7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca

Analysis

max time kernel
151s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Size

1.4MB
MD5

2566b387db10c44815241f0952889dc9
SHA1

39a3a96a2e533769fd7dc97135201874b4baa896
SHA256

7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca
SHA512

b46d61dcf0339b03c7f6d9bde580189af0e65e8cadcb23214650d36c9f944b209421e3ba04ea8215cc7ef8e863362eab1baa70bb66dc925288498cdedff60e6a
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\\packages\\D7lVxs5cYWw9WxEYVWv4WPoFX85hlx8fbwjuuRPSB9mqedBgB2FyKBLwti7Ho.exe\" O"	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DNTException\\vJCjgbgQygunH.exe\" O"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\FXymk9GKBYpTbSibyq2gfCiKFcKyP1zPY8BVp.exe\" O"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Adobe\\Acrobat\\9.0\\R7t86JnZovOe4Gi8FJBoR2z3O0ydT6PJSZRJRgz99x1H5v2Enqvp.exe\" O"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe

Executes dropped EXE 1 IoCs

Processes:

dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe

pid process

820 dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe

pid	process
820	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1872 gpscript.exe
1872 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1872	gpscript.exe
1872	gpscript.exe

Modifies data under HKEY_USERS 56 IoCs

Processes:

7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exedHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exegpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\UYv0VaBnSzxxiSEFNFnLiVPe0a0uUAjWF5bV7pUJ1zCjWWfqAzwhDOtX.exe\" O 2>NUL"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-20	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows Mail\\YoJwL1J6yKnmaJsj8PKrqq4KLp5hvNPCqFvvNtBR7L7urbkHRG5wfww7TNic.exe\" O 2>NUL"	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Ringtones\\wVxxgywP58oRNne6Gj5S500fQibsJMxDE1QbFAq3ZKlwhRHxoitdJTHnf1K1L.exe\" O 2>NUL"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Subresource Filter\\58ARDZS27VoTXrRUBnFaqEKQWjDQeD2DbXP5bbFD56W3u2t.exe\" O"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\JesAMYqocR1pFlldmqyhuWpB6EMqgYlZ4x8q4J4TfH8HcqdUwkhRYM8.exe\" O"	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WbxFjySsjEze9sMdZUJuZnWKoOiuzwNpN4lI8wWlgA3Y4dy5LIvu55s.exe\" O 2>NUL"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\2ror5yvg7VD9JK6WbHOLPySB9zQO9w5KFIe92Piy.exe\" O 2>NUL"	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Recorded TV\\OysIkID2I32K9voa0l9TCHyYejY1uiqM64e.exe\" O"	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\ubWsa3RJ07q37OoYPiTYOopmwzZ8sfjtU1pPItZztJWNgdtY1tE0fcJQ4gqZnRx0A.exe\" O"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000d0449fbcea00d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\obaKJ0QAHu5h14fQXTZbbpwPPZQShNwlKkZAlqx4QP4bZYDoP.exe\" O"	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Office 2010 Tools\\jlW8I5R0LrTf5bNmWSXafy1ARR9S5ohUZVlT.exe\" O"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\6Py4QWDNHnYWRBgj1Yow9h.exe\" O"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\.DEFAULT	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\eMwynZmwajoh3GfcCirLSJIYvphK5DR.exe\" O"	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\653FJzpT5mqTkQC.exe\" O"	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-19	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\I1VkGgj6Zq8mPoVhGsP0eBqxkZ2gw3lk5.exe\" O 2>NUL"	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\dozshqpt.default-release\\crashes\\events\\n2mfEY1sqSxIKsBUF3DSt2VGi95QfdUemCGG8qhMj09HpKxiWj6Oioc4UB.exe\" O 2>NUL"	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\hyphen-data\\wCxVHgQfByKH0ooXwkkKuL.exe\" O 2>NUL"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\ifCYM4ag7ryFEWCLrjY9Ug4uLN1zyBiPmzSmBsbzTN5QBWxUFX5CxsvUcn7kIwi31s50.exe\" O 2>NUL"	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe

Modifies registry class 12 IoCs

Processes:

7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\o3JIdWGblIM9z4hnYQh.exe\" O 2>NUL"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\dozshqpt.default-release\\RxWIgqoj4EANPinUstYlALSgUKx0le2GLWDltIbwMUzSqoCF.exe\" O"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\SOFTWARE\Microsoft\Command Processor	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exeAUDIODG.EXEdHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe

description	pid	process
Token: SeBackupPrivilege	1324	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Token: SeRestorePrivilege	1324	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Token: SeShutdownPrivilege	1324	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Token: 33	888	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	888	AUDIODG.EXE
Token: 33	888	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	888	AUDIODG.EXE
Token: SeDebugPrivilege	820	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Token: SeRestorePrivilege	820	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1872 wrote to memory of 820	1872	gpscript.exe	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
PID 1872 wrote to memory of 820	1872	gpscript.exe	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
PID 1872 wrote to memory of 820	1872	gpscript.exe	dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe

C:\Users\Admin\AppData\Local\Temp\7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
"C:\Users\Admin\AppData\Local\Temp\7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1504

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4dc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:844

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
"C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:820

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\DRM\Server\zgz3Xz8eysUjYJQTq0wKbmog.exe
Filesize
2.6MB

MD5
6fb2436eeb755b07143197004c17afab

SHA1
6d1be773b304721bc5a2ee7de4e9ddef90de5c96

SHA256
75dd83c5800f8a4930fb536dc668e46eb3a3348b5d85962d1af3f5a8a8a6a181

SHA512
f5d6ecbfec925649ae779cb8392b884e89dcc376a70a2419d37b2baa099fdf8d8a981308b0adbf32d53d934a6d8556eafe1941377ca0c19feff826a387b3e8c1

Download Submit
C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\UYv0VaBnSzxxiSEFNFnLiVPe0a0uUAjWF5bV7pUJ1zCjWWfqAzwhDOtX.exe
Filesize
1.9MB

MD5
5d4e28db2aa0c1e899faf80aca8bfa41

SHA1
d7d9fe32598079b51720f2d10028ef2ab15747e6

SHA256
9f6bc4f95ba70e8441703876578dac52391b2f81d9ee58ccb3766dafe99db067

SHA512
a161aa2c0137aea37c72d1c95a505b89c092df8a312f932e00cab6f345f1ef56ede8702af80114ce4b3a95603c81f6059f4a6347350f11d109d9a18f9eb72a79

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\FXymk9GKBYpTbSibyq2gfCiKFcKyP1zPY8BVp.exe
Filesize
2.4MB

MD5
96a62159c958e727cc4426eac34a6ab6

SHA1
bead9b89118353458a6816312134bc3ef5d037df

SHA256
19bc58a37940ede2698cfc7347c3142522886773df0d7a8c398ba559ef892d45

SHA512
06979c78e67253caa465020da6dd0760c3ced3ed26dde1c6d894409c54e28941d11affc81a622c071b34f4fcc7c12e24b9ebe933a43eb40b651c99fe862b932c

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Filesize
2.6MB

MD5
49f0ea51f10e88866ad0a27b1dafcc1e

SHA1
efee8a02963e62fd43b973933b88d5c56d920de5

SHA256
6c170ae404921b7419b1fd42f0b73b054a935b73596cfd6c0eaa42214e1ef25e

SHA512
a3ab2e1df2832bce3b0fffefca6152819f9d583fa6531b516a5297ce8362603bb7f9d61874d3bd20fa9eab140a49e131044c14b295905d02dccfb6ac30322942

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Filesize
2.6MB

MD5
49f0ea51f10e88866ad0a27b1dafcc1e

SHA1
efee8a02963e62fd43b973933b88d5c56d920de5

SHA256
6c170ae404921b7419b1fd42f0b73b054a935b73596cfd6c0eaa42214e1ef25e

SHA512
a3ab2e1df2832bce3b0fffefca6152819f9d583fa6531b516a5297ce8362603bb7f9d61874d3bd20fa9eab140a49e131044c14b295905d02dccfb6ac30322942

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\58ARDZS27VoTXrRUBnFaqEKQWjDQeD2DbXP5bbFD56W3u2t.exe
Filesize
1.5MB

MD5
f4b1e9a61bc1a1ef3540abda415f3e55

SHA1
b86baa5f9d4c08aacb37e2c0eadd7fea7d80ad90

SHA256
ce4aa3d00aaf2382043397074ed089c8ea94a7ba5b53c0f46ec82a43fe1589cf

SHA512
358b1fdb4440ba41510d6b253242ed41d0091005ab1df74954082d11edf8bbaf351bb3b9302cb164808c6558ef2e3f5071f4e4fbb1b32c75ee23af46d20bcba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\hyphen-data\wCxVHgQfByKH0ooXwkkKuL.exe
Filesize
1.7MB

MD5
9507b415c1baa7ff8883d61f91908897

SHA1
b48741456cda3ddf62a1f2ace391e81434b6f1c1

SHA256
f4e199ede00b94b11adb87f7debf491379313b50e3efc91d1da4884ff492888d

SHA512
a87e8a093a27500febdd083c001bc397a620a3d56431e8d7518284a282cfba850c631a7060ed2deb67c078230f68fefc95c392565b52b4da3184c82a8b40e5f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\wVxxgywP58oRNne6Gj5S500fQibsJMxDE1QbFAq3ZKlwhRHxoitdJTHnf1K1L.exe
Filesize
2.1MB

MD5
147fe4a264dda51314333cbc2e41aa86

SHA1
987817ad0726fd2b2d88f0c1fc74f830ac881655

SHA256
51e7b52d2ae4241c099f0735f6baadef85d23b836d9d809c111dc81dc672b151

SHA512
7ef227deb8b7dfac1e20199398cca1c5c38c1fc41f5e8ce3366116c7442be3356a605c5d2c3c39db7b331b7ff4a9037d2cd81e35ab2eb22814649996af01d68e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Py4QWDNHnYWRBgj1Yow9h.exe
Filesize
1.7MB

MD5
8f43e0d349054a2762f86bcc774e8ad6

SHA1
4d381806e989e1fdc4744f1ec7579811b28d3e38

SHA256
b948d691c7d38cf0b062c97cbc89d7588efbe8246036c39228820d0110abbd8b

SHA512
5e047a02fafc0cf11fe73c46ba79f5eccca4f4dd5bdf73af6d72ffae11ae670f1e18b772779a5582cb8d28ba3ced9e433215ac9fb00753a5dc79fc549f01773d

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\ubWsa3RJ07q37OoYPiTYOopmwzZ8sfjtU1pPItZztJWNgdtY1tE0fcJQ4gqZnRx0A.exe
Filesize
1.4MB

MD5
d48dc91cbdf9b80de39e9c355d02f9f5

SHA1
0f7138c653e751f352bab4b34b7c85bd9b5be066

SHA256
79266ff34b97233c27fc77615225fbf1ad39c488d726571da748b53da4960c30

SHA512
d3521fffbcc241a95e9e587382dc2343cfc27ab7a7ba280afeec3096d0fdc4a595be8590b0e69717734062a4ab04aab165ede5d13091f19ad11b2b7941cd8b50

Download Submit
\Users\Admin\AppData\Local\Adobe\Color\Profiles\dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Filesize
2.6MB

MD5
49f0ea51f10e88866ad0a27b1dafcc1e

SHA1
efee8a02963e62fd43b973933b88d5c56d920de5

SHA256
6c170ae404921b7419b1fd42f0b73b054a935b73596cfd6c0eaa42214e1ef25e

SHA512
a3ab2e1df2832bce3b0fffefca6152819f9d583fa6531b516a5297ce8362603bb7f9d61874d3bd20fa9eab140a49e131044c14b295905d02dccfb6ac30322942

Download Submit
\Users\Admin\AppData\Local\Adobe\Color\Profiles\dHn2lJXR9zE7oMoYTbYNIokD2WEMDKUQkGkXL5LCXlp7FsGwFV4t9q.exe
Filesize
2.6MB

MD5
49f0ea51f10e88866ad0a27b1dafcc1e

SHA1
efee8a02963e62fd43b973933b88d5c56d920de5

SHA256
6c170ae404921b7419b1fd42f0b73b054a935b73596cfd6c0eaa42214e1ef25e

SHA512
a3ab2e1df2832bce3b0fffefca6152819f9d583fa6531b516a5297ce8362603bb7f9d61874d3bd20fa9eab140a49e131044c14b295905d02dccfb6ac30322942

Download Submit
memory/820-79-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/820-63-0x0000000000000000-mapping.dmp

Download
memory/820-69-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1324-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1324-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1324-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1504-57-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download
memory/1872-67-0x0000000000EA0000-0x0000000000ECD000-memory.dmp

Filesize
180KB

Download
memory/1872-77-0x0000000000EA0000-0x0000000000ECD000-memory.dmp

Filesize
180KB

Download
memory/1872-78-0x0000000000EA0000-0x0000000000ECD000-memory.dmp

Filesize
180KB

Download
memory/1872-68-0x0000000000EA0000-0x0000000000ECD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads