fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6

Analysis

max time kernel
155s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Size

518KB
MD5

25e285099137741bcf79b1f1d856642d
SHA1

93b9532d874aeca9211066c6cc726d062eb092b3
SHA256

fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6
SHA512

14d1a10fa565c94964213fe908b256e385ac8b9ba8f18e8b150338e1fccffe21b640f30a7f9189c72d070b6c8fb84dbfe767dab834b20b533ea51baa0cecb584
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.batfa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\RrgqDdfksGXLf9Milak5dTI5ujkfybcUjnmXpooegBIPN03mwhf0McLnV2Gc.exe\" O"	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\7yL84a83HtfPWrS6MrVnx2zlay0Zz2K7fbM4gZm.exe\" O"	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\q6TeCNTZ30QDlvocTA1ky1lRBmJ8KRprWbjVmTYkf.exe\" O"	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\xgEAj76D1wHW0ZWDET6.exe\" O"	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat

Executes dropped EXE 1 IoCs

Processes:

x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat

pid process

1068 x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat

pid	process
1068	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1660 gpscript.exe
1660 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1660	gpscript.exe
1660	gpscript.exe

Modifies data under HKEY_USERS 58 IoCs

Processes:

fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exex51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.batgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\1zB20g3dkKRAv1dSVt37j6ex0NZhqEMu.exe\" O 2>NUL"	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\16jzCs1gu2XPSHPaeIBYizWwBoMEMcbdoiqecraRBnOhT9N40vors.exe\" O 2>NUL"	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\DRM\\Cache\\9zDiQC40xLVaMRFR.exe\" O 2>NUL"	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\packages\\vcRuntimeMinimum_x86\\NnQKSDXjlIUlJ6UwPQaRtl.exe\" O 2>NUL"	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\4Un5um2C14fhtnOuprfhl8C2.exe\" O"	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\MF\\Hx4FYbSBaKHRYO0HM4N.exe\" O 2>NUL"	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-19	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\.DEFAULT	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming\\iS5oT0G9PyPJgU5kbb5u9qADubF8kAYfPbvx872ABdrgs1JltSiRha5ztgGt6IUCsa1L.exe\" O 2>NUL"	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-20	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\de-DE\\MAK7fO6CnVbCxkyRMmCuZNVSS6sXwB6B7uNFqRkaGz.exe\" O"	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\muffin\\UQJKVP0QYXzLsNhoFPZiXXUT.exe\" O"	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000c033f211e600d901	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\fr-FR\\cTek7vEbN7PM82Z7QjMXNSu.exe\" O"	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\O9VqckgIIHw7hSATwKWOAJaiOVLGtDGy.exe\" O"	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\cXBP54Z0gl8JW7kMChQ4abM5i4jc4SXxe.exe\" O 2>NUL"	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\RecoveryImproved\\MxkGnBHJoG7ymzJl.exe\" O 2>NUL"	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\d7JaWoI3gyPWmfHhXMiWqq.exe\" O"	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\dozshqpt.default-release\\crashes\\events\\pnAJ2vc0th226yny4HRdnI8s4.exe\" O"	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\M4LKLrEnb7N4woqa1LqxrJCef4SmQhzRr1z9fOvr60ZynZn9SKy8uEEdKh6TcZ.exe\" O"	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e023c3d6e500d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\AutofillStates\\ZLbtKEpPjla2EmZk99eyvk6LnJMQzmNvNye2nZEeJO6dXdMgq8.exe\" O 2>NUL"	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\ureWKvhOliKbZO2XhbW9pzVwFpozC8HkHl1x4TQjMeQNti6T.exe\" O"	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat

Modifies registry class 12 IoCs

Processes:

fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\SOFTWARE\Microsoft\Command Processor	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\\fNJxgiFQozvPDZMuXDCAvmqPh.exe\" O 2>NUL"	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\Downloads\\Bl11zJCCZgRYC7Z8pmsz740Frw2h8o3SmcgbOOZKiVYA71fXVorUxXQKM74.exe\" O"	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exeAUDIODG.EXEx51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat

description	pid	process
Token: SeBackupPrivilege	1272	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Token: SeRestorePrivilege	1272	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Token: SeShutdownPrivilege	1272	fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
Token: 33	1504	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1504	AUDIODG.EXE
Token: 33	1504	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1504	AUDIODG.EXE
Token: SeDebugPrivilege	1068	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Token: SeRestorePrivilege	1068	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1660 wrote to memory of 1068	1660	gpscript.exe	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
PID 1660 wrote to memory of 1068	1660	gpscript.exe	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
PID 1660 wrote to memory of 1068	1660	gpscript.exe	x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat

C:\Users\Admin\AppData\Local\Temp\fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
"C:\Users\Admin\AppData\Local\Temp\fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1052

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x57c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1972

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
"C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1068

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\M4LKLrEnb7N4woqa1LqxrJCef4SmQhzRr1z9fOvr60ZynZn9SKy8uEEdKh6TcZ.exe
Filesize
665KB

MD5
780d4a2adedf553bb463b2edce39758f

SHA1
42b123d865f705d43a871b3505e813f463ca772c

SHA256
7dba15c9e124cd66a2f5f84a64e6ba06f48003d8c4c6466cabc02445ee1b5259

SHA512
3f72840c0e26e4f670c06a7493f6b7893f0fae35c6f0ae01db3ded667432bd7f93c6059fd715d62d04f6e43179e35e494d609ef05cdfc1b148ddd7341ce4d10d

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\MAK7fO6CnVbCxkyRMmCuZNVSS6sXwB6B7uNFqRkaGz.exe
Filesize
947KB

MD5
4feebc706127ffe5499b22b5d7be4eca

SHA1
bb2f4412cb8920ea1e02e3c73f98e3ea3d4d141b

SHA256
ca86d125185364f966d6271e447deda512f69c554f02bde9338071ee019ccdf8

SHA512
1384b49501b776d185c69ff8e78add9c2c86364e55b0ff60c42f9d3a552a09761c7bdd3831702dc0361cb4e9fd5a343429192a7b4bc028f2e9a71d9451e4fde2

Download Submit
C:\ProgramData\Microsoft\Windows\DRM\Cache\9zDiQC40xLVaMRFR.exe
Filesize
975KB

MD5
8751a61aa5887b2d1a031f2a5f40c2fa

SHA1
d5efa1ebddd373d125b3de0b88b25e5a3071a26c

SHA256
821392911c659b48bd1c48bfbefacdc109af1a65936d60ad2946cfc3ca98644b

SHA512
a03e302a75016c3091108d9073a06c1629af7e3d2e6c26a26fbf62e944e2c52cb2416549edafcae8e3d718635f08b89405285d127de51629b1a22fbb36cde3b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Filesize
985KB

MD5
84685197e442cd03d2c5d64fbaf99f02

SHA1
360eb40ccea878ddbcffc060358ce7f251b14987

SHA256
7a5d24d774e26a9446efefe50ece163af9f0677fd17a4e37e238c7381e8e18b9

SHA512
15ef87d92a67a44ba62f531a05af4e7ec9ccd2dca3bbd488d8476435060376fe2999b1fb2bd5145dda3b2b6b9fa08328eb90555b4d796dcbf656be7b18b5396c

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Filesize
985KB

MD5
84685197e442cd03d2c5d64fbaf99f02

SHA1
360eb40ccea878ddbcffc060358ce7f251b14987

SHA256
7a5d24d774e26a9446efefe50ece163af9f0677fd17a4e37e238c7381e8e18b9

SHA512
15ef87d92a67a44ba62f531a05af4e7ec9ccd2dca3bbd488d8476435060376fe2999b1fb2bd5145dda3b2b6b9fa08328eb90555b4d796dcbf656be7b18b5396c

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\muffin\UQJKVP0QYXzLsNhoFPZiXXUT.exe
Filesize
683KB

MD5
9abd663aad24739b8bb04c982a4246e7

SHA1
1a6c570d3c8a8389c3c3ed32690cc4bd5a73a64f

SHA256
b993e94ff3c27d176b4fa61143284a6842ab5fddcad9eba3c0e5b0b97854c8d3

SHA512
ed1f8f5ebead26f1d8e89cfcea1eceb1142c7677f4d4364008b768082640b568904696a94e22de8e3f85570e54d26cdf1fe508f2e3f8ad1b5c474dd3775de668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\iS5oT0G9PyPJgU5kbb5u9qADubF8kAYfPbvx872ABdrgs1JltSiRha5ztgGt6IUCsa1L.exe
Filesize
619KB

MD5
1849b6c52ef38d5ea801d604bdc60d09

SHA1
157ca8661010677ec8a755723ef087771bf7411d

SHA256
0a5538cbcdf94b41a0cb74a4e1fa5cadc2651206b0eeaf9ab6249ca0b752f255

SHA512
73d19be8071c2186ddb02b5aacadff4e567f0b2d0dd63c2f4cb6c515b28e5afe99af3edaeab8bb3a062e93148af230f93770c02061a43a5b17305466398c69d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\System\WQkiAc7l7wub7rMGz9nZy7b2HXzdfo5ueFmCoFu4kM9MeErM.exe
Filesize
964KB

MD5
8b9b89587dc96cf50c37f7ab0bdeff7d

SHA1
04455e923da965646088f0dbc20d5893c1c4fa17

SHA256
603cf59ed4e3c8551ed6bd5fcd0f10fcb80e844d7ed81ebb6cd3092856a60e52

SHA512
7d8dd643a9657dcdbed008e1975e92c629e9ccbe3cd83663a1d8b9feedfdcfd53d5f3d7bf72b697ed9c10b07665ba92de669b1ce7172ed4aab02583411805431

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\q6TeCNTZ30QDlvocTA1ky1lRBmJ8KRprWbjVmTYkf.exe
Filesize
522KB

MD5
611b3d5f104ef3e805271abbf8b16b2a

SHA1
1380f3f0b10d46c00729446497bf2eb9ceb3176c

SHA256
81ea4fb1626494fbe621a72a874e44e25511bba326b7242e472346d52d4a3dda

SHA512
9827a9b194585b2fa2451f24d3d3fcb2515e120402a0e11c76e43e434d0dd29e919ad8b6b9fa343a719fe66c43ab864bfbbf65c0fd0783ffcc23159ab4f99a5d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\16jzCs1gu2XPSHPaeIBYizWwBoMEMcbdoiqecraRBnOhT9N40vors.exe
Filesize
663KB

MD5
bb755a8eae89b1c5fbcb2947650685fb

SHA1
83a887a67dea7f8b2e149f7842bb6be61b319a43

SHA256
69c1abaa8a36593c7781bfacbeb74e050a2d7da5f811387485f6b9897102866e

SHA512
722bb135409488818f0b1e7ea4e90510de48a0d11cbda26c4cefd56f540b31f8e9dcc962dbacf4e2f14d5da8e87cf34b3063974e21301c2ff75349c3cd273686

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Filesize
985KB

MD5
84685197e442cd03d2c5d64fbaf99f02

SHA1
360eb40ccea878ddbcffc060358ce7f251b14987

SHA256
7a5d24d774e26a9446efefe50ece163af9f0677fd17a4e37e238c7381e8e18b9

SHA512
15ef87d92a67a44ba62f531a05af4e7ec9ccd2dca3bbd488d8476435060376fe2999b1fb2bd5145dda3b2b6b9fa08328eb90555b4d796dcbf656be7b18b5396c

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\x51qjcNJqhm9Ait1eAVJCIvpAALweBgk48q.bat
Filesize
985KB

MD5
84685197e442cd03d2c5d64fbaf99f02

SHA1
360eb40ccea878ddbcffc060358ce7f251b14987

SHA256
7a5d24d774e26a9446efefe50ece163af9f0677fd17a4e37e238c7381e8e18b9

SHA512
15ef87d92a67a44ba62f531a05af4e7ec9ccd2dca3bbd488d8476435060376fe2999b1fb2bd5145dda3b2b6b9fa08328eb90555b4d796dcbf656be7b18b5396c

Download Submit
memory/1052-55-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/1068-62-0x0000000000000000-mapping.dmp

Download
memory/1068-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1068-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1272-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1272-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1660-65-0x0000000001050000-0x000000000107D000-memory.dmp

Filesize
180KB

Download
memory/1660-64-0x0000000001050000-0x000000000107D000-memory.dmp

Filesize
180KB

Download
memory/1660-76-0x0000000001050000-0x000000000107D000-memory.dmp

Filesize
180KB

Download
memory/1660-77-0x0000000001050000-0x000000000107D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads