bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Size

513KB
MD5

31681db687988505003bec3f1455e0d9
SHA1

0e6f1e93b18bd1a1e2391b80e44f4548671c23a9
SHA256

bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f
SHA512

bc5e65f1a5542d211a35f60fabdacf46d92dd1b7de27427d3ae8995d3aa86de29c550840965c0f5dc81b358a83adc3cb6105675e2667fefce26e8181f6ddce31
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exeEf0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\fqt7oYRIQRRMdioWhyojF4cVngO7iooybeNjb8gJFfLcJjlFjRk9PHbMdNO2EOzp4gWH1yw.exe\" O"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Media Center Programs\\l2HkoM3NAnAfW53nV988ylStfJ78fID6W3mer6eBKB0lun8H5gtE4WZ.exe\" O"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\eHome\\kYesBnXtdYkpQGA.exe\" O"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Crypto\\uoNpjFjIpNBLiHMBwYjpo5EN1vuCkJujtwHfDCCttURctWKqmmkFY5U83h.exe\" O"	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd

Executes dropped EXE 1 IoCs

Processes:

Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd

pid process

616 Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd

pid	process
616	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1132 gpscript.exe
1132 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1132	gpscript.exe
1132	gpscript.exe

Modifies data under HKEY_USERS 59 IoCs

Processes:

bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exeEf0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmdgpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft Help\\OK8Ka8BD3boKPvJpz8284s8Q7Lu5K5Bnzbb7Cxj7tFgJtXxXqAXw.exe\" O 2>NUL"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Vault\\AnKKKKpdUaeK5pHwv8DpHeZH7QkEGElpfVeSbcfUaXOq9gWDjWlBq.exe\" O 2>NUL"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\RAC\\Temp\\oBqChgOqq5hIECNyrjTeqzpSP008ERrRadI9EjhMUL6nN5luyRRpCxeTZX.exe\" O 2>NUL"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-20	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Public\\Pictures\\1U5lRr97yo02KcPlAtj2YIsI5RGF6Q9eezkoccmh8O3l9RrU.exe\" O 2>NUL"	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-19	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\xkBySucDLfUwy6HTCZ5rQIv8qskII2XHaXelfCLhpOKmmKZvo0bbE.exe\" O"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Unp4FPN9ehbqn933lDcQ3pWmeRVOKeoLMMOdghz99LRJ7sXERYHqcVBdivcGatasuaFhfs.exe\" O"	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\fjvnfg6v.Admin\\T0jnabsNN6V03LEvvECAd7TzXmfDHySDAAzU6C8uqUYPA7WKlpgDNLx1t.exe\" O"	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\GIS3pufEGF4uo8FPZ9aLRBRijDmxYmnY1KF4fT7YjtizOQCJqRGB8O32pYUIOI9.exe\" O"	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\vgDc9jVNjeOL73Y.exe\" O"	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\\packages\\5wqV2Ip6yE0Snx5rxhnUiRm49lw0yhSSm3TICdpt8WLNH8.exe\" O 2>NUL"	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\fr-FR\\ZkdwIMtwcpUQHlFtZJcuOO0C8yTpMQ2wEX.exe\" O"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iwv3qbnj.default-release\\storage\\permanent\\chrome\\idb\\3561288849sdhlie.files\\6Nl5RS0YWgT5gj7YOWNiceAZtnR6oVNNPX5Spvahebno0YQSrtjBISK0t0w.exe\" O 2>NUL"	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\fwhlzMaYk9TkprshlDPlChsY01gNx.exe\" O 2>NUL"	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Sqm\\Sessions\\SYTmpVGhdKB4.exe\" O 2>NUL"	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\OL7sj7xyQKTv1THDKTWSGvkmCa9Xaq.exe\" O"	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\Indexer\\CiFiles\\qXO6oL639MQtejej8VBCxgNbjou2vzf9TB2V79ytava6ur94y0GEZD8Ujv.exe\" O"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 01000000000000009071d4b2eb00d901	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\16\\xxX6sOeOQmR6kbaA4p.exe\" O 2>NUL"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\.DEFAULT	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\13\\AcLWkADvKioGQq1oT.exe\" O"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000b0663aa1eb00d901	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd

Modifies registry class 12 IoCs

Processes:

bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\80QHmlY4YcGjxRs655Mg4CUBbvPQhDCM75kOxaae5jAlWHhBcwjEz9dq.exe\" O 2>NUL"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Code Cache\\js\\index-dir\\8GQagI5N6MqNcOlXnpxdsyeaIQ5b6RR1t5j.exe\" O"	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Command Processor	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exeAUDIODG.EXEEf0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd

description	pid	process
Token: SeBackupPrivilege	1980	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Token: SeRestorePrivilege	1980	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Token: SeShutdownPrivilege	1980	bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
Token: 33	1428	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1428	AUDIODG.EXE
Token: 33	1428	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1428	AUDIODG.EXE
Token: SeDebugPrivilege	616	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Token: SeRestorePrivilege	616	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1132 wrote to memory of 616	1132	gpscript.exe	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
PID 1132 wrote to memory of 616	1132	gpscript.exe	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
PID 1132 wrote to memory of 616	1132	gpscript.exe	Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd

C:\Users\Admin\AppData\Local\Temp\bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe
"C:\Users\Admin\AppData\Local\Temp\bc50af8f23c741b3345302b198d51e292b3f6b8d87a0d4e195eca072c0c1860f.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:952

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x57c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:324

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1132

C:\ProgramData\Microsoft\Windows Defender\Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
"C:\ProgramData\Microsoft\Windows Defender\Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:616

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\ZkdwIMtwcpUQHlFtZJcuOO0C8yTpMQ2wEX.exe
Filesize
686KB

MD5
144e3e92dab3b003cc7d08a989b349b7

SHA1
f0f128e14e566aac00975b740aa78420f0737177

SHA256
05f78104baf469c02c2ab5a5ac61d2c31ca23a53a072bb37790ff9157b7ea5de

SHA512
43a6ba062a280f669f729bc68e5f5c4d0f9c5541f1250be3d1b19f4b44efabfac54cb8dfa234b60de110d592796be385c5e6508e38494fa9643f2922988cf472

Download Submit
C:\ProgramData\Microsoft\RAC\Temp\oBqChgOqq5hIECNyrjTeqzpSP008ERrRadI9EjhMUL6nN5luyRRpCxeTZX.exe
Filesize
715KB

MD5
85be7b179fcf426105daef708c96f788

SHA1
9edb6fae4330c2ca453a449c3bd488e4a03fe4da

SHA256
88cdb83dc9004c0690faab6b6071efe8bea69b2ed542c1d99f85227cf13426eb

SHA512
e829e8d9dbb31a724c0de2b0feda2b3d9106a74b01fa38dcdeb2f224fbe4f41daee48c7bd6308fe318fe1a8b42736168414ac856219c1de1ad13f864f8556190

Download Submit
C:\ProgramData\Microsoft\Vault\AnKKKKpdUaeK5pHwv8DpHeZH7QkEGElpfVeSbcfUaXOq9gWDjWlBq.exe
Filesize
793KB

MD5
d6942087bb49bd85f13a6b3f4d84a5b7

SHA1
00ec2ca5d7876c3970b0ebbf58a71d052c9bed97

SHA256
2c39c18522bf9471d2e3961b9d0306e0b1d595cee3ee2b45d24456e50726c320

SHA512
6f2fa624df3bc4cfd680cc189d27deca64a3a5ef423aa7388b0d69a78b077d3e425a15fd8b8d91af0035c213269870f3668e6b0674ff3b18b0cd8a0a9c8c5ddb

Download Submit
C:\ProgramData\Microsoft\Windows Defender\Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Filesize
895KB

MD5
f5da9a9bd5099725459c45afe175ed01

SHA1
f751d21d1605a150035ef575f0336ec6f5bd427a

SHA256
dc1f44015ef0534aa8deb739313f0593c14d2a210b05fd3f86ac6d442cd67297

SHA512
a67097c3e0e3e8ba80efb65bd3a64913be6e8ba78d3546e0397492a298406834212edb330d3cae0b039f9ad84f702682bc780ae1a879be8869621628b8f77e5f

Download Submit
C:\ProgramData\Microsoft\Windows Defender\Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Filesize
895KB

MD5
f5da9a9bd5099725459c45afe175ed01

SHA1
f751d21d1605a150035ef575f0336ec6f5bd427a

SHA256
dc1f44015ef0534aa8deb739313f0593c14d2a210b05fd3f86ac6d442cd67297

SHA512
a67097c3e0e3e8ba80efb65bd3a64913be6e8ba78d3546e0397492a298406834212edb330d3cae0b039f9ad84f702682bc780ae1a879be8869621628b8f77e5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\AcLWkADvKioGQq1oT.exe
Filesize
968KB

MD5
e144e9a95a387ab3c262ddbefd7b2014

SHA1
9a7d7eceee57fcc2e2243cdc8225543b2919fb19

SHA256
a415d79741c7549b6c8401eda9a03c1fc97e308325226140c62e3ffd84ff6a69

SHA512
5904fb6640c83cc18c613b89ec1670b2f916cd54f03974c6af5a03638a548a2a5cee1bf21928a68be996271cfe69ff354b4a9332a84954dc0561e36f413f2a63

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\2x6eIIDmJKhndRlS3IFLTdjl0JZe07X7.exe
Filesize
525KB

MD5
644945a44bf4f324ad7cad8ad9f8addc

SHA1
cfac822b7ed613cba249dbc4a56cfdbd85ab2279

SHA256
6daf1ab3390475cfc91c1a58d023e218e0f438d4a2d6875cab6cb5914c565c60

SHA512
d157e606e716a233c179d1a8dfdcc5927da5d32b1a11a6a120fdd76e1e8c64ebbc609c7f00296bcb9d7fee7b25c9425d8ffe2c006ced5f64bc7fc76f1c483061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft Help\OK8Ka8BD3boKPvJpz8284s8Q7Lu5K5Bnzbb7Cxj7tFgJtXxXqAXw.exe
Filesize
555KB

MD5
a17e2e0cb611976bd8cee8538b40722f

SHA1
472794102543cd80caf5b8af822d141380f6be00

SHA256
1fc9d5434c1001f0852857a31e3742c29bb47b1ae20020b271378bab84db64cd

SHA512
d3cdd9aa0eef437d7a8b56cb466ecc6fb6ce39a433003078005e9e71af4d55b116df9c3ebc9419e6aa80f23fba5d03167322a0478b990f1c78a46310f6aeea17

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\xkBySucDLfUwy6HTCZ5rQIv8qskII2XHaXelfCLhpOKmmKZvo0bbE.exe
Filesize
715KB

MD5
ab90c7f8b867b6252e720e5476f38ff5

SHA1
fcd8b63d056b962078f6a037c344a7f4fcef00da

SHA256
99b1d7200891097b94d7e3cefc4296b63187e603905017eed053c16ed57724c5

SHA512
0eec896b3f8bcc49e29828765dac76890c4651f90affe062590373af9a0cc43fe6d45edd052686586f54532758fcf9aa4ba71d571540a671f24c98a27660d383

Download Submit
C:\Users\Admin\AppData\Roaming\Media Center Programs\l2HkoM3NAnAfW53nV988ylStfJ78fID6W3mer6eBKB0lun8H5gtE4WZ.exe
Filesize
866KB

MD5
9eab3550f7e448f8ff9fca456b84eca1

SHA1
b2e2d8cc864be1e0a2ff3cb86ce99a357b82772e

SHA256
e8c7c927f82efc49c7c2e374f5471d8133d96e030e5eeb35844aded5d44cca84

SHA512
ddda2bd1f9c336729b8a65ebd1b23f42badecda0797cd69b67f8a98ea9116b0e0e26c709c6deabd32dcf3af85eb881b8820dd444066e3942068f748f918820be

Download Submit
\ProgramData\Microsoft\Windows Defender\Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Filesize
895KB

MD5
f5da9a9bd5099725459c45afe175ed01

SHA1
f751d21d1605a150035ef575f0336ec6f5bd427a

SHA256
dc1f44015ef0534aa8deb739313f0593c14d2a210b05fd3f86ac6d442cd67297

SHA512
a67097c3e0e3e8ba80efb65bd3a64913be6e8ba78d3546e0397492a298406834212edb330d3cae0b039f9ad84f702682bc780ae1a879be8869621628b8f77e5f

Download Submit
\ProgramData\Microsoft\Windows Defender\Ef0QZussqT1By24PZXR6QaqXYKTZNAT8R3hFIyqVHkRK21iBbWT.cmd
Filesize
895KB

MD5
f5da9a9bd5099725459c45afe175ed01

SHA1
f751d21d1605a150035ef575f0336ec6f5bd427a

SHA256
dc1f44015ef0534aa8deb739313f0593c14d2a210b05fd3f86ac6d442cd67297

SHA512
a67097c3e0e3e8ba80efb65bd3a64913be6e8ba78d3546e0397492a298406834212edb330d3cae0b039f9ad84f702682bc780ae1a879be8869621628b8f77e5f

Download Submit
memory/616-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/616-62-0x0000000000000000-mapping.dmp

Download
memory/616-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/952-55-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

Filesize
8KB

Download
memory/1132-65-0x00000000010E0000-0x000000000110D000-memory.dmp

Filesize
180KB

Download
memory/1132-64-0x00000000010E0000-0x000000000110D000-memory.dmp

Filesize
180KB

Download
memory/1132-76-0x00000000010E0000-0x000000000110D000-memory.dmp

Filesize
180KB

Download
memory/1132-77-0x00000000010E0000-0x000000000110D000-memory.dmp

Filesize
180KB

Download
memory/1980-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1980-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads