01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa

Analysis

max time kernel
127s
max time network
132s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Size

910KB
MD5

218e181245104ef15e7ecd9d5e8462f7
SHA1

ca582deaf5f4f3c2c640255374257d2afe0665be
SHA256

01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa
SHA512

854e524a8194b0eedf50341637555db3dfe4fa6e7aadfd90921f5876857524b871c0a6e280ab8ef1a7f57ccc55204dbf30ba12232dd662132eadbb0c6ab04682
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

xxlWLhUZlv3uu.exe

description pid process target process

PID 1816 created 592 1816 xxlWLhUZlv3uu.exe svchost.exe

description	pid	process	target process
PID 1816 created 592	1816	xxlWLhUZlv3uu.exe	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xxlWLhUZlv3uu.exe01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\7MCOlbbrn8M8IsGL4xI8sQPSyrt8IrFUg0rTceaZFF0HVQeAGD2E.exe\" O"	xxlWLhUZlv3uu.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Adobe\\Updater6\\5mHZKn6ghWrrrm0E4wcyorH6y1ZntOkjoGvEI8TAqjQiY6S6kRkKWSaMQd2XaHn.exe\" O"	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\gtOasf9CsWdx3RTrAUNfEA7gS6YKO43Au8nmBQLzIF1.exe\" O"	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\6THCX874\\yux1c20FFtIwD1iHgGyQ.exe\" O"	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xxlWLhUZlv3uu.exe

Executes dropped EXE 2 IoCs

Processes:

xxlWLhUZlv3uu.exexxlWLhUZlv3uu.exe

pid process

1816 xxlWLhUZlv3uu.exe
1712 xxlWLhUZlv3uu.exe

pid	process
1816	xxlWLhUZlv3uu.exe
1712	xxlWLhUZlv3uu.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xxlWLhUZlv3uu.exexxlWLhUZlv3uu.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	xxlWLhUZlv3uu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	xxlWLhUZlv3uu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	xxlWLhUZlv3uu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	xxlWLhUZlv3uu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	xxlWLhUZlv3uu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	xxlWLhUZlv3uu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	xxlWLhUZlv3uu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	xxlWLhUZlv3uu.exe

Loads dropped DLL 3 IoCs

Processes:

gpscript.exexxlWLhUZlv3uu.exe

pid process

672 gpscript.exe
672 gpscript.exe
1816 xxlWLhUZlv3uu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
672	gpscript.exe
672	gpscript.exe
1816	xxlWLhUZlv3uu.exe

Modifies data under HKEY_USERS 59 IoCs

Processes:

01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exexxlWLhUZlv3uu.exegpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Q9zOC7x0O3ym6vLD3P7e7QYQk.exe\" O 2>NUL"	xxlWLhUZlv3uu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\History\\upGBX91IqBSWlApU2xCiY6S9Q8kz.exe\" O 2>NUL"	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	xxlWLhUZlv3uu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	xxlWLhUZlv3uu.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\fZVDc9rO14By.exe\" O 2>NUL"	xxlWLhUZlv3uu.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	xxlWLhUZlv3uu.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\CifZx8doWlFDVsCX3p2wxMpBWVJizSs7XlhwpN69jDwGnUAWSXwJiFW.exe\" O 2>NUL"	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-19	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	xxlWLhUZlv3uu.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Credentials\\5KuCuak8T1iOROM3MYSqvf2vpxrDVnPjY5JJALdgQlNjLX2CX0NWZxp3NiqkvJuerT.exe\" O"	xxlWLhUZlv3uu.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xxlWLhUZlv3uu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	xxlWLhUZlv3uu.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Public\\Recorded TV\\feUYCILuMkOzmAznxkpyNskiyUOxjbplNf9qD00aWkkeDgyHVTB6CjiZmKgI.exe\" O 2>NUL"	xxlWLhUZlv3uu.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xxlWLhUZlv3uu.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\it-IT\\f20cjQs58cfRQGMyA6gFDGLW.exe\" O"	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xxlWLhUZlv3uu.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	xxlWLhUZlv3uu.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000d09fd1a2e500d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	xxlWLhUZlv3uu.exe
Key created	\REGISTRY\USER\.DEFAULT	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\v3bdr2xMJ0hL3XqiTfQUnXEPiz.exe\" O 2>NUL"	xxlWLhUZlv3uu.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Crypto\\Keys\\t6oLSx9IqPUk.exe\" O"	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\SafetyTips\\D6jRV3oJ4kIwYjkLKMNtcjb8rCWcEpLTGyblAIq4ekLoTHSRJ76dR3MAXSNa71mEZ1MUZ.exe\" O"	xxlWLhUZlv3uu.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\Favorites\\ow9QQVTIeHQD0kBp23.exe\" O"	xxlWLhUZlv3uu.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\Color\\tdJIcclr2RW2zfAqUvP6XDYZGg2wnbmOheo.exe\" O"	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-20	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\wJLq6cI0HCpbxyzn.exe\" O 2>NUL"	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\History\\RwJ82TGshy0wZmt.exe\" O 2>NUL"	xxlWLhUZlv3uu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\\packages\\4lxMTjxIKwCW0LdwR.exe\" O"	xxlWLhUZlv3uu.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8by27av1.default-release\\datareporting\\archived\\3pcdbxvvwFG3XNtwrPYq5vz0xqBzZi8W3YBCKt4uo7fUfLOKybUXgz4RsJ6UHcrorvMed.exe\" O 2>NUL"	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\OpWEtf31t4IkwTHQoyS5AjwG.exe\" O"	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft Help\\vwx5nHYf5ZimIPcK5vGuSbEzz.exe\" O"	xxlWLhUZlv3uu.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	xxlWLhUZlv3uu.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000090640ba8e500d901	xxlWLhUZlv3uu.exe

Modifies registry class 12 IoCs

Processes:

01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\52\\HeHjtnj1gFmp8ZoMUdHWhYHMmIFn7qx.exe\" O"	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Command Processor	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\packages\\wMomc2dHWiXevoCfuC1j68MoIOYwiqjRpvBN2o88tsO.exe\" O 2>NUL"	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

xxlWLhUZlv3uu.exe

pid process

1712 xxlWLhUZlv3uu.exe
1712 xxlWLhUZlv3uu.exe

pid	process
1712	xxlWLhUZlv3uu.exe
1712	xxlWLhUZlv3uu.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exeAUDIODG.EXExxlWLhUZlv3uu.exexxlWLhUZlv3uu.exe

description	pid	process
Token: SeBackupPrivilege	1168	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Token: SeRestorePrivilege	1168	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Token: SeShutdownPrivilege	1168	01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
Token: 33	2028	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2028	AUDIODG.EXE
Token: 33	2028	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2028	AUDIODG.EXE
Token: SeDebugPrivilege	1816	xxlWLhUZlv3uu.exe
Token: SeRestorePrivilege	1816	xxlWLhUZlv3uu.exe
Token: SeDebugPrivilege	1712	xxlWLhUZlv3uu.exe
Token: SeRestorePrivilege	1712	xxlWLhUZlv3uu.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exexxlWLhUZlv3uu.exe

description	pid	process	target process
PID 672 wrote to memory of 1816	672	gpscript.exe	xxlWLhUZlv3uu.exe
PID 672 wrote to memory of 1816	672	gpscript.exe	xxlWLhUZlv3uu.exe
PID 672 wrote to memory of 1816	672	gpscript.exe	xxlWLhUZlv3uu.exe
PID 1816 wrote to memory of 1712	1816	xxlWLhUZlv3uu.exe	xxlWLhUZlv3uu.exe
PID 1816 wrote to memory of 1712	1816	xxlWLhUZlv3uu.exe	xxlWLhUZlv3uu.exe
PID 1816 wrote to memory of 1712	1816	xxlWLhUZlv3uu.exe	xxlWLhUZlv3uu.exe

C:\Users\Admin\AppData\Local\Temp\01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe
"C:\Users\Admin\AppData\Local\Temp\01f6049d59f92526be8f60eb70be8132041349d3f5d3753bd53bb0291e0fbdfa.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:592

C:\Users\Default\Desktop\xxlWLhUZlv3uu.exe
"C:\Users\Default\Desktop\xxlWLhUZlv3uu.exe" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:888

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:672

C:\Users\Default\Desktop\xxlWLhUZlv3uu.exe
"C:\Users\Default\Desktop\xxlWLhUZlv3uu.exe" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\f20cjQs58cfRQGMyA6gFDGLW.exe
Filesize
1.8MB

MD5
d6de446adee666396c7661016fd457cf

SHA1
0f0a293643504ed8c0747890b3a3ee3cfd82a91d

SHA256
29cb931c6945bce4a43b23537f056da78a3c0bc8064dcd12907800512b02f4e6

SHA512
ddd3e1e521d3f4075d21962a233fc0aa6be2781134abf871f77730e4c4fb487d7f01d21f8bf57963dd86086e25f2c52be9e1ac8e865f141031f03e67d0ce80d8

Download Submit
C:\ProgramData\Microsoft\Windows Defender\OpWEtf31t4IkwTHQoyS5AjwG.exe
Filesize
1.7MB

MD5
a2cdb6f6d1019e279c96e1fe1beae58c

SHA1
f40cc9603fb3d4db7ace7dfcd06cc30735d32ade

SHA256
7f1e4736552ca3deb7ffe0cb9e8a35e82043b5b2582d684943f5ecb89b87b6e1

SHA512
3becbbc6aa7d87775a75bcfe7386ad2091c010e329d79018b7e0c5bc1aa80adad26c99e8467c1309638912db34f1753bd9cc92103dffaded5cd724fa6e1d53ad

Download Submit
C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\vb79gmh6xIgo6rxhwGeLovFq4TzMJk6R9xjFGt7nwOBjX.exe
Filesize
2.7MB

MD5
bda49232016dbc18a27573b91772a8ab

SHA1
af9d735dd034f7bae1e361b7c24b0734384d0b7b

SHA256
55a26812e835c282cb773d75c51715941eca4f7bbe37f5eca5ce2276002ca7cf

SHA512
dc68f250adf674166a04757457508ebf496b9659671a916ed05ed4f3bc4b61e43f26d2d0861aca277fc49bca3500ab5e49925d780c60c4ff9cbfe5a15a31397e

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\gtOasf9CsWdx3RTrAUNfEA7gS6YKO43Au8nmBQLzIF1.exe
Filesize
1.2MB

MD5
c79b9e3288b6261a35afbf59cd6eeb05

SHA1
f8af561510be4cd1de8b26a185e02e10b03fd94b

SHA256
20aaa9765455f255298e65f5ae171b9f54215aef7a524523178bef2b572cce6a

SHA512
5927ba33ba5c853eb9f1dfdcedc155dca68076aeb1093bec0238c89e19d4ed53d048ad59e11d01237cefd7db2f7082b895cd08ba75f6e620d0dfade31e6c64fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\host\g2p5YS2Rl1kF2Wx.exe
Filesize
1.6MB

MD5
6badb1de413a4413482a881deda3e59d

SHA1
cf1740f85c31ff9db754835f8e5d1f197d0da494

SHA256
48a4f0d5b39899df0439801f06c2a4a3096c6f183a32c4a8b700089939a8e07c

SHA512
605e5670b318a3e8ed69b0c42c8c42fcda37bf04a7bcdd751574bb5a00558abf725aa66fb5be3f810e86d96072759afcce0e1ac841434deb75dad0198d031c85

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\tdJIcclr2RW2zfAqUvP6XDYZGg2wnbmOheo.exe
Filesize
1.2MB

MD5
afc928c9540bd3216ca958aadfa76dc0

SHA1
fc9f8261dc166076642efdbdb43378b46153fee3

SHA256
f4985bbbefd2b65e84b711b9371fd480a71683aa6c1f2c0877a2335cc7087483

SHA512
a2d46724213e9835de8739cae98604dcc4cbfa382b3ad8fab962ee12a4cf29f984a7db2640d28138088b31206becc818afdeddd29014d7c773e0aba2a3ff7452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\ZfxBrPjWvtnWjla.cmd
Filesize
2.5MB

MD5
ef535b890b45a58deed91542d1d52a85

SHA1
225a7c8afeb1a3f0badb8db2e86c3789c64f0b72

SHA256
338c935c41d5ec008d45cc5f74b4f0a8b6c286135e7b9e346c5afd39d4227227

SHA512
7dfa320eadcc747d08e9e94edc2ae18f6d8b2c3de7d8bf194e3536ce16b66d731f618a45ad6952322d4bb06ca19453cb678c84fd307531b14e5b4d3452f3460e

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\CifZx8doWlFDVsCX3p2wxMpBWVJizSs7XlhwpN69jDwGnUAWSXwJiFW.exe
Filesize
934KB

MD5
833d77eec56d18a9957df69224521379

SHA1
a6e8ac3687d6765cff0c7bca2fa2351d87046858

SHA256
5fb1dbf4d2ce4c0c71a1efd519e1142679e5fca912f10de79ebea3a69897b974

SHA512
4ff4049dbbc1789ff1044db39dda8821dfdc1728882ac3b06a29823e2a141c2ddf56015778c3cc534c414f849cc9890f69e4d9a7695af2943b743797c4b69d11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8by27av1.default-release\datareporting\archived\3pcdbxvvwFG3XNtwrPYq5vz0xqBzZi8W3YBCKt4uo7fUfLOKybUXgz4RsJ6UHcrorvMed.exe
Filesize
1.0MB

MD5
dbd837e9259c4bb6a9f60f7d964a4f98

SHA1
24e9bb5beac15717195dcfc8eb1ec5aae72198d5

SHA256
88e60d48121219caf471dee7a6f8846993b1d9130512d7153a467a353b0e3e0c

SHA512
94ba5e90f73755812de8088cba1a5659f9a2326ac48361912e97e457bb8e842bdaf9dab6a1fa7b82271b079bfc9da6d65d7b1ca4e5ced9a2dd535bdf643f3c4f

Download Submit
C:\Users\Default\AppData\Roaming\Media Center Programs\wJLq6cI0HCpbxyzn.exe
Filesize
1.0MB

MD5
e969800ed70dabc4b22bea830e77af5c

SHA1
60f18bc83f342a9935b3ed2485c72149cea0a1f4

SHA256
b1217139e3255aab18348262e7f020a35c2853f3771c03e2c4ffb375844c7049

SHA512
94c06f666f6dd432584dfd1496f58899cf1076dc223a7c3a09818f72c8bf1acb7940835a09a4c7dae5d9383a4dca14c8076326e4d30d3fab86eb719984c94479

Download Submit
C:\Users\Default\Desktop\xxlWLhUZlv3uu.exe
Filesize
1.6MB

MD5
f7970d1e42ee374b0426ee9f9ffae6eb

SHA1
a4d385b8bf1eca1f2dd5cba23f2c5c0c5aa52853

SHA256
0b855e281086bfdba803806446b3977f2db124e3c38921eeacede84b7aba6d1f

SHA512
4ebd086479debeb021cdf38c29d28d1b6fcfe752484a8a8a210df3fc9d5155576d2b76364963ebe3ef57c1d45dee31f0601cb539fd1986e2dd7eeb7bb48ee74b

Download Submit
C:\Users\Default\Desktop\xxlWLhUZlv3uu.exe
Filesize
1.6MB

MD5
f7970d1e42ee374b0426ee9f9ffae6eb

SHA1
a4d385b8bf1eca1f2dd5cba23f2c5c0c5aa52853

SHA256
0b855e281086bfdba803806446b3977f2db124e3c38921eeacede84b7aba6d1f

SHA512
4ebd086479debeb021cdf38c29d28d1b6fcfe752484a8a8a210df3fc9d5155576d2b76364963ebe3ef57c1d45dee31f0601cb539fd1986e2dd7eeb7bb48ee74b

Download Submit
C:\Users\Default\Desktop\xxlWLhUZlv3uu.exe
Filesize
1.6MB

MD5
f7970d1e42ee374b0426ee9f9ffae6eb

SHA1
a4d385b8bf1eca1f2dd5cba23f2c5c0c5aa52853

SHA256
0b855e281086bfdba803806446b3977f2db124e3c38921eeacede84b7aba6d1f

SHA512
4ebd086479debeb021cdf38c29d28d1b6fcfe752484a8a8a210df3fc9d5155576d2b76364963ebe3ef57c1d45dee31f0601cb539fd1986e2dd7eeb7bb48ee74b

Download Submit
\Users\Default\Desktop\xxlWLhUZlv3uu.exe
Filesize
1.6MB

MD5
f7970d1e42ee374b0426ee9f9ffae6eb

SHA1
a4d385b8bf1eca1f2dd5cba23f2c5c0c5aa52853

SHA256
0b855e281086bfdba803806446b3977f2db124e3c38921eeacede84b7aba6d1f

SHA512
4ebd086479debeb021cdf38c29d28d1b6fcfe752484a8a8a210df3fc9d5155576d2b76364963ebe3ef57c1d45dee31f0601cb539fd1986e2dd7eeb7bb48ee74b

Download Submit
\Users\Default\Desktop\xxlWLhUZlv3uu.exe
Filesize
1.6MB

MD5
f7970d1e42ee374b0426ee9f9ffae6eb

SHA1
a4d385b8bf1eca1f2dd5cba23f2c5c0c5aa52853

SHA256
0b855e281086bfdba803806446b3977f2db124e3c38921eeacede84b7aba6d1f

SHA512
4ebd086479debeb021cdf38c29d28d1b6fcfe752484a8a8a210df3fc9d5155576d2b76364963ebe3ef57c1d45dee31f0601cb539fd1986e2dd7eeb7bb48ee74b

Download Submit
\Users\Default\Desktop\xxlWLhUZlv3uu.exe
Filesize
1.6MB

MD5
f7970d1e42ee374b0426ee9f9ffae6eb

SHA1
a4d385b8bf1eca1f2dd5cba23f2c5c0c5aa52853

SHA256
0b855e281086bfdba803806446b3977f2db124e3c38921eeacede84b7aba6d1f

SHA512
4ebd086479debeb021cdf38c29d28d1b6fcfe752484a8a8a210df3fc9d5155576d2b76364963ebe3ef57c1d45dee31f0601cb539fd1986e2dd7eeb7bb48ee74b

Download Submit
memory/672-68-0x0000000001030000-0x000000000105D000-memory.dmp

Filesize
180KB

Download
memory/672-67-0x0000000001030000-0x000000000105D000-memory.dmp

Filesize
180KB

Download
memory/672-76-0x0000000001030000-0x000000000105D000-memory.dmp

Filesize
180KB

Download
memory/672-77-0x0000000001030000-0x000000000105D000-memory.dmp

Filesize
180KB

Download
memory/992-55-0x000007FEFC341000-0x000007FEFC343000-memory.dmp

Filesize
8KB

Download
memory/1168-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1168-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1712-80-0x0000000000000000-mapping.dmp

Download
memory/1712-85-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1816-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1816-62-0x0000000000000000-mapping.dmp

Download
memory/1816-81-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1816-69-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads