9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438

Analysis

max time kernel
178s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Size

600KB
MD5

ca563e2e6a35f7bb7b309c9320cf5a53
SHA1

253e393db83e34ecea7143600846f74740dd3d6d
SHA256

9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438
SHA512

4347c100530e97e524678abc5779f793c0d9bdc16e898d790711dfa461f4d6ac0f76fd1abda86c02552ccd01fd2f14fc9bd467d795a125aabe5fa5de6982ba91
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataStore\\pxALM4Xo9PTDsA72EKBbOwaqsG0meSdAK5ulAwfscQfkHoRBHiDtvymHtsBp6iRBFFsJxOY.exe\" O"	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\RAC\\Outbound\\JdUGg5djjvYf7O2akDYJnmsga57W4MIa1Po7nFrhXK4exeip6.exe\" O"	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ae6vytmk.default-release\\1Tp8Hz7jif3HU.exe\" O"	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Crypto\\RSA\\uWicB5n8VFCl4WjbY.exe\" O"	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe

Executes dropped EXE 1 IoCs

Processes:

vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd

pid process

1812 vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd

pid	process
1812	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1268 gpscript.exe
1268 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1268	gpscript.exe
1268	gpscript.exe

Modifies data under HKEY_USERS 56 IoCs

Processes:

9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exevqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmdgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-19	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\g8xeSzUbZm5oexU8P6NJD05GD1xXW8JJrca1irhnYqsna3r41INSFmhJnPu8Vqahgr7z7D.exe\" O 2>NUL"	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\H9zzXSXoNfexPDSlGNigORgJ42pCfi6.exe\" O 2>NUL"	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\Indexer\\6fflt0fRG9UlZgHAafTBR4arSkeUMDPEispxlf9iFjtvKcY4JrUGbrGaE9iWC.exe\" O"	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Device\\jb1NbJOFaR8xfo7ivvP85LR4SUgWzLV0.exe\" O"	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\2WZE2OQ2\\71nsuAa1kc2p6rxmSoQ.exe\" O"	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\uXwrY2QEJfTmVGFYzkhTig.exe\" O"	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\it-IT\\tNLIcbntAyOYUzMEhnErWTf5OxgXIOgJPUponZx7.exe\" O 2>NUL"	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\5vDqMjoT4FVUV4vJn9hrkXxRQFO5EgXzkc9ytjSdRQXJGryRmVzzr.exe\" O"	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\22\\SmsiFYZfqllaxZybl3rEIUlQuRL1czN9daDNLXgiF8MFDDpZpMkw.exe\" O 2>NUL"	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\qkLv0WAPO2oKQVDlhUZPRSu5n8Lwn5hIHuNTeQ0OuVglQ1xOcEOFe145F6JY5VJYi.exe\" O 2>NUL"	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000d06b5d71ec00d901	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\RAC\\Temp\\S9zupRd3uuN3sdp5Oei4UfoZyPj.exe\" O"	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Key created	\REGISTRY\USER\.DEFAULT	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-20	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\NmjsWn3tit6abE3xmHfhI0QDVkvYul3YGW0yMvkJkC5TkAriwoL3TOzu9.exe\" O"	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ae6vytmk.default-release\\storage\\Bl6h8Gxn6Khj5Hf1IDDezhQvCyAmY5jrtWp.exe\" O 2>NUL"	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\1T2mfazgLVaIvlaEDIJjbR5tSfbhItS0YorJaswhhO6pcxOF5xsiEpC9.exe\" O 2>NUL"	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\it-IT\\5u1lNY5mcOSl9InMU5Qxiv5GVk8hbsYdG8A9EHUDPNV34mNFQvtJ0P6o.exe\" O"	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\28\\a6HQuupgWmF.exe\" O 2>NUL"	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ae6vytmk.default-release\\storage\\permanent\\chrome\\idb\\3561288849sdhlie.files\\UViKabQGJlWHhRaUeGx25FBiyZ07Kz.exe\" O"	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\kTcO919eRR3Iqg7ikZ2sLRV0ofyrOb7.exe\" O 2>NUL"	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd

Modifies registry class 12 IoCs

Processes:

9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\de-DE\\2msB1BV5pGZj2hohjIyGXlZUzyqMAn3Xiw240iNdpZXtiNISbLQrDqqf.exe\" O"	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Command Processor	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\User Account Pictures\\jQrsgkaCPguFBewmOT6yFGpijes.exe\" O 2>NUL"	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exeAUDIODG.EXEvqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd

description	pid	process
Token: SeBackupPrivilege	1996	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Token: SeRestorePrivilege	1996	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Token: SeShutdownPrivilege	1996	9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
Token: 33	1260	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1260	AUDIODG.EXE
Token: 33	1260	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1260	AUDIODG.EXE
Token: SeDebugPrivilege	1812	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Token: SeRestorePrivilege	1812	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1268 wrote to memory of 1812	1268	gpscript.exe	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
PID 1268 wrote to memory of 1812	1268	gpscript.exe	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
PID 1268 wrote to memory of 1812	1268	gpscript.exe	vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd

C:\Users\Admin\AppData\Local\Temp\9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe
"C:\Users\Admin\AppData\Local\Temp\9f24db6c13f60a52c639eafa21a00529c7bb48470412bfac5f30eb63938b2438.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1296

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1204

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1812

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\y6XAgN11Y20NeCfdWfJRRzGFbI4iSe9pG1E1uh0RNl1V3YzGRT1Oj5C.exe
Filesize
704KB

MD5
bc39027f3fb9f6bda387b7c13acf96e3

SHA1
4f0b8fd7c33e4606d469cc4866cabcb150d90ee9

SHA256
9b531155fb3a02cfbf50bd738a70f5eb4a964c5bd0c8cad844f71df1146057fb

SHA512
3b5fa4066e2895273d2e7684241993cc268ac96e7949e9073fd4493b386703d8ee13e29d5b953038e90ccab35490d7e3e5256b4dc8803c0ce58e90de60c00a5d

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\jb1NbJOFaR8xfo7ivvP85LR4SUgWzLV0.exe
Filesize
1.2MB

MD5
68dd7d68ceb25b4ec1123ca84a1a7519

SHA1
801c8c6026bd6a60ebf05d556eb6711405d6f9af

SHA256
e56ddcf018d1d630f21ba450783e3d8148b4bd124cefc5682f064899446e89e1

SHA512
494a316768dbeb0c883a08cad97f17557363510076606e2417260dd0c0d0e50a9d44df6125c3a58b9262d6ecdb25f8f5e0e961021297912761824b48f7560a13

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\it-IT\tNLIcbntAyOYUzMEhnErWTf5OxgXIOgJPUponZx7.exe
Filesize
635KB

MD5
455e75e140edb5b9d4999cb04e7316c5

SHA1
b0041a20f4e1a1fabc9ce424960e8af203492273

SHA256
f333858659e9ad5551679590918e2ea15e10c9d18dec7f00911cfa0fe331c12e

SHA512
c722d8a912bdd445c1c63fca36001c74c77f604dd9071cb6a9ad84c37ffcfaa9ca9fdfa1d12462c2306c9c08a66f71a0d4c5990ee05b912bde06d02e1183f1f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\SmsiFYZfqllaxZybl3rEIUlQuRL1czN9daDNLXgiF8MFDDpZpMkw.exe
Filesize
697KB

MD5
32c953da51a8c5e434cb71a52875ff20

SHA1
07fd6d198ead9efe1f2d70346c22a031d5a5265c

SHA256
d2c984412f738ee0024933b3622b835480a9ade74127e8ac317fd19b1e5ca5b0

SHA512
57d20c3ba83b1d8908609ab385fe5b7af3c2d72642e6836b5fc4a27bd37318847d9fdec9f7ac069a0274a8999ead114b1204c5e75516c68abcb05ca0f5b5141d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Filesize
1.1MB

MD5
473078da03b9c47662a430e1b8ba992c

SHA1
7a1bc42798c82c44c72b991338d53b409d873b29

SHA256
de86aa3ec4cbfa3839bbd48ffa67fbbbfdedb44e1c494c6f69bfac1a68dc71b9

SHA512
b9fec4724a29f9517e973434a07181675acaef0eaaefbf156a11da5f42f3104e4248964aa1a2162b96256f242a4480217caf3ccbc2771b44e485493935e173ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Filesize
1.1MB

MD5
473078da03b9c47662a430e1b8ba992c

SHA1
7a1bc42798c82c44c72b991338d53b409d873b29

SHA256
de86aa3ec4cbfa3839bbd48ffa67fbbbfdedb44e1c494c6f69bfac1a68dc71b9

SHA512
b9fec4724a29f9517e973434a07181675acaef0eaaefbf156a11da5f42f3104e4248964aa1a2162b96256f242a4480217caf3ccbc2771b44e485493935e173ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2WZE2OQ2\71nsuAa1kc2p6rxmSoQ.exe
Filesize
1.1MB

MD5
2e43ff847726ba6919774ef314cbf406

SHA1
57f9533169debddf47ba84bb29b95a042d3636de

SHA256
53d5ada99614b612245fa21fe17e5ed59bfcdcd314ea6bf0051c25fc88a0f008

SHA512
d5335877f5e621ad28efdf8c68a57d078cb61f102c03cf1d282f93bbf59277f9dc267a1b570c5b921760e5abde07908fe8de6ab3598711da4553cb89cc249650

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\1Tp8Hz7jif3HU.exe
Filesize
777KB

MD5
66da50cca81a860256c1841f52adfd9d

SHA1
02a6e81abc42eb505b0866b556785d74886a37fc

SHA256
deb887de09448794b1ca6e6dcd3c86a3a4629072b15b254126eeca1258f8f35c

SHA512
8b9f1e5fe29238b4cfc1afc411474c8e5104471d32a589041e6bb49e3a73d02d72e99aae06969d47981419faa4a7bb63de2c8e9a2b25cfec26c3a823af2d405d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\storage\Bl6h8Gxn6Khj5Hf1IDDezhQvCyAmY5jrtWp.exe
Filesize
1.1MB

MD5
4018b850e61b3a09728e1f95343a0e75

SHA1
418918ba3f2b9431c92b60a2150f18239511fba5

SHA256
62a89684e445917af7f17b824bb3c9abde51201fb2f03b696606c0bb619e0900

SHA512
582a3b82c75bc5eb47b64825decd778bb39433e12fc1983e0a905ba544da1c97b96234250a0cf48ea042ce4c60384162006a9639141f09ec10794d818092f4c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\UViKabQGJlWHhRaUeGx25FBiyZ07Kz.exe
Filesize
1019KB

MD5
7a6c97f8414aa744851abf4aea9eb881

SHA1
384eb98990a935161cdc89954d10b4238fa1b3b7

SHA256
6b1e24ab35fdfbd5b35e65b8f6b014a3f2b7708de3248a1bf67453d825fd92e7

SHA512
8322ed5c7de429ce7fe52fd216a4910dbc645a51c6909784f5d34b2edeeb84bc146a55a80ce65923a1d0c62af851e68cddf1b77b5d989cc6bcdfd50d11ee834a

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Filesize
1.1MB

MD5
473078da03b9c47662a430e1b8ba992c

SHA1
7a1bc42798c82c44c72b991338d53b409d873b29

SHA256
de86aa3ec4cbfa3839bbd48ffa67fbbbfdedb44e1c494c6f69bfac1a68dc71b9

SHA512
b9fec4724a29f9517e973434a07181675acaef0eaaefbf156a11da5f42f3104e4248964aa1a2162b96256f242a4480217caf3ccbc2771b44e485493935e173ba

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\vqs5vAACh0TbgiFJv8A8QGA1gEzvTHEx22fWfwGPwS.cmd
Filesize
1.1MB

MD5
473078da03b9c47662a430e1b8ba992c

SHA1
7a1bc42798c82c44c72b991338d53b409d873b29

SHA256
de86aa3ec4cbfa3839bbd48ffa67fbbbfdedb44e1c494c6f69bfac1a68dc71b9

SHA512
b9fec4724a29f9517e973434a07181675acaef0eaaefbf156a11da5f42f3104e4248964aa1a2162b96256f242a4480217caf3ccbc2771b44e485493935e173ba

Download Submit
memory/1268-65-0x0000000000EA0000-0x0000000000ECD000-memory.dmp

Filesize
180KB

Download
memory/1268-66-0x0000000000EA0000-0x0000000000ECD000-memory.dmp

Filesize
180KB

Download
memory/1268-77-0x0000000000EA0000-0x0000000000ECD000-memory.dmp

Filesize
180KB

Download
memory/1268-78-0x0000000000EA0000-0x0000000000ECD000-memory.dmp

Filesize
180KB

Download
memory/1296-56-0x000007FEFB5F1000-0x000007FEFB5F3000-memory.dmp

Filesize
8KB

Download
memory/1812-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1812-63-0x0000000000000000-mapping.dmp

Download
memory/1812-79-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1996-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1996-57-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1996-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads