43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f

Analysis

max time kernel
176s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Size

790KB
MD5

5578387f06f400080bde5edffb916326
SHA1

e7314811b374b84b703fbd13bfed773c2f122c48
SHA256

43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f
SHA512

3694a0a8315e854f9bea7fc4f2641087f8a84981b1b68e3088fa63ebec76c85e2df67d634af97796315b87c108a3f898ea73dba1116bf45f8d6403fd9c24a7fe
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\RAC\\Outbound\\OGLkCM80La7EO24SOREWCkb5EvVBHByk31xIsefPoLLqeT2zRv7AgdMy5q3Z1vK.exe\" O"	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\neBinVqTgyKw6P6oO2xy7ic09KHlC23m7VaCte9DfoU9EdyRcernSSSD2EtsgWW2OrEWPq.exe\" O"	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\8230B49q6bNv7TQaz6CJRrB6MhJhRcKWGE.exe\" O"	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\Saved Games\\y9ymJC6hVZTUwHPbQe.exe\" O"	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe

Executes dropped EXE 1 IoCs

pid	Process
856	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat

Loads dropped DLL 2 IoCs

pid	Process
1312	gpscript.exe
1312	gpscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 58 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Config\\OForm5Iw.exe\" O"	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataStore\\1tEFa2RTHnXNiMNzhbLdyBZ3O04jLbobP4Wf0rddGlr8Pnd34QINS.exe\" O 2>NUL"	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vcRuntimeMinimum_amd64\\rs1djmHJdzVgsqrRPNyRZLtDG2yPdqgNxIpNvZM7JY8MkYoctzkp.exe\" O"	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-19	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\lIIA1kZZw1lQAxu5CKM1Is7dJtjRJaJWku7P4uSyUsvojrNu42w.exe\" O 2>NUL"	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\es-ES\\d4PbN0LC85Pp2FTQwXsOis3srk4cevIXvBVaDW2uixkE6COy1Mg.exe\" O"	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\bmCCdJ0OuoM9kMSFufu69sH5qIxuZHJnw4bzGQ9xj1yHahXoZbXhX.exe\" O 2>NUL"	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000304879b8f200d901	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataStore\\BwYhyCRv6oowZ8XhJaqe53vg.exe\" O"	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\40\\igQjttAjaBAFOTk2itcISKhtYZiwloho246QugxCIIEtvBhdeZ7o7IQr2ntrripwv6A7.exe\" O"	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\20\\OB5qwydRIO6n1bvPflrwRevrnN9EJ2eU3okis.exe\" O"	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-20	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sj8nsBS6lBsUl9wr6mbqaF8KSr.exe\" O 2>NUL"	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Java Development Kit\\Kx7fQu7npy2v1CzvggOiq0cMG7b0Rqw426dZjOLHgkro4ipAaBP3wbGiKG8u82C0J.exe\" O 2>NUL"	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Code Cache\\js\\index-dir\\PApGCiMlxYmndgM9hw7t86VFxd3gvNRmG32wOPGBYJMch9VTeex1lR.exe\" O 2>NUL"	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows Sidebar\\LgySdWzN95QlIO8lMz0O0uAdIQ7hqlaivfkyjeNOagNL6RRrxBdeD1HyBoyt1ZzDNM.exe\" O"	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\tMqhD1jjFzVkHrFWkoJN6XTRyvri6TVe.exe\" O 2>NUL"	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\F4lYb2m5QbtsvRM0IdqFbIDsKqnOCPHHxj7Y50Nt7.exe\" O 2>NUL"	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Crypto\\RSA\\AGrndIgv4uCPTfBKnNrOe46W1MuZ6qdBl22sB6nPSm7aZ.exe\" O 2>NUL"	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\de-DE\\5W5vk7t3SyLrF3v.exe\" O"	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Key created	\REGISTRY\USER\.DEFAULT	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000050ebfbdbf200d901	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Nf7sBYbM3XC8u8py5ibyCREq41j7XQVcVilC3x8TjoSfsgXBoTqThluhY27uI8XbhZnB.exe\" O"	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Command Processor	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\packages\\vcRuntimeMinimum_x86\\JUmRDnbHTxIjVQLs1Aju3h7aqFo6yOnugBFPcez7jKPRneSH87D4yufu1SWEujjtMeWK.exe\" O"	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\DRM\\Z8ST61Ll6CLrB5xf1e1ylMstA4ZFYlVzlOBDArXhwf1etb.exe\" O 2>NUL"	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeBackupPrivilege	1596	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Token: SeRestorePrivilege	1596	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Token: SeShutdownPrivilege	1596	43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
Token: 33	1852	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1852	AUDIODG.EXE
Token: 33	1852	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1852	AUDIODG.EXE
Token: SeDebugPrivilege	856	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
Token: SeRestorePrivilege	856	En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 856	1312	gpscript.exe	32
PID 1312 wrote to memory of 856	1312	gpscript.exe	32
PID 1312 wrote to memory of 856	1312	gpscript.exe	32

C:\Users\Admin\AppData\Local\Temp\43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
"C:\Users\Admin\AppData\Local\Temp\43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1812

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\Contacts\En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat
  "C:\Users\Admin\Contacts\En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat" 1
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Sets file execution options in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\de-DE\5W5vk7t3SyLrF3v.exe

Filesize
1.3MB

MD5
27250dfddbad3f98b17ccfff6b99a2aa

SHA1
d1995aca070248833c4f02907cae9c28d6af96ab

SHA256
0e87aa23b01dd316ee73cb8bc001837889472376cb288e60bfe15e92a1f4fca7

SHA512
008224090c19361c60eefa7357300ee821ad0192a720d19a7aefd6e4cb89e8e8ba6b3d403d0d1bdc0030be0487caa77d0be3300155f75e38d749453192b9140b

Download Submit
C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\1tEFa2RTHnXNiMNzhbLdyBZ3O04jLbobP4Wf0rddGlr8Pnd34QINS.exe

Filesize
965KB

MD5
39224f4f4f7aa89262c10f13064a66a2

SHA1
ebf0de7bb86aa3dee0b8a79756a620b4b637e950

SHA256
2be1519b6096a5962977ca668e7a675d69519b6d149a7498f3132ab7b578bb73

SHA512
c3ce89ba6fedb82ac3a081be101b29eea4b6605303fc7b7cf438b0bced6968000cc8ae443c51e8807f15b8d9b09c60da36de88cc0c5744b6a723259902808144

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\rs1djmHJdzVgsqrRPNyRZLtDG2yPdqgNxIpNvZM7JY8MkYoctzkp.exe

Filesize
1.5MB

MD5
b283600ea0f6e6a6132f4308d14250b4

SHA1
cd0abe3010db44613cd065ed8058b6802a635255

SHA256
feaf9226bfca49379dbeee709f46bb08ed9ebb167e6e5e49b560a48ef5a28fc6

SHA512
669d7430b7a26c874a92f2cdf482d13246b57aef031c674f4057eb7dd547d5dea7c180f6c31201ee34fd78f52bac58109a2c03dab0cabdba99d6beb3d07b6eb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Nf7sBYbM3XC8u8py5ibyCREq41j7XQVcVilC3x8TjoSfsgXBoTqThluhY27uI8XbhZnB.exe

Filesize
922KB

MD5
2bf6d6e64affbb8ef1b3660890b33776

SHA1
daf1d6f67edeae311604c257f98840b71ac4e766

SHA256
9c7a12410621c1dfdd7048f1b1c963d81d31b12c36fd272a49839bdb412d88e7

SHA512
72d36cb840af13ce09b0644b62e3229c182c70690a261ca181d65e538a8dcf1267b2950f514b500bd0de40de6a1107c85eb75368759254aa0b4a9a280dda1d0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\F4lYb2m5QbtsvRM0IdqFbIDsKqnOCPHHxj7Y50Nt7.exe

Filesize
1.5MB

MD5
83dfef05a3dcef77c806a93b244f6585

SHA1
3ed7cd2aeac111e927fb0a3a9e74bf215a70225a

SHA256
53dbed25cf73325ebbea9dc3176fa2a8f8860ee9a5126cd0282b7f6122ce6b25

SHA512
691f9a9b5bfd1c237206ea31d7bd273a3477748eca10b5e13424d1ac2d5bf1bb0a3691d1834747fae57421225378fe76932f501cf29c46bae2164b4b521891c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index-dir\PApGCiMlxYmndgM9hw7t86VFxd3gvNRmG32wOPGBYJMch9VTeex1lR.exe

Filesize
1.2MB

MD5
0e9f6eb89719793f528f5b4f640466a5

SHA1
f1ff98c6043e1f32df4562893e36820e5b157a9f

SHA256
86dbdcbc380766c90bd0adc975d5ef5c27147ccc11afed0cb4d02ec81ee2dc87

SHA512
89e8c77d0bf0c8c0cca42bd84cfb5870d0be618b0f3d8d4f301a252c553b3466778fe5e23d3bd04bf3bd9c4fea1c6ff119b995952bdf9f0005cecf2e2e788cbf

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\8230B49q6bNv7TQaz6CJRrB6MhJhRcKWGE.exe

Filesize
929KB

MD5
f12e0b77388b5ebd548f63605336c32b

SHA1
a0ceabaa6985023e6f3e7a126c43eb7f1990eeb9

SHA256
ba830b3d82a5043ddb09e52a029a13acde95dba866eab333cd7d3c06e030dc55

SHA512
05bf8a03836554436ac32910820364befcaf823dea9953ce22e12c4174d82a57dcdba4f5bb96e3d3c4d3d6c113b3d3c8950d172a5920299fd3b5a88373f090ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\iBqTN788gE1y5nDEKhn0GLw3WTulCBxH34VVA0jJTVqvqnd1gGhOyITbu29LEj.exe

Filesize
1.5MB

MD5
f37bca799172e3a0fa784dc15855afc6

SHA1
e2a5c1b6109a7abc0fb6cfa82eade5e1cea8cfd2

SHA256
abef7c96b1044f16a890a65de9e060d7763cbbd616bd0e2c0a5f0cb8816d2b7a

SHA512
cc3860b94c6f20ffa73d2cb436fe8f57e1580602d82ce253ce0fafccb8da5042870a48f9343246c66ecbdf1e8fa5ca051af8d35c61ae30754bc1472927852a41

Download Submit
C:\Users\Admin\Contacts\En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat

Filesize
1.4MB

MD5
ad9a57751fb85cdaa91d4fbf95519f30

SHA1
0fb1e53fc58583cc1527adb8389d421b926cc093

SHA256
ddf192a554989f0092aea6c891ea420b11672e422076655059239a33be437e41

SHA512
092572f2c4771732dc7f5c76a9329159c5bcfb826b798e7ceb10cc209b8a499c8a77719f3a1c738557b2f1bb243ceb95db2efeecbda5369171caeb690edca2b4

Download Submit
C:\Users\Admin\Contacts\En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat

Filesize
1.4MB

MD5
ad9a57751fb85cdaa91d4fbf95519f30

SHA1
0fb1e53fc58583cc1527adb8389d421b926cc093

SHA256
ddf192a554989f0092aea6c891ea420b11672e422076655059239a33be437e41

SHA512
092572f2c4771732dc7f5c76a9329159c5bcfb826b798e7ceb10cc209b8a499c8a77719f3a1c738557b2f1bb243ceb95db2efeecbda5369171caeb690edca2b4

Download Submit
\Users\Admin\Contacts\En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat

Filesize
1.4MB

MD5
ad9a57751fb85cdaa91d4fbf95519f30

SHA1
0fb1e53fc58583cc1527adb8389d421b926cc093

SHA256
ddf192a554989f0092aea6c891ea420b11672e422076655059239a33be437e41

SHA512
092572f2c4771732dc7f5c76a9329159c5bcfb826b798e7ceb10cc209b8a499c8a77719f3a1c738557b2f1bb243ceb95db2efeecbda5369171caeb690edca2b4

Download Submit
\Users\Admin\Contacts\En5RWQRXyM3IZ50R5A77HdMM3ZcOncZ.bat

Filesize
1.4MB

MD5
ad9a57751fb85cdaa91d4fbf95519f30

SHA1
0fb1e53fc58583cc1527adb8389d421b926cc093

SHA256
ddf192a554989f0092aea6c891ea420b11672e422076655059239a33be437e41

SHA512
092572f2c4771732dc7f5c76a9329159c5bcfb826b798e7ceb10cc209b8a499c8a77719f3a1c738557b2f1bb243ceb95db2efeecbda5369171caeb690edca2b4

Download Submit
memory/856-71-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/856-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1112-56-0x000007FEFC421000-0x000007FEFC423000-memory.dmp

Filesize
8KB

Download
memory/1312-69-0x00000000010B0000-0x00000000010DD000-memory.dmp

Filesize
180KB

Download
memory/1312-70-0x00000000010B0000-0x00000000010DD000-memory.dmp

Filesize
180KB

Download
memory/1312-76-0x00000000010B0000-0x00000000010DD000-memory.dmp

Filesize
180KB

Download
memory/1312-77-0x00000000010B0000-0x00000000010DD000-memory.dmp

Filesize
180KB

Download
memory/1596-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1596-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads