521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81

Analysis

max time kernel
56s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:19

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Size

271KB
MD5

e8d3f1d4567b2f01eb55a21b68396219
SHA1

a7189a5028ca89b0d6ddaba49c777a3f39af47ee
SHA256

521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81
SHA512

9bff54120573e779efa2a4d0d6c146ff0becd7e579a9733c01bfa1c0bcb4d5f0e00e4a87efd0f7a5b6ee038c4e21aa19daf0a22a7a214eaaf33e6a4956168b13
SSDEEP

3072:dSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbMtJyVdyw:ssqhJMxzJiU5SeLmNSbMtJU5

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

h06sHEZpCQg6Y53psh4r6EKZ.cmd

description pid process target process

PID 1224 created 588 1224 h06sHEZpCQg6Y53psh4r6EKZ.cmd svchost.exe

description	pid	process	target process
PID 1224 created 588	1224	h06sHEZpCQg6Y53psh4r6EKZ.cmd	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exeh06sHEZpCQg6Y53psh4r6EKZ.cmd

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\nCSUh3Sx01PQnIpDKiZHJrv2Ud6VSgK2iul3hW9VUUIBahclVqxgwaRM3X.exe\" O"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\yAv8ZkK7rdyrazdWyeIPpr5M1ikciRGP5.exe\" O"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\kUzKieIZ3JiPYe3z.exe\" O"	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\6ZX2CYhRwOqnJp7XJmdo1bVhnLy2bLRDGee6SCq22Dlqk1rw4yVeGsNmuLtjx5kyi3eFc2.exe\" O"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe

Executes dropped EXE 2 IoCs

Processes:

h06sHEZpCQg6Y53psh4r6EKZ.cmdh06sHEZpCQg6Y53psh4r6EKZ.cmd

pid process

1224 h06sHEZpCQg6Y53psh4r6EKZ.cmd
560 h06sHEZpCQg6Y53psh4r6EKZ.cmd

pid	process
1224	h06sHEZpCQg6Y53psh4r6EKZ.cmd
560	h06sHEZpCQg6Y53psh4r6EKZ.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

h06sHEZpCQg6Y53psh4r6EKZ.cmdh06sHEZpCQg6Y53psh4r6EKZ.cmd

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	h06sHEZpCQg6Y53psh4r6EKZ.cmd

Loads dropped DLL 3 IoCs

Processes:

gpscript.exeh06sHEZpCQg6Y53psh4r6EKZ.cmd

pid process

364 gpscript.exe
364 gpscript.exe
1224 h06sHEZpCQg6Y53psh4r6EKZ.cmd
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
364	gpscript.exe
364	gpscript.exe
1224	h06sHEZpCQg6Y53psh4r6EKZ.cmd

Modifies data under HKEY_USERS 64 IoCs

Processes:

521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exeh06sHEZpCQg6Y53psh4r6EKZ.cmdgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Crypto\\DSS\\WHlo5o2rKFNtB9EQdYcufFTMONjmqbQF78KoFmyGSH3XEDR6h.exe\" O"	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\JitMdtOepuC.exe\" O"	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\6Kl4dorqNSF6fOOytB22fCt73VnvFoodrdwx6tgrWaIlqdOJ1f83zTpdEgnk.exe\" O"	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000e02f9afdea00d901	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\DWVRO87Jjwv14LJym1C33.exe\" O 2>NUL"	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\USER\S-1-5-20	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\NlMFlLLQvu1Pvm6Au645u1xvZ502p.exe\" O"	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\QU68Aw5i3n5hwofUsI8rmdLRICQB9qyWqS.exe\" O 2>NUL"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\USER\S-1-5-18	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\fHGaL95w4T.exe\" O"	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Local Storage\\leveldb\\1kaZuyF2frRrCIrnpFPtKahw4VBkBS0tPIEsTGOLsPOMy.exe\" O"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\18\\defLJannqT6f8fvu2LJfOSzbc2tpTBiIOHpS0NXxolPmA.exe\" O"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Ringtones\\LVHuwRZaRGpZzPP3R1gzRJKjynkaZr5Q92gD7PnuXP7z3JT7gMG1LuIcz5Cg0qKne4nt.exe\" O"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\50\\vylTPF51hu5k60ZtNgGnLcHxDijVd5SD.exe\" O 2>NUL"	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FF393560-C2A7-11CF-BFF4-444553540000} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000206d95fdea00d901	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\13\\MAkgiKDbFp3GVWqUFigkJttMwKHYCLcC.exe\" O 2>NUL"	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\52\\qgfdFCLC0nwz6bv3w4CGUoHzsMUxKPUd1IOEqi6EEHBCHkYVpajQMIKPHKajfW9NNS.exe\" O 2>NUL"	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-19	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\\packages\\1RMUBndQJGrxg.exe\" O 2>NUL"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\P9hWn3iRcpRQ78ejciTwguR4sE.exe\" O 2>NUL"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000080ce97fdea00d901	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\dvQtSfICdX0ul5pxUyaW9YmB2zL.exe\" O 2>NUL"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-20	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000602c40f9ea00d901	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\.DEFAULT	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Subresource Filter\\6p3vhn0oXSD913fsKU8ZukWY2BYI1aPVoH.exe\" O"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe

Modifies registry class 12 IoCs

Processes:

521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Command Processor	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\n23IRM4dwhMANGuLO9gK7r8NglVTtYnDyj4fLN9hEwV88YE5wl.exe\" O"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\GVr2LbIi1A4tN6VDkFJZ72PdvCy83w21Nd.exe\" O 2>NUL"	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

h06sHEZpCQg6Y53psh4r6EKZ.cmd

pid process

560 h06sHEZpCQg6Y53psh4r6EKZ.cmd
560 h06sHEZpCQg6Y53psh4r6EKZ.cmd

pid	process
560	h06sHEZpCQg6Y53psh4r6EKZ.cmd
560	h06sHEZpCQg6Y53psh4r6EKZ.cmd

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exeAUDIODG.EXEh06sHEZpCQg6Y53psh4r6EKZ.cmdh06sHEZpCQg6Y53psh4r6EKZ.cmd

description	pid	process
Token: SeBackupPrivilege	1976	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Token: SeRestorePrivilege	1976	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Token: SeShutdownPrivilege	1976	521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
Token: 33	1992	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1992	AUDIODG.EXE
Token: 33	1992	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1992	AUDIODG.EXE
Token: SeDebugPrivilege	1224	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Token: SeRestorePrivilege	1224	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Token: SeDebugPrivilege	560	h06sHEZpCQg6Y53psh4r6EKZ.cmd
Token: SeRestorePrivilege	560	h06sHEZpCQg6Y53psh4r6EKZ.cmd

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exeh06sHEZpCQg6Y53psh4r6EKZ.cmd

description	pid	process	target process
PID 364 wrote to memory of 1224	364	gpscript.exe	h06sHEZpCQg6Y53psh4r6EKZ.cmd
PID 364 wrote to memory of 1224	364	gpscript.exe	h06sHEZpCQg6Y53psh4r6EKZ.cmd
PID 364 wrote to memory of 1224	364	gpscript.exe	h06sHEZpCQg6Y53psh4r6EKZ.cmd
PID 1224 wrote to memory of 560	1224	h06sHEZpCQg6Y53psh4r6EKZ.cmd	h06sHEZpCQg6Y53psh4r6EKZ.cmd
PID 1224 wrote to memory of 560	1224	h06sHEZpCQg6Y53psh4r6EKZ.cmd	h06sHEZpCQg6Y53psh4r6EKZ.cmd
PID 1224 wrote to memory of 560	1224	h06sHEZpCQg6Y53psh4r6EKZ.cmd	h06sHEZpCQg6Y53psh4r6EKZ.cmd

C:\Users\Admin\AppData\Local\Temp\521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe
"C:\Users\Admin\AppData\Local\Temp\521f1427e5905de3694213d1ceb8daefb1da9d1eb8e186895c17bff9271e2f81.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:588

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\h06sHEZpCQg6Y53psh4r6EKZ.cmd
"C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\h06sHEZpCQg6Y53psh4r6EKZ.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1676

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x544
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1620

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:364

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\h06sHEZpCQg6Y53psh4r6EKZ.cmd
"C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\h06sHEZpCQg6Y53psh4r6EKZ.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\dvQtSfICdX0ul5pxUyaW9YmB2zL.exe
Filesize
458KB

MD5
41bea1d92516f0bfa1b435ead4ecfdcc

SHA1
1637204a01ad7ad51bbfdedaa915e2ae9c719b5b

SHA256
a69ad7756617efc7150946a6e20e0619cdcfbc3b3f41daf714cc77af35571145

SHA512
fa1352e83480db844e2bbc969bc964aa9b6f8c42412e58de6243ef8f425c9b4f0b4115b950c884da3e10d45ee296d5b28153170352087d495f7f1a4f27e64425

Download Submit
C:\ProgramData\Microsoft\IdentityCRL\qrXw8cI9kG1LoBDlg6DxGMHxtdzsMtdfUHILLZf8bmXKplBxgX36KD0W4F07vt1AqgbxzW.exe
Filesize
324KB

MD5
1f81f3e04e7701ffd934a3b58558cbea

SHA1
257e99a96461d28bb2839a8f329ad2910674efe3

SHA256
7eda185bb0984a9bda5226b69473af3c41ab3959116d503a9e901871ab0ca1f0

SHA512
495d601fb82c0733443e1f6f98f9c162b16c2b8cb708317a845709f2e072358c047bf81841c1c4321434be6047f17bc24d4bf59be543d2ebbcc14906d1f6029d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\P9hWn3iRcpRQ78ejciTwguR4sE.exe
Filesize
509KB

MD5
e5899feddf1cc47d35b203832bfb3638

SHA1
315c4476519923b7b7c021cfc0628aad37c74362

SHA256
8f02e932fbdfe9f6c173c8c6a8f68a6af95f5aa56382949f4d8a4ca3d291ea18

SHA512
6633dec6c2a9a026ee2018d3b4638bafa7dcad11032b29a2d236ef1c34389e799fae3f1a45565535fa77e63c30791a2906d44cbef7a2932cf14eb4d271523557

Download Submit
C:\ProgramData\Microsoft\nCSUh3Sx01PQnIpDKiZHJrv2Ud6VSgK2iul3hW9VUUIBahclVqxgwaRM3X.exe
Filesize
392KB

MD5
15f8ec9e78193f881378389e9f4d97c2

SHA1
8b3c286217945e7fb3406a5484789d561a63f2d8

SHA256
19e56e39ea5333bfd9935649db43a67dac7d3a0c9b1b736d42e515b465c4e66e

SHA512
00ba1652cd8e6311bc39d28c94b137e4f9d8d7ff34adad68fe8c3e895cff2d7231a6434f5662b2215b590cf740f3496d663d85a8fe4cc45c8b8731b35cfed2d9

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\1RMUBndQJGrxg.exe
Filesize
482KB

MD5
efa4fc955d692bff9f69fb7c3bf4ad2d

SHA1
614551d12b39dfa55b761f816018ce1b40eccec5

SHA256
7b2bfde0e667d14c33aa188769474780d397b10ab8fdf88fbcad8e0f64a31a39

SHA512
ef915d993259cdcad9709098d230d84f80a1e51fa622eceb8051717f50092f05fedc68d8c9f0ed117fd28f62c52d9673cf1ed9fb138e32e872effa921c40f07c

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\defLJannqT6f8fvu2LJfOSzbc2tpTBiIOHpS0NXxolPmA.exe
Filesize
519KB

MD5
8d450036886ee852c279feb8fffdad2a

SHA1
cfe8b5c9c5e7274bf36fcbe30650229b2a60dc88

SHA256
51e59e3089cfe0d698d9dd3e356490b898694f273ceaceee0145fece2dfd2c7b

SHA512
62e62281eba366688ededd940a9a3c138a4ad7da64c497020ce988e640331d1d49edd0cddc8933c1d2da0554f08a5069c049279c95758a08fc2a833fdac3fb1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb\1kaZuyF2frRrCIrnpFPtKahw4VBkBS0tPIEsTGOLsPOMy.exe
Filesize
415KB

MD5
bd46aa734726ff7ee0f8709b7a9d8764

SHA1
076a8205f082f03abb269f38d8f3e436e8b5c1fa

SHA256
258ce638620fd9cd8173d3f8c16cca91f3602109984f0c21a68857ad5d22fc41

SHA512
9982b2777606fd92c33aad638b0a91961c7a88b8cc3ae42f2377a2717241859a801ce184094e62d40b63c2f8e9d2061af0383535038822803d4d786b15682704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\h06sHEZpCQg6Y53psh4r6EKZ.cmd
Filesize
283KB

MD5
80528f9c36d4ce15e621ceee07e1627b

SHA1
1d1402e9c33bc6c52778106187219b5006efc17a

SHA256
769d7fe98580a1a88103be11ad1e3f22052d1eaac4ce77a9f10dffeefd1d63d7

SHA512
42f409522681afe4db8738181fff8d745d3df303be0e54cac616eea6dada54fb4cb2d0285f4d240e0ed0cbe364c9879294b379efb0f6f55b3ebc4aa1e1c50c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\h06sHEZpCQg6Y53psh4r6EKZ.cmd
Filesize
283KB

MD5
80528f9c36d4ce15e621ceee07e1627b

SHA1
1d1402e9c33bc6c52778106187219b5006efc17a

SHA256
769d7fe98580a1a88103be11ad1e3f22052d1eaac4ce77a9f10dffeefd1d63d7

SHA512
42f409522681afe4db8738181fff8d745d3df303be0e54cac616eea6dada54fb4cb2d0285f4d240e0ed0cbe364c9879294b379efb0f6f55b3ebc4aa1e1c50c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\h06sHEZpCQg6Y53psh4r6EKZ.cmd
Filesize
283KB

MD5
80528f9c36d4ce15e621ceee07e1627b

SHA1
1d1402e9c33bc6c52778106187219b5006efc17a

SHA256
769d7fe98580a1a88103be11ad1e3f22052d1eaac4ce77a9f10dffeefd1d63d7

SHA512
42f409522681afe4db8738181fff8d745d3df303be0e54cac616eea6dada54fb4cb2d0285f4d240e0ed0cbe364c9879294b379efb0f6f55b3ebc4aa1e1c50c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\LVHuwRZaRGpZzPP3R1gzRJKjynkaZr5Q92gD7PnuXP7z3JT7gMG1LuIcz5Cg0qKne4nt.exe
Filesize
482KB

MD5
f95636c2cc966afc90c3855ca200684b

SHA1
2e2261ad53e424d39320c9c0c3674396b27fa92b

SHA256
4148f40c2eaa839f8f7aa5602423207b406a7f126bb2591851ae666009b5a322

SHA512
db32f82ca81e83fd4ec473cff9e2ae7d93b80b29618f09b194a49c57297ae655124df018cb955e9a1ad135f8a678153b85c539e7fc5a6e781153a25264cb826f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\xqVFvZSviYZZfypdaNH2C0ty9FUCV5tdnES4MJNOKrF68hel3s2QW49CJinVviKDUtmT.cmd
Filesize
316KB

MD5
cd516cde3eea29576b16863f09695240

SHA1
ad8c47e5c11cc147e7ea2cecadb66acc1283022b

SHA256
7f940327f548dae1a0430e05c9d5b54866b3348f2fa5bfe155a873e79c8eb363

SHA512
b281ab8402510988d7769c657de2c20910794f686bc1686eca8893c6c874b454cf4216a186695db7a779c613d17beb6ff45aac55572e55599da108262fb3ecbc

Download Submit
C:\Users\Public\Videos\Sample Videos\VnEnN0KXFhoqEfP.bat
Filesize
363KB

MD5
f914e28c5aa02d9be65ddb18707fda19

SHA1
3eb1c64d2a265f9cec645d97a97daf76186aae04

SHA256
c254054c78ec8024d632686a5c6941cf8ce4acb71c1ca0a94154786d331fe696

SHA512
2743d41a2888010a8a5d07e93f027e72e9bdd9e22d0338f0e51aec1b3aefdc35f958fb3dc837741aa07b7b166d399a20fc69ea6df55817c504bb3a4ad8977644

Download Submit
\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\h06sHEZpCQg6Y53psh4r6EKZ.cmd
Filesize
283KB

MD5
80528f9c36d4ce15e621ceee07e1627b

SHA1
1d1402e9c33bc6c52778106187219b5006efc17a

SHA256
769d7fe98580a1a88103be11ad1e3f22052d1eaac4ce77a9f10dffeefd1d63d7

SHA512
42f409522681afe4db8738181fff8d745d3df303be0e54cac616eea6dada54fb4cb2d0285f4d240e0ed0cbe364c9879294b379efb0f6f55b3ebc4aa1e1c50c27

Download Submit
\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\h06sHEZpCQg6Y53psh4r6EKZ.cmd
Filesize
283KB

MD5
80528f9c36d4ce15e621ceee07e1627b

SHA1
1d1402e9c33bc6c52778106187219b5006efc17a

SHA256
769d7fe98580a1a88103be11ad1e3f22052d1eaac4ce77a9f10dffeefd1d63d7

SHA512
42f409522681afe4db8738181fff8d745d3df303be0e54cac616eea6dada54fb4cb2d0285f4d240e0ed0cbe364c9879294b379efb0f6f55b3ebc4aa1e1c50c27

Download Submit
\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\h06sHEZpCQg6Y53psh4r6EKZ.cmd
Filesize
283KB

MD5
80528f9c36d4ce15e621ceee07e1627b

SHA1
1d1402e9c33bc6c52778106187219b5006efc17a

SHA256
769d7fe98580a1a88103be11ad1e3f22052d1eaac4ce77a9f10dffeefd1d63d7

SHA512
42f409522681afe4db8738181fff8d745d3df303be0e54cac616eea6dada54fb4cb2d0285f4d240e0ed0cbe364c9879294b379efb0f6f55b3ebc4aa1e1c50c27

Download Submit
memory/364-73-0x0000000001030000-0x000000000105D000-memory.dmp

Filesize
180KB

Download
memory/560-76-0x0000000000000000-mapping.dmp

Download
memory/560-81-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/560-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1224-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1224-74-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1224-62-0x0000000000000000-mapping.dmp

Download
memory/1676-55-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1976-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1976-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads