308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e

Analysis

max time kernel
160s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Size

1.0MB
MD5

9f9940b01e991e803c79db9fff110780
SHA1

cd4bdc0337108c5c4b2452f3711de2a7324ced0c
SHA256

308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e
SHA512

60a1504072c8f543059673d271296e342c83540ac2dbce2f51cb33cbdf42364926205bc025562caf116367c006d942c7ff486e3a9655e492306dd1a73d845e84
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\0\\eygesz0vopzx0wddQRaNsaqJEEOHKcBvh3KLiQIGmFWOm3dVdj7s.exe\" O"	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\7TQU6SHT\\GCDjC1n0f4MW84KFqmvjwzhiTleKnZ5lGWy1PrM47YhI.exe\" O"	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ae6vytmk.Admin\\bZpR8zp84CbsuRWfHlywnq9bkcrUnt5vDZJHSYEln6.exe\" O"	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\es-ES\\4MY2AxS8jN4Wqi9PwgIMaLzRQv7XiR2r6tLWX0DDseGYrH2GXMVZcEj.exe\" O"	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat

Executes dropped EXE 1 IoCs

Processes:

5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat

pid process

1052 5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat

pid	process
1052	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1640 gpscript.exe
1640 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1640	gpscript.exe
1640	gpscript.exe

Modifies data under HKEY_USERS 56 IoCs

Processes:

5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exegpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\YULVUB3G\\DE9rhWMbmJuMAcsLmj4.exe\" O 2>NUL"	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\R7XbQY4xXOrTSqeCGOnZvThEcMZ5qaamjDUeiHaw4WC.exe\" O 2>NUL"	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\hnDAej15UuSWgS3yE76cOF.exe\" O 2>NUL"	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000080c3ad29e600d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Adobe\\Updater6\\YhYEDgpdxe0Qdf6TbWGfFZjIObTvRlUr6.exe\" O"	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Key created	\REGISTRY\USER\.DEFAULT	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\qhZq5apP.exe\" O"	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ae6vytmk.default-release\\storage\\default\\moz-extension+++06812acc-30fe-4c25-b511-11cb8bde5334^userContextId=4294967295\\J9N3xOEZhJPEOS1QEBTt9NMd88YKT6xB.exe\" O 2>NUL"	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\OFFICE\\f1K9rgPBmEbY8uM.exe\" O 2>NUL"	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\MltLDfrrdveNwW1xzvqjd1mFbe2dnLhEEvv2e4x6ht7UJ4Ojm0UqHCBcUsNAcZtW.exe\" O 2>NUL"	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Key created	\REGISTRY\USER\S-1-5-19	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Videos\\MkZvKAPyOtFwBuRK3Bk1Ey1vHzt8Tn9IBpnafQr.exe\" O"	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-20	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hsperfdata_Admin\\Z6PgXV7fvSxLvYTa5RXUGyoxqnkGCRDmmHmxf3.exe\" O"	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Adobe\\Acrobat\\kDalKfvCClbBwKkcxJmC.exe\" O 2>NUL"	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\PropMap\\LKkRIAJAe5l5dQfyJrnHdY3Ibw76Nb4QB5u.exe\" O"	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\Acrobat\\9.0\\J6JyU2vEwLuxXsCa7gxf16X5jllCrWCbaJrtdq6rvmNNqpctKAtJGYK9VpZoykmReIvQKDY.exe\" O"	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\58DFrj01HOWHdVtzDzHSrPPgw0YceAVqSbbIhI1AAnzKLxZ.exe\" O 2>NUL"	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\YB33FE3E\\NYL6Gdcp06.exe\" O"	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ae6vytmk.default-release\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\7WsltPaOl0f3rxnCuJggoI3PCsLq9fXslmSZSBYMLzp996ylpAkAwU5kaiRpGb6wKyyGy3o.exe\" O 2>NUL"	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Desktop\\9SzASNL72nkwQxzfaAuLbuZQHsFg.exe\" O"	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft Help\\TLV4o0MaWXGnrDggzC0kXS9aE79nRgYB6PIvYokrf.exe\" O"	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat

Modifies registry class 12 IoCs

Processes:

308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Media Player\\Vl4LBUvFJzDpiZpphv9WPgO.exe\" O 2>NUL"	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Code Cache\\js\\mHNnRtJMSWdfawwpO9.exe\" O"	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Command Processor	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exeAUDIODG.EXE5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat

description	pid	process
Token: SeBackupPrivilege	1256	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Token: SeRestorePrivilege	1256	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Token: SeShutdownPrivilege	1256	308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
Token: 33	1156	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1156	AUDIODG.EXE
Token: 33	1156	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1156	AUDIODG.EXE
Token: SeDebugPrivilege	1052	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Token: SeRestorePrivilege	1052	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1640 wrote to memory of 1052	1640	gpscript.exe	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
PID 1640 wrote to memory of 1052	1640	gpscript.exe	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
PID 1640 wrote to memory of 1052	1640	gpscript.exe	5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat

C:\Users\Admin\AppData\Local\Temp\308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe
"C:\Users\Admin\AppData\Local\Temp\308f3418dd7bd880268626b76da38ac27c1d1a63eb38876d5146140e8eef910e.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1768

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x584
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:980

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1052

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\OFFICE\f1K9rgPBmEbY8uM.exe
Filesize
1.3MB

MD5
63ea442b08ec7476a131a062a66e4fc9

SHA1
5334eb5fb70176fc0b5a62fa60a796282dd0ed58

SHA256
f1c699a9afc7ac7661bb85ee2ee5920631a341b24bfeb6188709bbf57ba8721c

SHA512
0532858c026579fd8fb27fcad67e73713d2981a43059986a2b3025e0b77ace654ed4a50d8ceb969b582c113d581aafe4da81f32117a0c374c18f96e30ae19120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\hnDAej15UuSWgS3yE76cOF.exe
Filesize
1.1MB

MD5
ed1be8764e893024c8242b43dfaadee7

SHA1
4131f8f60edabc58cda617e6f9891a60d8cbed9f

SHA256
bf2a06a108f15daf6f25b258475d98361e0f001c1760a65ca00d661e4628524d

SHA512
31cc0f524a5dd8ecd0b3ed5187362b995581c79c5c4f7e403da800a8cdc0b3b3f17e6af4375e8b33494063d6652999d63b4a8689db0866f3e2531e3577e57fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\Z6PgXV7fvSxLvYTa5RXUGyoxqnkGCRDmmHmxf3.exe
Filesize
1.4MB

MD5
3cf073f1c601d13c83efadd96bdada04

SHA1
8bbd5439ad3fc2ec969502eaec02e0e2e16975f9

SHA256
a5c1c0c8fa987639d39cda6072c4003bf8e89ec399a4aa085ea14764a1ef87ea

SHA512
60dd8050913f9f03dc404f7fdaee7e1935e67f70c8939c4475b4d9e49b0cde1e7b2a872c82b4bec565028229f0bd10776e7b94be4a12cff22b3c1243a3f4512a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.Admin\bZpR8zp84CbsuRWfHlywnq9bkcrUnt5vDZJHSYEln6.exe
Filesize
1.8MB

MD5
bb008650d999dc6c13cc20723d34cf8b

SHA1
b5d19407e8a7c49460d5a28841b9cd47f4c0c499

SHA256
4a4f399ced4c727a1d11ee9d1ddbec3d23a82a1a7b6159d7b3e40761d7df5e3d

SHA512
673f23572b15ebef954714be6987eeb2ff1e3f36d25063c8af267b6abbb3ccbaaab5470b1069f4d83dcb96bd32d378778a8d6a4e634c7ca0728c1ecc55be9574

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Filesize
1.3MB

MD5
fb64c23389286cd7350f8296da333397

SHA1
0d8e0a419e054ccda6ecb4085fa813c0a81b8603

SHA256
962d2b4b71ea036b2006339e9612dcf7a31d2ef96a818fb1851e3be431fa7267

SHA512
b8958b1916763189ae1519e72070af49b1ab141ab6770dbfe8c0857db1c1e5210d747a43966a774c5d5c6a2801f3d4d3fc4c4cf7238deca5f12ed4a9d1943906

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Filesize
1.3MB

MD5
fb64c23389286cd7350f8296da333397

SHA1
0d8e0a419e054ccda6ecb4085fa813c0a81b8603

SHA256
962d2b4b71ea036b2006339e9612dcf7a31d2ef96a818fb1851e3be431fa7267

SHA512
b8958b1916763189ae1519e72070af49b1ab141ab6770dbfe8c0857db1c1e5210d747a43966a774c5d5c6a2801f3d4d3fc4c4cf7238deca5f12ed4a9d1943906

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\storage\default\moz-extension+++06812acc-30fe-4c25-b511-11cb8bde5334^userContextId=4294967295\J9N3xOEZhJPEOS1QEBTt9NMd88YKT6xB.exe
Filesize
1.3MB

MD5
80328aa8843764483930ae09fad42d03

SHA1
0b0d0677b9ca9b1aa3b2ecc23bf2bc95cde68592

SHA256
d9bc78256cf1b5f3befb69b56e88ea7c4f6f0ea7d638028aedbbda57018c1873

SHA512
2dd0262f4267967a9a5e14a1ed4defbb60b9d839c077930be08ed2a0626354b131a1c3b65334e3a80cd7d9911ff9d805b0c6d3054bab1140974662c8eef91b2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\cUYRxBS28ofjQ2PvKn5xw85uYnNq0y7fM9KKv1oO0RjnMtCZxhT.exe
Filesize
1.1MB

MD5
4e513b76884c07b4377e0035fd6154a2

SHA1
81973c44bfeb3f4d11148b733632b87694a4a3c1

SHA256
e5805ecef80bd6cb178c0752ff2a4c1187b2c9a0560980389da794ddfdf49c89

SHA512
fa46f354d48a3abfe9eb2f9ceaf2fba497a3214af35cb17334ea7176e88493136b160ed81eebb7299f93fe4eb0ed23450679666e2d44b0ad046090d9a41bd9cf

Download Submit
C:\Users\Public\Desktop\9SzASNL72nkwQxzfaAuLbuZQHsFg.exe
Filesize
1.4MB

MD5
e8589016f73db4601b7ac6a49dadcdf6

SHA1
68535344edf0af983fe750b2e99c6029ce445ee0

SHA256
9f8629f2aaeaed19c6f2a79d4872e893bb2eacff1e3a260c7136d0d1a7aa2d1f

SHA512
3d9bb569ea479fa5b68885b3c2206df48ca7fea847ecf0d56ccf26e1b7dcef193af7b22ce2b42d871cbe44c26b1b0f0ff241bdea29149db8b95f6538d2cbde31

Download Submit
C:\Users\Public\Videos\MkZvKAPyOtFwBuRK3Bk1Ey1vHzt8Tn9IBpnafQr.exe
Filesize
1.9MB

MD5
24fc2f0b2a02bf7feb7f10eac597fd6a

SHA1
7e21e90615d946371bd07b8f179f1ba980884715

SHA256
2d377d3b13833d503a482447eb55941b4e56db20cab235bcf23504e7045b3074

SHA512
776b1c0d90d6fff0d4016328d6d336945228ab5d4fbfad6a4db39957d8639dbd4c136df019cda5d36910cb4e6200f3226f870fd04c1d7458b276095616d604b7

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Filesize
1.3MB

MD5
fb64c23389286cd7350f8296da333397

SHA1
0d8e0a419e054ccda6ecb4085fa813c0a81b8603

SHA256
962d2b4b71ea036b2006339e9612dcf7a31d2ef96a818fb1851e3be431fa7267

SHA512
b8958b1916763189ae1519e72070af49b1ab141ab6770dbfe8c0857db1c1e5210d747a43966a774c5d5c6a2801f3d4d3fc4c4cf7238deca5f12ed4a9d1943906

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\5tZkC5DmKxsrVz5ywXuzVH7pvmzuQXxy.bat
Filesize
1.3MB

MD5
fb64c23389286cd7350f8296da333397

SHA1
0d8e0a419e054ccda6ecb4085fa813c0a81b8603

SHA256
962d2b4b71ea036b2006339e9612dcf7a31d2ef96a818fb1851e3be431fa7267

SHA512
b8958b1916763189ae1519e72070af49b1ab141ab6770dbfe8c0857db1c1e5210d747a43966a774c5d5c6a2801f3d4d3fc4c4cf7238deca5f12ed4a9d1943906

Download Submit
memory/1052-62-0x0000000000000000-mapping.dmp

Download
memory/1052-72-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1256-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1256-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1640-70-0x0000000000FA0000-0x0000000000FCD000-memory.dmp

Filesize
180KB

Download
memory/1640-71-0x0000000000FA0000-0x0000000000FCD000-memory.dmp

Filesize
180KB

Download
memory/1640-73-0x0000000000FA0000-0x0000000000FCD000-memory.dmp

Filesize
180KB

Download
memory/1640-74-0x0000000000FA0000-0x0000000000FCD000-memory.dmp

Filesize
180KB

Download
memory/1768-56-0x000007FEFB971000-0x000007FEFB973000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads