1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e

General

Target

1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Size

2.8MB
MD5

f45c3bd2de591e0ae079ac04f57abdaf
SHA1

da118768ae0195bfd307df8e31ac647bc275cba9
SHA256

1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e
SHA512

a589b2980cf541dfd877958f2383e04c8731d390060b47572ea7ea35bc02b000121bfb38b62fabc906fd8a710a6c2dca5f5877fb0eaae2751f276486ae08db86
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\25\\MAKUBlcFHGf5LMqI4Zq39F97UXX93l8UsFELk91ea2TbFB.exe\" O"	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\QeIooQ9bKqOUqjPtafdqBf3prlz8aQT9a5j2vgbeXluhunTtK78gphk4Bhin.exe\" O"	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\oQTXeqOaD2HTxEn5F0D8pF2XFrcxy4B357mq5pYZ5cGrSg7qhwuLIemFJTJCEdmj.exe\" O"	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Modifies data under HKEY_USERS 35 IoCs

Processes:

1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Low\\gbrvxxwmgGU5dAdjKgKqPoxXgT83REoeR8YwNeGu55inmfNImMUc2waunZJGY0SZGT.exe\" O 2>NUL"	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-19	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\.DEFAULT	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\doRdxNeH49Dra28JXtJiqE.exe\" O"	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\7WJNykFIcdbKpipjZ3hUIwd1mmntUgPwuslrO6OIKaziecNDTKaKfqf.exe\" O 2>NUL"	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\qdgtxDfnIHskOPeCoUZZ1AOoVOLHEDcoVToYd3LQ2AqdOLW.exe\" O"	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\1oVCFIU5sJcFMCzh4eKqpak1Gm.exe\" O"	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-20	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\E9xzXSClTa4YOXf9NA8Wlxke.exe\" O 2>NUL"	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\CgRvlA0vauoV1KGNdy0C8u7zZIbTaXdZi7NwCiBP2.exe\" O"	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Burn\\Burn\\0ePn0kLtzcEnY31COFiCywtbYUF5He7QoUjFMmSCNAahe7fqDnSDnJXCh.exe\" O 2>NUL"	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe

Modifies registry class 12 IoCs

Processes:

1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\TLSDeprecationConfig\\1Zo7Gp6A7I6lx9nvHEVvvZN1SkGgqkikU2Od7GLBsC2A7.exe\" O"	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{B0B1B031-0F6B-42A7-A55F-615AF9E0F397}\\HLLFUh6CAwc4nxBQBae3ae8hh159qYRD5AJucCqSejO0hzdnN4Mo2v4mVW2.exe\" O 2>NUL"	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\SOFTWARE\Microsoft\Command Processor	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exeAUDIODG.EXE

description	pid	process
Token: SeBackupPrivilege	1000	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Token: SeRestorePrivilege	1000	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Token: SeShutdownPrivilege	1000	1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
Token: 33	1188	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1188	AUDIODG.EXE
Token: 33	1188	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1188	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe
"C:\Users\Admin\AppData\Local\Temp\1d82c8b13bb72be2559a4964300349a5e78b4920d190a1e2bbfb5ea4404a0e3e.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1508

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x478
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1188

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1000-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1000-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1000-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1508-57-0x000007FEFC1E1000-0x000007FEFC1E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads