0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8

Analysis

max time kernel
178s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Size

515KB
MD5

52b63db08080ad73be76914a7b93d795
SHA1

534e983d73ecec65ff8b8e4ef7337292b7070a9a
SHA256

0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8
SHA512

1df366278c8a12c1b4b9b9d00f2849771966f2972cbfba86b0c99a0cc6e73a9dd4332ca9eea536c56545fc42d3d0ee022e22c06beb4a22619635b99e8e49b0c8
SSDEEP

3072:dSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbMtJyVdyw:ssqhJMxzJiU5SeLmNSbMtJU5

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Videos\\Sample Videos\\cjMpTYk6FwLHk.exe\" O"	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\Indexer\\CiFiles\\CP4W6YvqtMoNMIEdjzvzOaRS156MaDrj.exe\" O"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\\packages\\vcRuntimeAdditional_x86\\6SseQ9tncmt9euMQ2xBH7u3ABI87ISTBMEh1Kstii6Q3DoT.exe\" O"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\Saved Games\\wHxEbvGHJaUtD6o4dXNXmerT28heP4vKPfUXjxEBrQnYS8lVdTDJHyKAhwZBlw6dA.exe\" O"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe

Executes dropped EXE 1 IoCs

Processes:

jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe

pid process

1496 jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe

pid	process
1496	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1760 gpscript.exe
1760 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1760	gpscript.exe
1760	gpscript.exe

Modifies data under HKEY_USERS 58 IoCs

Processes:

0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exejhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exegpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\Pictures\\ZpkrSVN3Yw4q4hRT9x8dRFm3ms.exe\" O"	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Key created	\REGISTRY\USER\.DEFAULT	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\29\\niMj076el7NGVF2nUh9C7wQ7L5ejJmu4tg5S2sPoDMDtk1MKtnV9UhIvByneKhXkkAffyF6.exe\" O"	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\GHGNlEcjpQ8YjLShQRJa.exe\" O"	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\Saved Games\\9AWbniH1LEWzNDeRXZlpbnBFdiuQ1wEXKXqvDi3M8NS9ofbuKR.exe\" O 2>NUL"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\Desktop\\425ec9VDzzN18k1CTbI8yiZLUZwWq3yvBkYtHe0PPzjGddOIgSvR8qG5WwcGG5.exe\" O"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\\packages\\rCizm7TTssQZ9jLaatJH4Dqm7ECY.exe\" O"	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\SdpyYcN1CK2H4ZdutDaSowFrJRwTansv2KsscgwsxyIFvhC2DC5R4dmS1.exe\" O 2>NUL"	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\2NdH94gzuEXv0ELvnvPuzx3X5FfjzaiSZhyrHzu4Wdsu.exe\" O"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000070f87b07e800d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\GrShaderCache\\XnPstSD20j1kwuqdFRIc0LdP9d7pWCD8CQjyGT3NPHIO04yBsbcmTNRLFdq0qkMW.exe\" O 2>NUL"	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\es-ES\\VHjvaocad8giXIj5D4TjcUaGmTN5FdbvwgXgEqMg169O6P8JDtb6hEg1xkytEuo3SPIKRo.exe\" O"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\46\\NiijJGoJowNp3pD705gcycdEl5PzbF3w9HivFhsTmyAWcQTisW3r6CnaxrFCH8pdCFox.exe\" O"	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\ckQqQ6enp1tXvCGbiIAVnZFSB1yj6Woqd.exe\" O 2>NUL"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\LZLYL77D\\BpS7V1aIkEb7NRMye7jXwvq95M2krCOWDVdLRvHLJrqdlKuRmHEV36AtXLv.exe\" O 2>NUL"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\xPPFsqHoSxGhS68wNGWLhobvaxvlyDSfz7BNPFqbbHC5vaIZgZPyfPmClf4Q.exe\" O"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\6\\ACveMnJgtk32rAemywGYJNDmfn6EwUzDKAlKDGTw7muaioMQTSi4Tw.exe\" O 2>NUL"	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-19	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-20	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ae6vytmk.default-release\\storage\\permanent\\chrome\\idb\\1451318868ntouromlalnodry--epcr.files\\SyS2qnt8nLfyc.exe\" O 2>NUL"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f0dbc72ae800d901	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\xrtHy8jyha0sWLYqMhy1NLDp4bnWv7y5ccxdAknhcYdAdbhtzwy.exe\" O 2>NUL"	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Last Active\\hKFVsr3wDU5.exe\" O 2>NUL"	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe

Modifies registry class 12 IoCs

Processes:

0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Command Processor	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\15\\ERMAnVAPNOSbRp.exe\" O 2>NUL"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\BP1zzvha00sUzgwf7NIS176kiekCxBJ.exe\" O"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exeAUDIODG.EXEjhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe

description	pid	process
Token: SeBackupPrivilege	892	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Token: SeRestorePrivilege	892	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Token: SeShutdownPrivilege	892	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Token: 33	1436	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1436	AUDIODG.EXE
Token: 33	1436	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1436	AUDIODG.EXE
Token: SeDebugPrivilege	1496	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Token: SeRestorePrivilege	1496	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1760 wrote to memory of 1496	1760	gpscript.exe	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
PID 1760 wrote to memory of 1496	1760	gpscript.exe	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
PID 1760 wrote to memory of 1496	1760	gpscript.exe	jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe

C:\Users\Admin\AppData\Local\Temp\0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
"C:\Users\Admin\AppData\Local\Temp\0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1464

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:756

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1760

C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
"C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1496

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\VHjvaocad8giXIj5D4TjcUaGmTN5FdbvwgXgEqMg169O6P8JDtb6hEg1xkytEuo3SPIKRo.exe
Filesize
962KB

MD5
08131eb2dfc102da76b5f0da0fb8b79d

SHA1
48c445334c6cc5e7b9ecb63d43dbce29b61ccdba

SHA256
fda6ffbc10e44bd043f0e579cfd5f2d803e7eb8d8ce7384a14a22689f225cda0

SHA512
647abda2523297bfb084b3efea357afee8fda271053332b1be27dcf641f9e235c8ee505faeba82c5a23e50d51a6f690978c6569c530e97bf257303ef2b107eeb

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Filesize
720KB

MD5
3850aacc96033e6e0cb1f1aa381b8f70

SHA1
8397bc4645cc8fda2da710c8f53f5d0587ade5ee

SHA256
3bc564454a97116dee66255e3fe4fde455f77f302e64eaae7e0b70c48d080cf2

SHA512
a3e01f709a6ebad897d33783a99bd2fbcbd596ab74bb47f899de8ca1566180775bb23bd21fb46078751f72f1741674c89d9b83af9aada40779a72fde03ddcee4

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Filesize
720KB

MD5
3850aacc96033e6e0cb1f1aa381b8f70

SHA1
8397bc4645cc8fda2da710c8f53f5d0587ade5ee

SHA256
3bc564454a97116dee66255e3fe4fde455f77f302e64eaae7e0b70c48d080cf2

SHA512
a3e01f709a6ebad897d33783a99bd2fbcbd596ab74bb47f899de8ca1566180775bb23bd21fb46078751f72f1741674c89d9b83af9aada40779a72fde03ddcee4

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\6SseQ9tncmt9euMQ2xBH7u3ABI87ISTBMEh1Kstii6Q3DoT.exe
Filesize
940KB

MD5
ecb490ee429937d4cf88451fee56e788

SHA1
f2bfd9538bda94e60f711b4a22edaa414cd42144

SHA256
06a8ac64411b08b37f85fe3335684ebae1ed1c7f738eceba59f5dbefa571d361

SHA512
d75e3de929e117318e4675d0b857010afe9d248bae72b81a1d9413b9ce34f1b5cdfc596d6135b15c32e3c9bef7c3c295a8c1eff17359db3cc7007b1cb11f631e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\ckQqQ6enp1tXvCGbiIAVnZFSB1yj6Woqd.exe
Filesize
654KB

MD5
6ef5196817fe16050991fd73370e1593

SHA1
3d7156809c0ff50e3ecdfc6bc738884c5f8151a6

SHA256
1f62db9eecefa1b84d6d3e6d986e2af86d85e2d0d48c1360defc8384f6d55be1

SHA512
51ed486a67d04075e156128cb24440a7a9948fab22af9ad2b75131d92fa87330abefe4a7ebb6f3dc4fd19bca2dfcc2181397ef9cd9d35762f9d8f7fc56ef83c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LZLYL77D\BpS7V1aIkEb7NRMye7jXwvq95M2krCOWDVdLRvHLJrqdlKuRmHEV36AtXLv.exe
Filesize
890KB

MD5
e55ea85aad67d23a081897ee24a0cf32

SHA1
f81003e381b6edb0cea3a59c3ebe00bcf3f5c109

SHA256
96bf69da75b7933b0860f4376bfbb76801fc74931c455478192a573495dbe4be

SHA512
437a8d537e7b4a6d3e9a74e517bf188aa79aca81b6f9e6e4a1e81afee95ba5783adc7d3c06328ec14dc010bc7f9251c4ea917881b8e4d40cf96c855c1251a102

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\2NdH94gzuEXv0ELvnvPuzx3X5FfjzaiSZhyrHzu4Wdsu.exe
Filesize
1022KB

MD5
79de48dd6443cef23db3d3545ca44e30

SHA1
45d8589ef3150c0d6354b5a7ee3ce629c0909102

SHA256
7ddeed15f85b6d818a6d29b79ec6b98eff5ca99b64fb05a4ad03373d44493b18

SHA512
1579bf5210489b649b26a073aa47fb34326addacd636a60c5cabd01860a8aa61aafd343ecad28979ce389c5616156a36bcea1e4e79cd863bcdda9f0233fbdec3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\8ruHecwNd06JZMKmTi2XgEyDlDEGQ2mEw1sUIoKzCYbeRRHuNZ0jOg0W11t.exe
Filesize
804KB

MD5
249826118405114eaf213c81b2551303

SHA1
2d909462e2d891d31edc44fafc9295fe529f8a11

SHA256
bfb232819e998704905f30db90f6e5fbee978768d01b18b86df89c6126ebe2af

SHA512
73b639eee07fe4fd6f21ea4bd9fc693970dd783aee69c3502c4fa1ebfcdeb2be04e1905ccd144afb058a16e6b07328e3f95f83db96e63db321276c84eab89828

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\SyS2qnt8nLfyc.exe
Filesize
549KB

MD5
2b0114ea157d5eb453cd3539457b4789

SHA1
89a434752877c7d21f4123b4a0138671789df410

SHA256
bcc779927197a4051083803a9d3196b1f62fc4e5f332db0c60ae5b9892c58444

SHA512
0b4fa0ec5ee0c7ca446bef8695f75c6b362c6e343fb2b53106431a527e79edce1f0bf4103f8869aeba309d7f23311be4e8201082fcab60e4bfb91a4652c745af

Download Submit
C:\Users\Default\Desktop\425ec9VDzzN18k1CTbI8yiZLUZwWq3yvBkYtHe0PPzjGddOIgSvR8qG5WwcGG5.exe
Filesize
919KB

MD5
fa73a79f839c41603db44b462b835ec6

SHA1
a780e0b5968eedf285eea2c5813549f3d6c6f3af

SHA256
841f3b104780e25c47bf5714154267bdecefa3ad182ab131f08c029d32537a2f

SHA512
0c0dbf777015f736f83c1fae5ebe6477d64e838ee7eecb06eab31a17c9a44755411c0416b5fd14d74587940fa28a8ea583ae202f5c079fc6592bc06bbb45c228

Download Submit
\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Filesize
720KB

MD5
3850aacc96033e6e0cb1f1aa381b8f70

SHA1
8397bc4645cc8fda2da710c8f53f5d0587ade5ee

SHA256
3bc564454a97116dee66255e3fe4fde455f77f302e64eaae7e0b70c48d080cf2

SHA512
a3e01f709a6ebad897d33783a99bd2fbcbd596ab74bb47f899de8ca1566180775bb23bd21fb46078751f72f1741674c89d9b83af9aada40779a72fde03ddcee4

Download Submit
\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\jhJKoDgmRoRaC0iCqk4SAtbgXA9cINjTLykjjcsQEVtcCHeJsJGocPVXxDe2gr.exe
Filesize
720KB

MD5
3850aacc96033e6e0cb1f1aa381b8f70

SHA1
8397bc4645cc8fda2da710c8f53f5d0587ade5ee

SHA256
3bc564454a97116dee66255e3fe4fde455f77f302e64eaae7e0b70c48d080cf2

SHA512
a3e01f709a6ebad897d33783a99bd2fbcbd596ab74bb47f899de8ca1566180775bb23bd21fb46078751f72f1741674c89d9b83af9aada40779a72fde03ddcee4

Download Submit
memory/892-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/892-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1464-55-0x000007FEFC201000-0x000007FEFC203000-memory.dmp

Filesize
8KB

Download
memory/1496-62-0x0000000000000000-mapping.dmp

Download
memory/1496-68-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1496-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1760-67-0x0000000000D40000-0x0000000000D6D000-memory.dmp

Filesize
180KB

Download
memory/1760-66-0x0000000000D40000-0x0000000000D6D000-memory.dmp

Filesize
180KB

Download
memory/1760-76-0x0000000000D40000-0x0000000000D6D000-memory.dmp

Filesize
180KB

Download
memory/1760-77-0x0000000000D40000-0x0000000000D6D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads