"	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\WebCache\\3GHm0jf8W7wNMa.exe\" O 2>NUL"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\GatherLogs\\2sokWWEKDcWdtOXLRpPSkdjasNpwLxGgjNPVs2mClXNXZb6xg.exe\" O"	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000040e250a4e400d901	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3406023954-474543476-3319432036-1000\\13IWfxl8HuL3wdZjjGGObfnvs1tTxNjlv0G5.exe\" O 2>NUL"	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\j9iITNuUiBOfTRqecEgqg3FR3g8zu7B0X5Sblovusf6YsUmn1g1sxrFtbY1MtNHZc9Ub.exe\" O 2>NUL"	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\GPUCache\\WxMiqnea0nYbV2C2WG31R4X9.exe\" O"	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\UaYbHRm9M2Dq3HXa31EBCU0L1MoJgsPgtWWLjrplo.exe\" O"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Pictures\\WuShpEDsKL6Ja.exe\" O"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Data\\LevelDB\\zNiPwuReyshBDswEb2s3EIsa44NbCTGZUb2iq8XotswbZzWYk2oJxP9GszJF7geyK2aNakj.exe\" O 2>NUL"	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\guyXNlw8YcY1d2hCQ1JCGabhNo765hmO7sJjI9OTPHAPwVzg13.exe\" O"	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\8zN1FbrOXalucthIEpM7jf0te6rMjJn7CWHWN.exe\" O 2>NUL"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\WwanSvc\\WQnCNZZDE.exe\" O 2>NUL"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Code Cache\\js\\USLBFe2aLcabmIkaQ3m2CyRJMyHIM19tN1XbDLQyEnfD.exe\" O 2>NUL"	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Key created	\REGISTRY\USER\S-1-5-20	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\Groove\\eQ3ooUzcqNPAcqH8zoqYE1pCr1Dk823rb.exe\" O"	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\ae6vytmk.default-release\\thumbnails\\6Ztr68ktRUoCgJE8f6GtzQHG3gzN701MdhRN1t30e.exe\" O 2>NUL"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-19	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe

Modifies registry class 12 IoCs

Processes:

1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Command Processor	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ae6vytmk.default-release\\security_state\\OKYMp3X3CzGigBH30kcOMYuUoeg2aHqBbLXQJZoPqMpsn947y3WrFB.exe\" O 2>NUL"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\\packages\\KgMgXrOhkIqukGMArmtQSOT.exe\" O"	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exeAUDIODG.EXEExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat

description	pid	process
Token: SeBackupPrivilege	1992	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Token: SeRestorePrivilege	1992	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Token: SeShutdownPrivilege	1992	1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
Token: 33	1648	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1648	AUDIODG.EXE
Token: 33	1648	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1648	AUDIODG.EXE
Token: SeDebugPrivilege	600	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Token: SeRestorePrivilege	600	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1436 wrote to memory of 600	1436	gpscript.exe	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
PID 1436 wrote to memory of 600	1436	gpscript.exe	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
PID 1436 wrote to memory of 600	1436	gpscript.exe	ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat

C:\Users\Admin\AppData\Local\Temp\1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe
"C:\Users\Admin\AppData\Local\Temp\1db9b19cb422cef2a7211c98cf20a5c2b651fb7bfc90e25ac38cfddad0ca023a.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1176

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1524

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:600

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\hFMp7nihCkGzk77MXL3vjyAyUpYmGCTc6.exe
Filesize
1.6MB

MD5
431b59de849d01fdc3f029b3b489131e

SHA1
837b2da4ad4593712c5a2026e35020c1fcc4e47f

SHA256
6238f6e642c444c026cc9e6c61fa25a0b20f8799287db4eef9b1f77637186578

SHA512
4aa295bf4541eb6c4af560c0510d178f9c676dee3ebc98b7bff6fdc5443cdb0572f16ccc65f88bcc9cdfbb2682adfc55c147e9a8677a02194cf15c3a8aba3e15

Download Submit
C:\Users\Admin\AppData\Local\8zN1FbrOXalucthIEpM7jf0te6rMjJn7CWHWN.exe
Filesize
1.5MB

MD5
77a18cb210cd355ef46ea3567398619a

SHA1
ef580de357e3f4a64efa5f6918b86389c39f91a7

SHA256
fe212b76c487073cddd8d819bfa013f45ed9c8e3a874a2faa615743d210a3f01

SHA512
330220437073c707d6f31033ffef259d94db81ff478a24b7062e5c59c9499dc952a4ffc5721b17df7175eaf7c36fbbfa30368b6f59fcb2e059506d0268c41d2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\b4dwFjiDjVMtVeQp5f18ikvie5xZWRc6wZzzBfkP2bdFgiioRNWWRDW92.exe
Filesize
1.2MB

MD5
bee6d69f71158b2f29f6f42ee602b5a0

SHA1
00115db5a9f92575ddaa862170a025fb85ac9214

SHA256
085d57dc6963ef563b4b4463d4c0225a818b11695f7bbf92a542c0a8e3f29431

SHA512
f0a156289a435a633ff89382e1c3a2c74ffdaf1847c854609d7082f6a20a3167bf0838c113831eb7b3b500be8976a89d6ad673e62a5e5f3b793eacb5dc0209e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\dhYOAVf04zVqOvQuMmqI8PLJoDwt50tEwXAudmNeZppRre1I8fkFdnuCHZNelDqkJm.exe
Filesize
1.0MB

MD5
f2445d71a450626ff2fa744481dddc78

SHA1
e6b1c14bdef5c12db865ce6047ac94094b43243d

SHA256
78b661f7839e182afc87408769727b7f0b6f6a215abafbfe316d598e65bf4abc

SHA512
2e0529c9cdced7ef7e72325191ddeb4a7bb4c91b1e735543575ea28c1cf872eece4def2b72b3dc0d32d9c979a05a62ae8d65a224396b2665c57788fad7688151

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Filesize
1.5MB

MD5
587134985e6ed3475411aeb71e721ebb

SHA1
2d2eb0fc0d1df8edb5dad4389e5a2a6291d45c47

SHA256
f3b318e8d681b2b6d1fe3121c6ed5ca4fc546b34a7ef1010196459ebc51f5f90

SHA512
88d557066f1a303f31af64ed2b55bbcee3d78f4f7f7dfa9a5f3083c7bd3427888269990aa0d626173ee88361f04508677a88aba8c3542473738f1fd92eafa03a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Filesize
1.5MB

MD5
587134985e6ed3475411aeb71e721ebb

SHA1
2d2eb0fc0d1df8edb5dad4389e5a2a6291d45c47

SHA256
f3b318e8d681b2b6d1fe3121c6ed5ca4fc546b34a7ef1010196459ebc51f5f90

SHA512
88d557066f1a303f31af64ed2b55bbcee3d78f4f7f7dfa9a5f3083c7bd3427888269990aa0d626173ee88361f04508677a88aba8c3542473738f1fd92eafa03a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\3GHm0jf8W7wNMa.exe
Filesize
1.5MB

MD5
28820dcfdcf06cf4a39ba297cd832179

SHA1
c7bdcf3ac072edb9051f47043ee4e40185fa55a0

SHA256
801c9b0eb687b8a1a7d80df3e505b1a625244a0d9b8d49154b20afa99debb507

SHA512
210078d096f9cf6c5ccd893caf37ba50a4a8438a597c26b54daecf101e178fe8af814865119a90ab393baf671309519c2943586debb6243d75a1f32fbf1b1021

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ae6vytmk.default-release\thumbnails\6Ztr68ktRUoCgJE8f6GtzQHG3gzN701MdhRN1t30e.exe
Filesize
876KB

MD5
a153dbe8dba7edc327853762158a15c8

SHA1
507f33f8895fe25f00eba775a6ad7924352f85e5

SHA256
7412378895807f187f496bcc827a8a3ab2eeaafcd248452e5c85e2bdecad47c4

SHA512
1e8d04291c5b1add9350ff54a368bce74ed3ea4f572cf9cab34b1cca1e9b6d9893009f5f76f2eb9f8cd667c83d5f23bea7a865693c4d76bfcd7bda7f13230890

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\UaYbHRm9M2Dq3HXa31EBCU0L1MoJgsPgtWWLjrplo.exe
Filesize
1.1MB

MD5
00aebf4695b25315cb79b8876fdb1061

SHA1
456b1169efd094b9211c3cc8ad0fc9d05661f1a1

SHA256
2ce794978d4ad94467b991045cf09a0cbe66d97d178a47ab12aa93c4ad6c1f01

SHA512
5d4e25f57c7bc417fe1d22b90b0f99676832afc865cf6039c4b5ba732c383a862cc8a8d8cc45e2ec96e2993a17a489dbcc8e88147c81c4c885244f9e0f7bf7c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\minidumps\aEQqogH1o88LaHLC92m7IRj7LKVAbOwNuATRyM6dsnBGtjtduFRuhzC.exe
Filesize
1.3MB

MD5
672863c2e8217abbc7897c419dd0f5f5

SHA1
863c690ceb1f2420b3123f89271c14ae8748710a

SHA256
2cded36c9303067fe55747425aa109d1f0d14e1fe03c0258f8b0bd5440f004e0

SHA512
6b97273e05025e1d16fc31d685c338bff3fe81102479e8184e86910dcf005282d6b0f89db666d0c5a4083d0bba2b6824cc50edf77dcfcef70e64a1542a0ef406

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Filesize
1.5MB

MD5
587134985e6ed3475411aeb71e721ebb

SHA1
2d2eb0fc0d1df8edb5dad4389e5a2a6291d45c47

SHA256
f3b318e8d681b2b6d1fe3121c6ed5ca4fc546b34a7ef1010196459ebc51f5f90

SHA512
88d557066f1a303f31af64ed2b55bbcee3d78f4f7f7dfa9a5f3083c7bd3427888269990aa0d626173ee88361f04508677a88aba8c3542473738f1fd92eafa03a

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\ExUE4mjJdjT9dMthENwFa56FLGY06kMLvGprsvJ1RaN522Kv4.bat
Filesize
1.5MB

MD5
587134985e6ed3475411aeb71e721ebb

SHA1
2d2eb0fc0d1df8edb5dad4389e5a2a6291d45c47

SHA256
f3b318e8d681b2b6d1fe3121c6ed5ca4fc546b34a7ef1010196459ebc51f5f90

SHA512
88d557066f1a303f31af64ed2b55bbcee3d78f4f7f7dfa9a5f3083c7bd3427888269990aa0d626173ee88361f04508677a88aba8c3542473738f1fd92eafa03a

Download Submit
memory/600-62-0x0000000000000000-mapping.dmp

Download
memory/600-70-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/600-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1176-55-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/1436-68-0x0000000000CB0000-0x0000000000CDD000-memory.dmp

Filesize
180KB

Download
memory/1436-69-0x0000000000CB0000-0x0000000000CDD000-memory.dmp

Filesize
180KB

Download
memory/1436-76-0x0000000000CB0000-0x0000000000CDD000-memory.dmp

Filesize
180KB

Download
memory/1436-77-0x0000000000CB0000-0x0000000000CDD000-memory.dmp

Filesize
180KB

Download
memory/1992-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1992-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads