f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da

Analysis

max time kernel
50s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Size

1.4MB
MD5

d238ae7703ab2718b189586a0e5c6bd5
SHA1

4a9c59150e4682c5749902a1c90da24274a5e369
SHA256

f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da
SHA512

8c6a490ea6cbc93f45bb4d45d02da4152d50aa6af52e3c3bccc51058389f16ea083004c7cce6203ebd59c3c738343763707cb23a9417e3f28b0149169e088b1a
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

MhlpLqjwsRWIxjYdc.exe

description pid process target process

PID 1124 created 576 1124 MhlpLqjwsRWIxjYdc.exe svchost.exe

description	pid	process	target process
PID 1124 created 576	1124	MhlpLqjwsRWIxjYdc.exe	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exeMhlpLqjwsRWIxjYdc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\jdk1.7.0_80_x64\\gA7pMUwSAmsPMYSVcQcjeBlMRk0274DVzSYU.exe\" O"	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\8by27av1.default-release\\startupCache\\6YJduXMZ2ysUIX3fbVWFXr0Klk3jlBtiIfS9jRO42UxtNj56Jia9wYLYdB46z2un.exe\" O"	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\6252p0ZLFZRt1AKLJSoRAyHTUbuiimp0yGd722xoaYEYhn7HA.exe\" O"	MhlpLqjwsRWIxjYdc.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\AutofillStates\\FZDYqViPTGfzTWHiJrYL9z8EbzNrc2CbBrrlOIbw6NAfkV6zWjeH9yD96dN73B96OTxKV.exe\" O"	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe

Executes dropped EXE 2 IoCs

Processes:

MhlpLqjwsRWIxjYdc.exeMhlpLqjwsRWIxjYdc.exe

pid process

1124 MhlpLqjwsRWIxjYdc.exe
1504 MhlpLqjwsRWIxjYdc.exe

pid	process
1124	MhlpLqjwsRWIxjYdc.exe
1504	MhlpLqjwsRWIxjYdc.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MhlpLqjwsRWIxjYdc.exeMhlpLqjwsRWIxjYdc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	MhlpLqjwsRWIxjYdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	MhlpLqjwsRWIxjYdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	MhlpLqjwsRWIxjYdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	MhlpLqjwsRWIxjYdc.exe

Loads dropped DLL 3 IoCs

Processes:

gpscript.exeMhlpLqjwsRWIxjYdc.exe

pid process

1364 gpscript.exe
1364 gpscript.exe
1124 MhlpLqjwsRWIxjYdc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1364	gpscript.exe
1364	gpscript.exe
1124	MhlpLqjwsRWIxjYdc.exe

Modifies data under HKEY_USERS 57 IoCs

Processes:

f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exegpscript.exeMhlpLqjwsRWIxjYdc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\CI5sLXlSqG8lwEsjqEGSvmGUbb.exe\" O 2>NUL"	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\.DEFAULT	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000030cbd365e500d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\liOHOrIS8mw.exe\" O"	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	MhlpLqjwsRWIxjYdc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	MhlpLqjwsRWIxjYdc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\i5DsH0UL0FA.exe\" O"	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Floc\\lr0hpclMYmUCEWeDe6ecZvxtR7BQIP.exe\" O"	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\21\\rGI4r5wrQAbQtu06rTeeV8s0tDlpfl1A.exe\" O 2>NUL"	MhlpLqjwsRWIxjYdc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-19	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	MhlpLqjwsRWIxjYdc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Platform Notifications\\wu1oEqPAtIRiy30Bni4MHyhxgIY72NTHulteCfQdviQHVOMOoUAgNO0r72R5TW.exe\" O"	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\eHome\\oa1XdXje0601SPQg5eOfWdwefEfSzQUGAI835x.exe\" O 2>NUL"	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\0\\c7xLzItmP3xrGXv2xMF.exe\" O"	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\kEOZjj9oJICHKuVOG2oNfiac9he7nzd6q4NBdnHcv0.exe\" O"	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Code Cache\\js\\index-dir\\NoySuPaXe4rYYjFh8JHWoxDSXGub8a5TnyOw.exe\" O"	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\Downloads\\50KO5foDHM.exe\" O 2>NUL"	MhlpLqjwsRWIxjYdc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft Help\\kdUwVbYH54PrueJcKDuqofzQocumcz1ydjxrvV3S0hXBj6e.exe\" O 2>NUL"	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\leveldb\\IF94dBSOoq1d.exe\" O 2>NUL"	MhlpLqjwsRWIxjYdc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\8by27av1.default-release\\cache2\\entries\\Kdvy7XaLHCIKhY7Gu7X1uP0nbPhMVMQfKZRVVa.exe\" O 2>NUL"	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Code Cache\\js\\index-dir\\qVjs8kHb3r0lBeqUhTU0SaJFfe0Ophe2irw44T1wD3I37q2xvpQlKuZ9cbS8k496NuIza7.exe\" O"	MhlpLqjwsRWIxjYdc.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\Tiles\\pin-2845162440\\mKVVAoDfbVsVC9Rqtz.exe\" O 2>NUL"	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\4TNC32EG\\eXUa23n0gPqkgdHZQkOzejKaNQHeQI.exe\" O 2>NUL"	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\9BU0sm2D7Jih8DzNccKNGJJqT6GMoJJ4AfYI4lPKjdPfKJKJbJ.exe\" O"	MhlpLqjwsRWIxjYdc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	MhlpLqjwsRWIxjYdc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-20	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe

Modifies registry class 12 IoCs

Processes:

f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Command Processor	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8by27av1.default-release\\storage\\permanent\\chrome\\idb\\3561288849sdhlie.files\\zOF3NgCIGkPfAocvlKBUxsmVjKxU5QlJIOG.exe\" O 2>NUL"	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\7fbjJW1W0io8DQIjxsJZ5oyf8WYEpQT4zc25.exe\" O"	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MhlpLqjwsRWIxjYdc.exe

pid process

1504 MhlpLqjwsRWIxjYdc.exe
1504 MhlpLqjwsRWIxjYdc.exe

pid	process
1504	MhlpLqjwsRWIxjYdc.exe
1504	MhlpLqjwsRWIxjYdc.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exeAUDIODG.EXEMhlpLqjwsRWIxjYdc.exeMhlpLqjwsRWIxjYdc.exe

description	pid	process
Token: SeBackupPrivilege	1340	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Token: SeRestorePrivilege	1340	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Token: SeShutdownPrivilege	1340	f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
Token: 33	1704	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1704	AUDIODG.EXE
Token: 33	1704	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1704	AUDIODG.EXE
Token: SeDebugPrivilege	1124	MhlpLqjwsRWIxjYdc.exe
Token: SeRestorePrivilege	1124	MhlpLqjwsRWIxjYdc.exe
Token: SeDebugPrivilege	1504	MhlpLqjwsRWIxjYdc.exe
Token: SeRestorePrivilege	1504	MhlpLqjwsRWIxjYdc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exeMhlpLqjwsRWIxjYdc.exe

description	pid	process	target process
PID 1364 wrote to memory of 1124	1364	gpscript.exe	MhlpLqjwsRWIxjYdc.exe
PID 1364 wrote to memory of 1124	1364	gpscript.exe	MhlpLqjwsRWIxjYdc.exe
PID 1364 wrote to memory of 1124	1364	gpscript.exe	MhlpLqjwsRWIxjYdc.exe
PID 1124 wrote to memory of 1504	1124	MhlpLqjwsRWIxjYdc.exe	MhlpLqjwsRWIxjYdc.exe
PID 1124 wrote to memory of 1504	1124	MhlpLqjwsRWIxjYdc.exe	MhlpLqjwsRWIxjYdc.exe
PID 1124 wrote to memory of 1504	1124	MhlpLqjwsRWIxjYdc.exe	MhlpLqjwsRWIxjYdc.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:576

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\MhlpLqjwsRWIxjYdc.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\MhlpLqjwsRWIxjYdc.exe" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Users\Admin\AppData\Local\Temp\f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
"C:\Users\Admin\AppData\Local\Temp\f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1440

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x56c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1072

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\MhlpLqjwsRWIxjYdc.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\MhlpLqjwsRWIxjYdc.exe" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\es-ES\WQRcef17zkzaN55MAzzbJHdFWIvBuL4OEsH0w7KQmLbYYpKi7W.exe
Filesize
1.9MB

MD5
15969f571982b924cd4334199371e6e9

SHA1
c2ff918568b45d5294f16199a3e2c86b280ae30d

SHA256
3cd2a5da7dcea8d072b2146bcf93ac6bdedb1fea5b8ff0ea9487e399f371f7fa

SHA512
a681e471e0d55820eedb0a6a46150b0a9f7e5af2aebd8b8472e37253061a465ddb6b9c8669c4e0966bc21cc8be27e7de5b597d759beb7c9f789450e4d0cfd563

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\SwL9OE4ujyrWazGCtoDAxBoulGDuM4MnpzMbgD.exe
Filesize
4.8MB

MD5
da4e851f9c5bbec5f5016c1daae54dca

SHA1
2b13735a44d4aa556905183712e23af92aab78c2

SHA256
c54ffbae9264bd0f5ce40c9423c3c31e27232257b629076c68306d2f49e43a32

SHA512
38c7c19a126ae1bf17089bab6a3a1337a06294daf70cba15d919c10b4b7389172c187cfe9eb6b2d256f40a231d192156f52573b4b50c744d3b96cc932d7db346

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jdk1.7.0_80_x64\gA7pMUwSAmsPMYSVcQcjeBlMRk0274DVzSYU.exe
Filesize
2.3MB

MD5
052acc47877a0196a34ddaee7c55dcf9

SHA1
04feada190ce36211f7adb3da1fcb5a613a05722

SHA256
26dbcb45cc91f23779da7479b140b2a82105002cefef2149ff6cd7c17c17d917

SHA512
6872b6ed617dfbc31be0254b37624e49e15c2e9936052f55ae398a3ccabac8d986c52e262a73887aed463c421b8a4ba65101ac7914205e9a68bf825ec0f42ab7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\NoySuPaXe4rYYjFh8JHWoxDSXGub8a5TnyOw.exe
Filesize
2.6MB

MD5
a9f39e1cd0f6a405b8dcadb6d8f1e66c

SHA1
f44ec061b1d520ce86720551ba98e8b368b4fed6

SHA256
900687440b4b5b52c91919d29016163c7b196c6c452eb31e33bf97c45832217f

SHA512
0efd810d991dbcc5eb048583ccd0d1d36a0d8a72692ccbecaaf122f5fdf82a08b54790b35693e709e5d7ea99def108487dfc08c06cf347b914499f91ccab2605

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\wu1oEqPAtIRiy30Bni4MHyhxgIY72NTHulteCfQdviQHVOMOoUAgNO0r72R5TW.exe
Filesize
1.8MB

MD5
299fc27c8801ab04e62fbbd90a782332

SHA1
7260412c35293807b6713d7abe413d84da84502c

SHA256
8305c27000a14c8696b727556cc942975bffc01b7875d28b68f3d6ea151e0985

SHA512
32e4c6d9af86abcab5b26717c6ff2efe05c8e7ca93d35ef47c43374efda2ccd405455fc93b290e7333b2e3601e136ad227b1c7811ea9d94f3151b024c2c75232

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Floc\lr0hpclMYmUCEWeDe6ecZvxtR7BQIP.exe
Filesize
2.0MB

MD5
51269256d302d29828f6b9ed883f2c82

SHA1
190d3f6599155886f2393fcb8e8e8e6c5962d059

SHA256
c2f90acd19f42e21d03fa9d6cf93151c79b4da82cff002892b8d667ca5fc54fb

SHA512
264e6e1226d5079cd394771f44167691902e015608fa61936c38c3c4e124926f8b63dbc885a9aedb2179e9b40c508d267d40a9c7f984d1f7cb1391064d0c7b1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\MhlpLqjwsRWIxjYdc.exe
Filesize
2.6MB

MD5
482a9dc5491cc09c3befe41fa1f1c791

SHA1
23088622a620ff13432d13d8f0c18fa0908d312e

SHA256
46b57a70c9fb8279c2c2f9a819d6b9b00752192796723dbcfa9db79e9594bc59

SHA512
6ef1cdafd4a913276f0cee62bc5971f0a18dd8bbae9bebb122864ec232878f2e69977c38cf4cbc189bafeb8e304de9a65603e4ce64178372a2db7ab7e7f99e8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\MhlpLqjwsRWIxjYdc.exe
Filesize
2.6MB

MD5
482a9dc5491cc09c3befe41fa1f1c791

SHA1
23088622a620ff13432d13d8f0c18fa0908d312e

SHA256
46b57a70c9fb8279c2c2f9a819d6b9b00752192796723dbcfa9db79e9594bc59

SHA512
6ef1cdafd4a913276f0cee62bc5971f0a18dd8bbae9bebb122864ec232878f2e69977c38cf4cbc189bafeb8e304de9a65603e4ce64178372a2db7ab7e7f99e8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\MhlpLqjwsRWIxjYdc.exe
Filesize
2.6MB

MD5
482a9dc5491cc09c3befe41fa1f1c791

SHA1
23088622a620ff13432d13d8f0c18fa0908d312e

SHA256
46b57a70c9fb8279c2c2f9a819d6b9b00752192796723dbcfa9db79e9594bc59

SHA512
6ef1cdafd4a913276f0cee62bc5971f0a18dd8bbae9bebb122864ec232878f2e69977c38cf4cbc189bafeb8e304de9a65603e4ce64178372a2db7ab7e7f99e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\4TNC32EG\eXUa23n0gPqkgdHZQkOzejKaNQHeQI.exe
Filesize
1.7MB

MD5
c28326db7fde62c672402b7374eff4ba

SHA1
f6a2d8a32c8f8c70615da3b6a0a8ea230098adec

SHA256
43d530a9ea47986092f1f51fd58d52a74c40ab645435a94eebb095523c8163d8

SHA512
cdb03ce2837c038803c8d01a0ce44b026ef9e06cb62fd295489f10d6ab6bf58d9a943353b94d0c52b617cdc66eeba8221c872fb16df400f30b4569f54ed2f073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\CI5sLXlSqG8lwEsjqEGSvmGUbb.exe
Filesize
2.7MB

MD5
950baa18d2a5b96402dd0747a4e50a20

SHA1
df6dfc5a3da1efcf1b5f2c631f713153d7f8480c

SHA256
c43d18431ee91e2ab39778d2bdf247ac56b987799d60dcae3bed0fb0ff780699

SHA512
1814ded90da07739b22f5a1023bf41299d78e4809c2114135a05bcd66d83743931c4b918bf141535e6e33eb993b78aa5d61abd7ae71c71f65ede3a458ff30be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\mKVVAoDfbVsVC9Rqtz.exe
Filesize
2.0MB

MD5
f83846698bb542b97814b38acee05d39

SHA1
3030d4d22af439d435f5e7284dfdcafda7fa907a

SHA256
b19da431b7ad2d8fff1c0be5b19a3a353a311e12d26e24db48d75cbd26a2e9c2

SHA512
c258cb405ef2200ab41a8e97c508dd5d341c2e9368098ef7e53868c941a16934aaa3d344d67226dbd4cbad7b06ebc47fd799085017ae7c0639e6014aea543a7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\3xMqF2AmSGfN7mqjnNWAIu7IWc6AlpF2r73RVUdGGS8dgtmnDGqWIn5KbMWveXznn2VZB.bat
Filesize
3.1MB

MD5
12a86c48fd18468a815d2325bbb93b8a

SHA1
12999b5026467873b393f2a35eab3ac1b8520c61

SHA256
9add8e40939727e6644425cb96880df84874561b2d1a460ea75ae1ecc53b19e0

SHA512
e753d2a84d1e73d056189179e75d4c5d12287cf7ec79f1406aee2628067a9c6068f63694db685811eb8cc0c6612800aeb8cabcb879de07d87b234900a81eda53

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\MhlpLqjwsRWIxjYdc.exe
Filesize
2.6MB

MD5
482a9dc5491cc09c3befe41fa1f1c791

SHA1
23088622a620ff13432d13d8f0c18fa0908d312e

SHA256
46b57a70c9fb8279c2c2f9a819d6b9b00752192796723dbcfa9db79e9594bc59

SHA512
6ef1cdafd4a913276f0cee62bc5971f0a18dd8bbae9bebb122864ec232878f2e69977c38cf4cbc189bafeb8e304de9a65603e4ce64178372a2db7ab7e7f99e8d

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\MhlpLqjwsRWIxjYdc.exe
Filesize
2.6MB

MD5
482a9dc5491cc09c3befe41fa1f1c791

SHA1
23088622a620ff13432d13d8f0c18fa0908d312e

SHA256
46b57a70c9fb8279c2c2f9a819d6b9b00752192796723dbcfa9db79e9594bc59

SHA512
6ef1cdafd4a913276f0cee62bc5971f0a18dd8bbae9bebb122864ec232878f2e69977c38cf4cbc189bafeb8e304de9a65603e4ce64178372a2db7ab7e7f99e8d

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\MhlpLqjwsRWIxjYdc.exe
Filesize
2.6MB

MD5
482a9dc5491cc09c3befe41fa1f1c791

SHA1
23088622a620ff13432d13d8f0c18fa0908d312e

SHA256
46b57a70c9fb8279c2c2f9a819d6b9b00752192796723dbcfa9db79e9594bc59

SHA512
6ef1cdafd4a913276f0cee62bc5971f0a18dd8bbae9bebb122864ec232878f2e69977c38cf4cbc189bafeb8e304de9a65603e4ce64178372a2db7ab7e7f99e8d

Download Submit
memory/1124-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1124-62-0x0000000000000000-mapping.dmp

Download
memory/1124-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1124-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1340-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1340-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1364-76-0x0000000000CB0000-0x0000000000CDD000-memory.dmp

Filesize
180KB

Download
memory/1364-77-0x0000000000CB0000-0x0000000000CDD000-memory.dmp

Filesize
180KB

Download
memory/1364-64-0x0000000000CB0000-0x0000000000CDD000-memory.dmp

Filesize
180KB

Download
memory/1364-65-0x0000000000CB0000-0x0000000000CDD000-memory.dmp

Filesize
180KB

Download
memory/1440-55-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download
memory/1504-80-0x0000000000000000-mapping.dmp

Download
memory/1504-85-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads