dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250

Analysis

max time kernel
151s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Size

790KB
MD5

b82073aecf721f857155606431727831
SHA1

ba007a8a1394009a231e5a2d1e25c4a4bfd81359
SHA256

dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250
SHA512

4f50665f2c2c2bf4ae9112019cb70bf02ab65c30145e8bc2d87fd4f76e12603cf7de265e6c80ff1ad8420649d8b4f7b7f0f8449d6705b51ab58e6744524230bd
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exedc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\LWt9FABC4NwBcBEeeCYBy00551Q1b4Y.exe\" O"	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Sy3JBQZ9KK2WfjXHUbZkHiCQFL72AwN2eNwJSptHZ4mrZu.exe\" O"	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\C3HYMVKZ\\AL3Lz9tbulQ2.exe\" O"	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Videos\\Sample Videos\\K4oVZkZnJ1Yhv.exe\" O"	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe

Executes dropped EXE 1 IoCs

Processes:

8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe

pid process

1668 8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe

pid	process
1668	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1924 gpscript.exe
1924 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1924	gpscript.exe
1924	gpscript.exe

Modifies data under HKEY_USERS 58 IoCs

Processes:

dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exegpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\xMgclAezVPeOZmZg5mviMBEhcb7sn8ml5.exe\" O"	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\SbE155uZnJLWCEqxAEKHibGOKazAaTH9JXqp3r73iskMqLv6fDcGWB.exe\" O"	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\tM2LNYwepoVweB7SfCOWVuXnIpdMUHCdo.exe\" O"	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\qEGsyaR8MtYmg7KZUoRQ6cJTiuxEwKmj2EAloMb7zKvldURkKIQHMD.exe\" O"	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000502d8f5de700d901	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\Favorites\\F6TxnM8DwTtjNSCM.exe\" O"	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-19	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Downloads\\4brHTRLvJpdpRXhp5sQQbmXeP90HimDVgFv6yUnMV1OdUrg.exe\" O"	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\3BK4Cjj4L4Qurw25VaUoX0jXS9woYXdG7aBAC7SEx37uzd8lFnNByBkFQJ8BWTMtUPLv.exe\" O"	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\hBgttSNtg8QrGHrPruodoql6up01VK5OYZ1Id.exe\" O"	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\bBlnMPpGwjgam3XWCEY7VrKtEaJpppcL.exe\" O 2>NUL"	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\tsKTf1Xd425pKq98MByxdB9geKy8Yc3pWuTNAZuNMSCaxOYOeaQnjykbj3hynHJLSZwrpQ.exe\" O 2>NUL"	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\iz3NhYwOrLMfrlm2aNSSnFUTCvhlm7HaPkEaHBmUkUk.exe\" O"	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\18\\K8PGaZBckwfNMXqhu.exe\" O 2>NUL"	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-20	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\RqTBkZP8dnUamvAYJcDF9xPDV93hDSjSV8VPhvDvsf8n7AKd.exe\" O 2>NUL"	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\26\\bpCNGvmC21zaf5zbzj1Pdx2nLwQBuCdr6SATrTztAZo.exe\" O 2>NUL"	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\.DEFAULT	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\LmilCef62SPgO7BRVKzpTRZFazccmxTpiLAP7gO2Di0q.exe\" O 2>NUL"	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\53\\nyP0y2HtyizeJsRJBf3tDGWuxDm85gGuGcRBQ0An.exe\" O 2>NUL"	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000070dd6499e700d901	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Session Storage\\nkB6XZZIQ3jxO7u7grxDpZOa.exe\" O 2>NUL"	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\gU8UTRUFOfLBFuRm5p86xZ5AJbuSXVV5AIIRP6qkpUkL665Uis7wP1gx.exe\" O 2>NUL"	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe

Modifies registry class 12 IoCs

Processes:

dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DNTException\\0SfivJyIbUwjwuwRNjSvoLXIA6Of2tiN0.exe\" O"	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\VXulDpZXbssbwv8b22xEMNjN8P61pmr5uvw7ucIlD8mwFtWvFUsiY0tk.exe\" O 2>NUL"	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\SOFTWARE\Microsoft\Command Processor	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exeAUDIODG.EXE8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe

description	pid	process
Token: SeBackupPrivilege	1276	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Token: SeRestorePrivilege	1276	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Token: SeShutdownPrivilege	1276	dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
Token: 33	468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	468	AUDIODG.EXE
Token: 33	468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	468	AUDIODG.EXE
Token: SeDebugPrivilege	1668	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Token: SeRestorePrivilege	1668	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1924 wrote to memory of 1668	1924	gpscript.exe	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
PID 1924 wrote to memory of 1668	1924	gpscript.exe	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
PID 1924 wrote to memory of 1668	1924	gpscript.exe	8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe

C:\Users\Admin\AppData\Local\Temp\dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
"C:\Users\Admin\AppData\Local\Temp\dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:900

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x54c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1808

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1924

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
"C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1668

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Filesize
1.5MB

MD5
770feb40be79cae37f01ec57999016fc

SHA1
278e19e9db2299a8a952a4e612b5be8675162078

SHA256
0eb557362470f16e6b6a5b4fa04c5bba65c6efde87c2168bbc5380582ba3c569

SHA512
f76f82920b185d26609b52e327af703b01d02d6dbb8db50f2a0eb1ef3dcc97655bba0dbf48ab92d0ca269a6f163b0625ae70d9f7c8821ab95e6e5f5c08b1c936

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Filesize
1.5MB

MD5
770feb40be79cae37f01ec57999016fc

SHA1
278e19e9db2299a8a952a4e612b5be8675162078

SHA256
0eb557362470f16e6b6a5b4fa04c5bba65c6efde87c2168bbc5380582ba3c569

SHA512
f76f82920b185d26609b52e327af703b01d02d6dbb8db50f2a0eb1ef3dcc97655bba0dbf48ab92d0ca269a6f163b0625ae70d9f7c8821ab95e6e5f5c08b1c936

Download Submit
C:\ProgramData\Microsoft\Search\Data\xMgclAezVPeOZmZg5mviMBEhcb7sn8ml5.exe
Filesize
1.2MB

MD5
9e859f0dd88e95aa410827f449a0b847

SHA1
0e1d74a28091edd7c7214a8b87c9225ce1fe8fdb

SHA256
873feaf6ffa5945d63dab55efe11febf2f587125317da2e8aece057913b7c8d8

SHA512
9510f30d0a1d09412cff1c21ec7b296dd2fd840a84d45345700f0677e5c0261d265c2df589092c67b8ed67cc99efca6474767065365cd65e8f8ff244026c902e

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\qEGsyaR8MtYmg7KZUoRQ6cJTiuxEwKmj2EAloMb7zKvldURkKIQHMD.exe
Filesize
1.2MB

MD5
a35b6c4bfbbf5fb3fd45f9411649321b

SHA1
745bff722128de70f68da62a2b78629017e3a162

SHA256
e0a4655f22de7622d5fe5a552237e3d6b05683d0d2582aee0557fe2c77ba1b26

SHA512
98239cc428bb60d07a67712cf432ea7d0788ddb279d83ed31d739c3b060b152f9dbfa26a0fa3638feae89329bdd5f6c8c03ddc8666b9810489ddc5eb7e0ca8a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\K8PGaZBckwfNMXqhu.exe
Filesize
1.3MB

MD5
3a4a6d0594d55de35667096562117974

SHA1
3c1be5ac7fa865409f8759ad58bf3e03ee5d42e5

SHA256
5514ebd892603c6c2bdf472fdc4bea8d735af1ce742706361393512dcaf39aa6

SHA512
82d8350094b75699e8eab9b553d12ecfe86016fe6d0beaf13c571dc856ae3069e0594ce524a198f84685d8cc0793da81bfbeb9671d2b2689b50007e9e61c8956

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\bpCNGvmC21zaf5zbzj1Pdx2nLwQBuCdr6SATrTztAZo.exe
Filesize
913KB

MD5
bd7192a72638a1fceb269c60b6b73142

SHA1
7a8c28215b45ecc14d8e742db1f7646a3ce7b896

SHA256
2f9072f3fc65dd74c9b1ebc31234739aa020a98e8643e0a40b4bdf094c751428

SHA512
2d926642eec56c76a01200bd577ae442cb44b349582719cf82f1d557336ab879249ea2098bac7e487db9a197871cedc43e20eb8cd7ee1445b234c97f76bc1310

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\nkB6XZZIQ3jxO7u7grxDpZOa.exe
Filesize
1.0MB

MD5
7ce7398aea031a873a6cf18c8e55047b

SHA1
223f02f9df9ad2ddf35502f700770e15a730c2c5

SHA256
a9db48187a13addcc77b88a453ec472a73130537ec823b44087f76d4987385c3

SHA512
6f8d95c2063c3c4985b98a7177a361399d7eafc8c1cc432f9f93c4f2d8e859b44941508439e90cb41d916ac7423c2fe1d0650f0d7de946672f57c64db6560b47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\C3HYMVKZ\AL3Lz9tbulQ2.exe
Filesize
923KB

MD5
bf31f569c094bfb0f5a0845d914686ae

SHA1
18caeeca50ebd52b2a1e969e997fac6e163fa290

SHA256
c58658f9b5faed71f128b90efa199dfb0458ef7319d411b6a2d937e42679c3da

SHA512
3bb6464fca52b30a96ef5667c9ea5a6d7846663d487fc879b5acb67e0ec6ea29881b170978ea058a0e57fc2a61defc0f6ae486cc162ca40750c00391b355653e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\C3HYMVKZ\NpbfYSn9D2BhIPf3jhP81VuIhP2gRColMevZiLfAeT.exe
Filesize
1.0MB

MD5
9c53625a7e38bcc12455aeea4a9fbdbf

SHA1
46dd74835e36fd0ab1e186e7a2547e6ae2b64f1b

SHA256
b4473ef3bd4c0af58a14fdb9ad389198e58a46da4e444c2335b085b4e0bc3699

SHA512
47f8295586d70e302588e827b19ce638b4f438cdcf0a348489bfecc88b0cd452f9c7b3f1cc28bff4695159045f08e1a5e546e96bce0c70b44f426477d2bbd1f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\3BK4Cjj4L4Qurw25VaUoX0jXS9woYXdG7aBAC7SEx37uzd8lFnNByBkFQJ8BWTMtUPLv.exe
Filesize
1.1MB

MD5
2cc70cd848a83ee6213684864239cdc1

SHA1
59ec37725e025fad2dc43930d10b6c6255418600

SHA256
2fc1da6b9c1a0848b90d80ea5e101164e28edec4c297c36e32207bbdba60c739

SHA512
7e4a03e8b86cc70f8970835e5d826e020f35fff1908a67a143cf1cff9595310594d2ff3a187bb6ff43cd5ebff41b57ff32be314eabebc4a492586c85f17ef04c

Download Submit
\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Filesize
1.5MB

MD5
770feb40be79cae37f01ec57999016fc

SHA1
278e19e9db2299a8a952a4e612b5be8675162078

SHA256
0eb557362470f16e6b6a5b4fa04c5bba65c6efde87c2168bbc5380582ba3c569

SHA512
f76f82920b185d26609b52e327af703b01d02d6dbb8db50f2a0eb1ef3dcc97655bba0dbf48ab92d0ca269a6f163b0625ae70d9f7c8821ab95e6e5f5c08b1c936

Download Submit
\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\8BQU7CpRqm8gUvnj0DxG0tCmU0fQReZ2C5cWgv.exe
Filesize
1.5MB

MD5
770feb40be79cae37f01ec57999016fc

SHA1
278e19e9db2299a8a952a4e612b5be8675162078

SHA256
0eb557362470f16e6b6a5b4fa04c5bba65c6efde87c2168bbc5380582ba3c569

SHA512
f76f82920b185d26609b52e327af703b01d02d6dbb8db50f2a0eb1ef3dcc97655bba0dbf48ab92d0ca269a6f163b0625ae70d9f7c8821ab95e6e5f5c08b1c936

Download Submit
memory/900-55-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

Filesize
8KB

Download
memory/1276-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1276-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1668-62-0x0000000000000000-mapping.dmp

Download
memory/1668-74-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1668-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1924-72-0x0000000000C20000-0x0000000000C4D000-memory.dmp

Filesize
180KB

Download
memory/1924-73-0x0000000000C20000-0x0000000000C4D000-memory.dmp

Filesize
180KB

Download
memory/1924-76-0x0000000000C20000-0x0000000000C4D000-memory.dmp

Filesize
180KB

Download
memory/1924-77-0x0000000000C20000-0x0000000000C4D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads