73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c

Analysis

max time kernel
141s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Size

1.1MB
MD5

839f58325e233294f39cd8a96d28dc80
SHA1

39a28db538a38e8e2ab74e9fd8ea146b3c1ec69b
SHA256

73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c
SHA512

75de04069eabe3faef1c768c5464b59516846f31aff7d60e64eecc2c8181935f6c031bb8a97f8accde4552a2c8223758eb957c3e1933baa768b10edfeee0230e
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Subresource Filter\\9XJzINQMFwdxZmVVui77.exe\" O"	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Ty4bZAMdE2eRGcGyTibwSirhIyHSV2osNU0QPbry.exe\" O"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Device\\f5teZjKUTcsJYYq7hF5dnX6unEIxluFxao6ia.exe\" O"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\dozshqpt.Admin\\wlUTovMnwVXzB3qiAXRFflqTjy4hlYr05aOs0xORo5M6.exe\" O"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe

Executes dropped EXE 1 IoCs

pid	Process
240	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd

Loads dropped DLL 2 IoCs

pid	Process
1700	gpscript.exe
1700	gpscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\vZup8B4Ru.exe\" O"	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\Favorites\\MSN Websites\\By8GI38R0k7Wu87jRl27hlnvI6rIL0FImZa.exe\" O"	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\Music\\tw7zBAcAVA6Ofr7aArTbp7KxN9A2MW5ZNOgSV7.exe\" O 2>NUL"	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\dozshqpt.default-release\\storage\\default\\moz-extension+++e8667aac-59dd-48c1-8320-51811c820f4a^userContextId=4294967295\\G8GP1gLJhdPY0XjaUVrCejtMq.exe\" O 2>NUL"	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\HEeRv8uPASVvWnj93pPjclGMerb1l1E.exe\" O"	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\jG2ovelDF3Ff0sskQrsQi447djMWOUKqCJRls30tXsHc7273MXxu1bVQsFcZelhLP.exe\" O"	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Mozilla\\updates\\74xh7cKk9l7jx0cDwzR4feKNPSHqLu1PpLGiVDqvHZCD8RGIB1vC.exe\" O 2>NUL"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\.DEFAULT	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\WER\\WnS250K1jsFB2SKxuKDZxjQlhAuXtNFCiejhTUfpFYZOdpzHpmn6uqX68DKCsLUEzeAKC2T.exe\" O"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Ringtones\\EmGTnBD1n4rtsEztzmdIQICuISpmIVWQCFXsu.exe\" O 2>NUL"	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\BVQMzrIdkqbW1prG.exe\" O"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-19	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Code Cache\\js\\eW0Ug2X3gcoOGUV5zgjMpEZ9MyfR5TLchkQmDV.exe\" O 2>NUL"	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\pEYoKf6E7u650sSW1oo7dHi4buPn3ViXpkOT6AcGpZcMGhGzr.exe\" O 2>NUL"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\02T2Y1LA\\9f42VmKfvLIPlFeGm9gxXBvP75mwMt30Eg7MtU3z28crrpKxbSTYgJcUcxyZ81fGNegfux.exe\" O 2>NUL"	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\C3HYMVKZ\\sl7kt0i8yf1VfMzaZjJW2r7Gk5PyprdaX2nHmL.exe\" O"	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\eHome\\logs\\K9fe8duOpbncqNecFaVMlbigjW5MVORDb3lbVhLYTkJgzQTm1Ce6JQNUFG.exe\" O 2>NUL"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e0bc61aee500d901	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\dozshqpt.default-release\\thumbnails\\pzWQ9vtxsTYcoQN6VfXmOVTV1NKVcE0utTt1yPk1j.exe\" O 2>NUL"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Code Cache\\js\\index-dir\\mUgeRT6CNdqb71lAjuvVHN0JyQpxB1xody4B3xqRwcH3X7MaxUnmldo0rNJII6uqOW2.exe\" O"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\QJJEAroQzS9QlFmGXNS5aTJknWfwClNEwuPCeuVrbVUirmr7d6Ez3UqJKfRaripPrCjvr.exe\" O"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000040169099e500d901	gpscript.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Public\\Music\\Sample Music\\SQAoWasaPxslerZ5l1wIJI0wqrE1lv.exe\" O 2>NUL"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming\\VR2jkSP6sSUwCX8qPjofFIEfoTeoI212GgXkfWkJdCYXLMcrNqDLjBhMRL.exe\" O"	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\SOFTWARE\Microsoft\Command Processor	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeBackupPrivilege	1808	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Token: SeRestorePrivilege	1808	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Token: SeShutdownPrivilege	1808	73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
Token: 33	1112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1112	AUDIODG.EXE
Token: 33	1112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1112	AUDIODG.EXE
Token: SeDebugPrivilege	240	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
Token: SeRestorePrivilege	240	HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 240	1700	gpscript.exe	32
PID 1700 wrote to memory of 240	1700	gpscript.exe	32
PID 1700 wrote to memory of 240	1700	gpscript.exe	32

C:\Users\Admin\AppData\Local\Temp\73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe
"C:\Users\Admin\AppData\Local\Temp\73e3808a65aa8820099144e05cdb94012c7c909227a01bfff36bea0321d9dc7c.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1520

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd
  "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd" 1
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Sets file execution options in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\f5teZjKUTcsJYYq7hF5dnX6unEIxluFxao6ia.exe

Filesize
2.0MB

MD5
3521a4e3ed8483c4345557584c1b298f

SHA1
fddbca92cbf7e82819bd3a79fe3c67528115be14

SHA256
6dcf44dc12c06ce312c257caae1cf003343f51834eb384c6913b2e09f675cece

SHA512
9e85bbbbc6771854be240dc1a1141f7717799cbf9686921dc4ff855b2ff564e2af16c639793cdefe01d4b854552c006fb72d2b26c54a35fd0c84a1d6d266fa92

Download Submit
C:\ProgramData\Microsoft\Windows\WER\WnS250K1jsFB2SKxuKDZxjQlhAuXtNFCiejhTUfpFYZOdpzHpmn6uqX68DKCsLUEzeAKC2T.exe

Filesize
1.5MB

MD5
c3bb2c28547d594ddc2d6d6ac591eb8c

SHA1
9b186c891b9c89640553c238d864603e8eb09b2f

SHA256
0fad23ea980bf7b60f8ef157cd3a3ab91ad1f341ea7201277e725c802b5c580a

SHA512
300c15741458263ad0bcd283923f09811ef964430081d4773856fab58c82cc247518256aab86b40b2e932653b3104beb2a75dfe7e3c88d6d83c7300475331608

Download Submit
C:\ProgramData\Microsoft\eHome\logs\K9fe8duOpbncqNecFaVMlbigjW5MVORDb3lbVhLYTkJgzQTm1Ce6JQNUFG.exe

Filesize
1.3MB

MD5
3462da697993e5df0b1d05d7025101c0

SHA1
e54eeda9706b51a134e17bf1146c019a6cd7b3a1

SHA256
ab7016a3855ac52fdb1dd7e6ea7b033220d383b588ee4ebb1d80f0ec71f8e819

SHA512
e6390eeb198ccef7d35f87c5206924dfbbad7ac382f91edb304142919bf71a3fa55e8c2ebde340469edcd905c3f55cf63fbccad58f2c171632d520733b9da621

Download Submit
C:\ProgramData\Mozilla\updates\74xh7cKk9l7jx0cDwzR4feKNPSHqLu1PpLGiVDqvHZCD8RGIB1vC.exe

Filesize
1.4MB

MD5
455f2ef2f52147ea1503a6092b22ddc7

SHA1
988c72149d1ed4d8a90aa7e4966ebcb2f8788f7b

SHA256
bf9ae59dae40ee83231cfd8d65ee0c0dc74fb14434826806dd58bc54b2b9cf86

SHA512
1a63407852b50edddcb54b9098ae2b83cd3c14dfe5820530bddde141056e495dc43ea1fd9e96c9dd0d63f45ec70ad8bb2350b0645f086d7e39ad9cdcfe0927b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\mUgeRT6CNdqb71lAjuvVHN0JyQpxB1xody4B3xqRwcH3X7MaxUnmldo0rNJII6uqOW2.exe

Filesize
1.9MB

MD5
bc86a5a192c7b5b2a0402eb1edbeef6d

SHA1
7039c7a383d097ca8e85b9d81b4a4f3df74898fb

SHA256
aa50a48e8c073f44b35f5528b55f2faecb1f99cc84b8036d8c021ff5bb492225

SHA512
6d830e72a140e2da2bd0d96580071d340510180f7375290c5773bf59752d0b77328fd11cca5886ec4f43730f146317320dd74de0a8ebb2fc62f3cd842883bc49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dozshqpt.default-release\thumbnails\pzWQ9vtxsTYcoQN6VfXmOVTV1NKVcE0utTt1yPk1j.exe

Filesize
1.3MB

MD5
70a160c80a36df9039c0a8b532934551

SHA1
092c9e185a4e7d80adda58aaa58e9d77b2955957

SHA256
cf98399da33e14523036c2d125cc562aa4d0b31044d38795335d364f7d631dac

SHA512
cd1a48820a7e0b6eb32949982d4811bf62e37e95f4ae4f01a81d9e05cd291fdccbe8e6d1436e458a64e5994acae9c8b3bfbc22b2f1fbbad862b0bfdc4eb205a0

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd

Filesize
1.6MB

MD5
02daf6dedec532a7f84984c7991a07ac

SHA1
d92e027c6389fdd0443943ada8932109f47cb7df

SHA256
14adfb84c0a8064d8930a0279c4d8cac20700351ae5d696d50573b5a30a12b8d

SHA512
4f38f932e67f5793986baad1a628315b43ac1ee205ca80f69d217b3e123f0db8fb2d8af578a24d07931d46be1fac57771b286dacef8e8088644f540830973e0b

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd

Filesize
1.6MB

MD5
02daf6dedec532a7f84984c7991a07ac

SHA1
d92e027c6389fdd0443943ada8932109f47cb7df

SHA256
14adfb84c0a8064d8930a0279c4d8cac20700351ae5d696d50573b5a30a12b8d

SHA512
4f38f932e67f5793986baad1a628315b43ac1ee205ca80f69d217b3e123f0db8fb2d8af578a24d07931d46be1fac57771b286dacef8e8088644f540830973e0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\eqBU8hv8aPffbRo22fPqblnGfahRJzmvqJsKYaEYPS.exe

Filesize
2.2MB

MD5
748751a236d579ef7b0dd6be679984d4

SHA1
177b8710a2369afc1e8e498ce6eeb8c589eb2d92

SHA256
4f652d9113caa49c6a30e7cc13906551d21abb7f40821511117f073f768339eb

SHA512
9f893ac465da2ae6769767ac3ce53e0f99b6cabc6591baea7853895a1bcef3229750f26a4ebbadc562d5dfc55de7505b54d7738e2062ab30ba82d8b9832148d6

Download Submit
C:\Users\Public\QJJEAroQzS9QlFmGXNS5aTJknWfwClNEwuPCeuVrbVUirmr7d6Ez3UqJKfRaripPrCjvr.exe

Filesize
1.2MB

MD5
dbcf7f88ecac397105f13c4dedbfbe70

SHA1
e4038c4ede003ee992d7ca2588b14a64d5bc9578

SHA256
cfbdbbcb1de7c97bea55e60c3b96e3115486e5867bffd353aaf29691732d2139

SHA512
6657246ccfbf7247d2d6e362b3889e9a80829ebd6df9be89da8fc06fd2160c7dd74058df71a71dc685b037170ab18db50efadb0dce36fe0f154b4c3d4afd0fd9

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd

Filesize
1.6MB

MD5
02daf6dedec532a7f84984c7991a07ac

SHA1
d92e027c6389fdd0443943ada8932109f47cb7df

SHA256
14adfb84c0a8064d8930a0279c4d8cac20700351ae5d696d50573b5a30a12b8d

SHA512
4f38f932e67f5793986baad1a628315b43ac1ee205ca80f69d217b3e123f0db8fb2d8af578a24d07931d46be1fac57771b286dacef8e8088644f540830973e0b

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\HCuUfRSu52b67dCmwzwvaW4Y6mMidcaBApQPzbid954BtDjHNdtIy2QEf2drRIzhdWaw.cmd

Filesize
1.6MB

MD5
02daf6dedec532a7f84984c7991a07ac

SHA1
d92e027c6389fdd0443943ada8932109f47cb7df

SHA256
14adfb84c0a8064d8930a0279c4d8cac20700351ae5d696d50573b5a30a12b8d

SHA512
4f38f932e67f5793986baad1a628315b43ac1ee205ca80f69d217b3e123f0db8fb2d8af578a24d07931d46be1fac57771b286dacef8e8088644f540830973e0b

Download Submit
memory/240-69-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/240-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/240-62-0x0000000000000000-mapping.dmp

Download
memory/820-55-0x000007FEFB7C1000-0x000007FEFB7C3000-memory.dmp

Filesize
8KB

Download
memory/1700-68-0x00000000010B0000-0x00000000010DD000-memory.dmp

Filesize
180KB

Download
memory/1700-67-0x00000000010B0000-0x00000000010DD000-memory.dmp

Filesize
180KB

Download
memory/1700-65-0x00000000010B0000-0x00000000010DD000-memory.dmp

Filesize
180KB

Download
memory/1700-64-0x00000000010B0000-0x00000000010DD000-memory.dmp

Filesize
180KB

Download
memory/1808-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1808-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads