d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093

Analysis

max time kernel
145s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Size

905KB
MD5

960bb89f9be3934abba2bad6d26bd1a7
SHA1

1d3d8b2910b725d4e472ea1b90f6b10c0614c060
SHA256

d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093
SHA512

d4423d6fbc84c3359c391d5b29097d33d10794bb636718cbff2b98cfc4c1f2ff40b671fa6c50fa097f299bd90c7c32650bca31e0081921cf65a2548e7c36d8a3
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exeByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\GatherLogs\\RnfcPtjoMXbVEE6NeVtlLMciuwVQas7mhJXAyxOOCUd9E7aVZBm5wCOFb5VDRakpnKo.exe\" O"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows Sidebar\\t8J6lA218lcG78bjvdyy86aGUSOzslMsh3qjFsqDeJM.exe\" O"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\HfjGutTCLL7tN.exe\" O"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ae6vytmk.default-release\\storage\\permanent\\chrome\\idb\\1451318868ntouromlalnodry--epcr.files\\8riDOTlmKvn68wOn8Mga0MeQz0BRpahUeMnB9vflvbBZXAsuOC5FyM9H.exe\" O"	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat

Executes dropped EXE 1 IoCs

Processes:

ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat

pid process

1640 ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat

pid	process
1640	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

972 gpscript.exe
972 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
972	gpscript.exe
972	gpscript.exe

Modifies data under HKEY_USERS 56 IoCs

Processes:

ByMPHfMquZPKUqgnpMgjr3pYg8Oa.batd3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exegpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Key created	\REGISTRY\USER\S-1-5-19	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\9\\PpugkhAdRYKr63SG6vpH0CtvIOyM4Q6yhcJWM.exe\" O"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\uYHxM1vrCsKk9T2b.exe\" O"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\lamJPzUeEqgdY25m3hWEesucjPLHXlDEp28uIuy8bd5F95OuLTDmgKTwnTW.exe\" O"	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\52\\IJ2WWfdE0RlkdZXYK4i2R8JRY9A6NzV9hvEjNNRuCAvsRj4UtZNeq.exe\" O"	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\0Jtu8fFMXVT1OSrTJ1k.exe\" O 2>NUL"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000040ef571ce500d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\ejrTlt4fgpZ33AAPP0.exe\" O"	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Key created	\REGISTRY\USER\.DEFAULT	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\9DFGsj24T63fvm8oAJ8EWBGILoxJVYfwS9YXfNcVd1nyRZIqDszP60MW.exe\" O 2>NUL"	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\43\\vswbC4EvPqbXuAV2uafjLAD3xXiq6RCBXzq5N4VnGzFsDCSjtGw2XhPki3Z.exe\" O 2>NUL"	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\ae6vytmk.Admin\\yKjAV3RdQwrQBmhRzC70Oi1yovUFOg14iDE56gP9nEBwndg5w0.exe\" O 2>NUL"	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\GbiXx2B2Mwc4Zcn2wyJBR7JeuDUxghrnw.exe\" O 2>NUL"	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Platform Notifications\\brRsyaV3uZmLpqPAq1Cz4DOhLDJsSANKXhTvHFT0mgc2OvMrz6SEfnOz.exe\" O 2>NUL"	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\fD3CJKuWghjtABXK.exe\" O 2>NUL"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\\fyaeuN6oMKSPoWAXqSz0qT4hobfDv6VPp5cgMl1ZMV3cm4ac4Aj3YVtzey.exe\" O"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\mwkJnTCnKhnckw5v7hncOkmB0Bup5u7ZlbLFmfyHReDl4dgxr3hh7sZE8lVfhjp2UDgkAd.exe\" O"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\GameExplorer\\6MVtrQce5wwOz.exe\" O"	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Crypto\\DSS\\h2ZMU2510pqej7bxVc2gnwGhMF8e3Wv0Vapgv2jUCo9BSlacmgeBKJY.exe\" O 2>NUL"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-20	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\scbPUQWWVUJ77LBce86htTbCoAgW41ZfKZfXYDbe.exe\" O"	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\14\\ZxDhSNG1kfhFWpyqJT0lR.exe\" O 2>NUL"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe

Modifies registry class 12 IoCs

Processes:

d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ae6vytmk.default-release\\extensions\\5UIq2Sd1Kn.exe\" O 2>NUL"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\packages\\vcRuntimeMinimum_x86\\s7hHoNsc9gn5lQZhm4ewZr.exe\" O"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Command Processor	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exeAUDIODG.EXEByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat

description	pid	process
Token: SeBackupPrivilege	1244	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Token: SeRestorePrivilege	1244	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Token: SeShutdownPrivilege	1244	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Token: 33	1304	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1304	AUDIODG.EXE
Token: 33	1304	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1304	AUDIODG.EXE
Token: SeDebugPrivilege	1640	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Token: SeRestorePrivilege	1640	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 972 wrote to memory of 1640	972	gpscript.exe	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
PID 972 wrote to memory of 1640	972	gpscript.exe	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
PID 972 wrote to memory of 1640	972	gpscript.exe	ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat

C:\Users\Admin\AppData\Local\Temp\d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
"C:\Users\Admin\AppData\Local\Temp\d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:268

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1968

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1640

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN\fD3CJKuWghjtABXK.exe
Filesize
1.2MB

MD5
1c1b17900d449d4a226bdc00b5fabdd6

SHA1
a8e74000d8edf9eba759179fa087a9d08e8493cd

SHA256
d6346d632a2aa6f0dda352c2502ea5c105fc194fe3afc7333a2c3567c86f88ee

SHA512
c274aaffc37f4e760fadbb3b227e154773a2ebdc458122e3e91b62759f9a8a93d15dfd284cd4729b34d88ddb11e1b33a0d38c67fce198bc06bda2b050fdeecc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\ZxDhSNG1kfhFWpyqJT0lR.exe
Filesize
1.4MB

MD5
87adec969b8b11ca98d7e146428dfd40

SHA1
88dcaad878561d0a30ac2f4120f110afb27f63f5

SHA256
e6c8d5ee474ba8525d88947d7f0afc60cc65512d270017ca256cc4eb15fbd9cf

SHA512
af1b69276d177399f478ce416acd580f2d208a51dec9b9836c48f806e64e3d2bc1ce3a02343b305080551a796603dcc2fb5f53ccc8bdf9454a21dd344d64d41b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\uYHxM1vrCsKk9T2b.exe
Filesize
1.1MB

MD5
d7a12c53a12d5e326fd2218cc4efc975

SHA1
697abede73cb7125d00696bb9bf20cf8aff4edea

SHA256
d56047416ab449bb1f71e6196e7ddb7640c3a4489336e33b4e89319b7dc7dc09

SHA512
751e974411ba0d56cdf02950e0fd444e51cb4d0459aa83524a96c5a2d4cf3b3b077169b7400a46b2bd6363bc6bcc5147e7b23eb333341104d2fad107c1447c49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\t8J6lA218lcG78bjvdyy86aGUSOzslMsh3qjFsqDeJM.exe
Filesize
1.1MB

MD5
9f631a30ca318d9a94316720b264fb4e

SHA1
ef2391f36622a9c8e31f43d33255182db052fb5c

SHA256
b866bcabaffcd9e46cef00ab1d22913d79d676209029e07a519679dbf89eb87c

SHA512
100f63741c392dcaa5ef97ad825418a4529f569055ac1a78889e3b24471424275ea52b4292e9db70b8d31336afc11b9c75786472e76befe1d52c0c1fed18fae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\fyaeuN6oMKSPoWAXqSz0qT4hobfDv6VPp5cgMl1ZMV3cm4ac4Aj3YVtzey.exe
Filesize
1.7MB

MD5
626886f333ed11b28ed2d694094a0d70

SHA1
7392a8047cd714c34722dbb2471f512f284001a2

SHA256
bdb51f6ee07f9ae164f9f8a4a160b2587c9f37f87f37ee26c16a14f53f7f4a76

SHA512
b2616a70da6a606e867dc9c3b67c6aab93f8ef819cee7cf008eb48071b31913adf7d69f50001b031b7347b702edb4ee31c4bf634332dc0a17c7d9f2012073656

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\YULVUB3G\hsY9Peu7ghVzo9dnoVcqkW2EnVSa8hqs7qGhwEv7FmHH4qM6Gl7r7NGv4B9NDfB.exe
Filesize
1.5MB

MD5
199fe197cef623ffac9a7ba8c47dde39

SHA1
0e45d07cee3c1c2c567e03765f6b7dfcfb9a939a

SHA256
8778c1c53a6f1bd92a934706aee1da6266dcf7536852b972f4483b8b2aae5587

SHA512
e80876c740a18b2ad2d80a052dcfbdb9b33305c8d73a53dda614411b2ff3967c8e547b7415d1a2233e9138a765e0baa37c923be93a0edf7302306ffa88257055

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\mwkJnTCnKhnckw5v7hncOkmB0Bup5u7ZlbLFmfyHReDl4dgxr3hh7sZE8lVfhjp2UDgkAd.exe
Filesize
1.1MB

MD5
4c97f9656a6767b2ffab1779481b46d4

SHA1
7f96a2d8ceed8faf22f823341e3d4ef185b2394d

SHA256
b1c46e2c1c5e7740a5f4657d3d4a1ad87fdc7601ca574be68922168361db3835

SHA512
a4aa57fbd0bb82e258a8229d6ec1f29f02613f7330931baee7a3144a96a42c282970a495eb1a00afd800ace10f1597248b4e2641236c6665274cd12d4f49c13c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Filesize
1.3MB

MD5
394f7c41e3c4dd72b161b2ecd4774d7d

SHA1
11fe74af15a46e6dc99ba5263b389487a64d7dea

SHA256
99fd2599cc85004be6afc85fad8c0070500daf9d4ff6ac5cd74adb37bfd51985

SHA512
d392ced5ca80d0d4ec7ccde4b37ca315d76dfdbe6a13193bb38deef0ef1561331a7d9c20e848908a1aedaaa5ac22d7bc23ddd6a94764bb211242053ee56d0976

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Filesize
1.3MB

MD5
394f7c41e3c4dd72b161b2ecd4774d7d

SHA1
11fe74af15a46e6dc99ba5263b389487a64d7dea

SHA256
99fd2599cc85004be6afc85fad8c0070500daf9d4ff6ac5cd74adb37bfd51985

SHA512
d392ced5ca80d0d4ec7ccde4b37ca315d76dfdbe6a13193bb38deef0ef1561331a7d9c20e848908a1aedaaa5ac22d7bc23ddd6a94764bb211242053ee56d0976

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\0Jtu8fFMXVT1OSrTJ1k.exe
Filesize
1.1MB

MD5
31636c13b7e9f7f78d9f01de4549b551

SHA1
556bda4b96fb324039e547d6a760715df4dc382b

SHA256
234e32cc8881fc5f4aee4bc8b2b96161cf9acd3027361ac20746e9683a5bff2c

SHA512
461aa0b03c69fa841507cd6d4b3a3d0352f2da82fc0f18d16a13b9acda03f05fe796c8153726ae754d9d42998fa36b5c7bb9ea45274e5b16a7ec06f75b0a7d47

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Filesize
1.3MB

MD5
394f7c41e3c4dd72b161b2ecd4774d7d

SHA1
11fe74af15a46e6dc99ba5263b389487a64d7dea

SHA256
99fd2599cc85004be6afc85fad8c0070500daf9d4ff6ac5cd74adb37bfd51985

SHA512
d392ced5ca80d0d4ec7ccde4b37ca315d76dfdbe6a13193bb38deef0ef1561331a7d9c20e848908a1aedaaa5ac22d7bc23ddd6a94764bb211242053ee56d0976

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\ByMPHfMquZPKUqgnpMgjr3pYg8Oa.bat
Filesize
1.3MB

MD5
394f7c41e3c4dd72b161b2ecd4774d7d

SHA1
11fe74af15a46e6dc99ba5263b389487a64d7dea

SHA256
99fd2599cc85004be6afc85fad8c0070500daf9d4ff6ac5cd74adb37bfd51985

SHA512
d392ced5ca80d0d4ec7ccde4b37ca315d76dfdbe6a13193bb38deef0ef1561331a7d9c20e848908a1aedaaa5ac22d7bc23ddd6a94764bb211242053ee56d0976

Download Submit
memory/268-56-0x000007FEFC071000-0x000007FEFC073000-memory.dmp

Filesize
8KB

Download
memory/972-78-0x0000000000DA0000-0x0000000000DCD000-memory.dmp

Filesize
180KB

Download
memory/972-70-0x0000000000DA0000-0x0000000000DCD000-memory.dmp

Filesize
180KB

Download
memory/972-77-0x0000000000DA0000-0x0000000000DCD000-memory.dmp

Filesize
180KB

Download
memory/972-69-0x0000000000DA0000-0x0000000000DCD000-memory.dmp

Filesize
180KB

Download
memory/1244-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1244-57-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1244-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1640-63-0x0000000000000000-mapping.dmp

Download
memory/1640-71-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1640-79-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads