d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d

Analysis

max time kernel
160s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Size

619KB
MD5

1f61487ea788c82aaaf84f58459275e3
SHA1

651f788ada298e9d87bcd044325465af0f6ccc0e
SHA256

d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d
SHA512

848b0c99fe14e7968c8b7724d31412c1303690b69bb93b8036cf72ebfd9b65ef9b19ee7f61640295fd8b4b77dedda81f67c57c0b032d501e2eb220901428ecbf
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Recorded TV\\QkuhXwSlohQvNatNcT.exe\" O"	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\DeqCRrPY7Tjicsff7iU0EGjBBBs.exe\" O"	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\rWCMffiNBkTnYKurHaFbThrMa22O5qaDbRpsktpz7kKitKXuhq9fkPUOO.exe\" O"	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\DRM\\tAiPuVYZ.exe\" O"	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe

Executes dropped EXE 1 IoCs

Processes:

11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd

pid process

1936 11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd

pid	process
1936	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1732 gpscript.exe
1732 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1732	gpscript.exe
1732	gpscript.exe

Modifies data under HKEY_USERS 58 IoCs

Processes:

11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmdd46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exegpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\sXRZRqmxcWM7APIRcenGaVRRs8wiJ5DaTKN2.exe\" O"	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\RhtUJ9WJJ1ln9TtvpuL.exe\" O"	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Code Cache\\wasm\\n6sCljOs7BDFhxloMeUK9KtjesBds9hYLysQTvffLUNFwjfIFRCrtf93ZSLKJmXnKssmZxE.exe\" O"	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{9B0948E8-2CE5-431A-AAAB-90C1B2B12791}\\Er9SrbAsOkrUJ.exe\" O 2>NUL"	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Vault\\AR2iqsiE1ZHBLAnYGQ7jgQdKwE6Zy4nWRIJYJSeOwU4L5D.exe\" O"	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-20	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\RqCUc1tul3cFnMAaAoI99A0ZNEwZxFBz.exe\" O 2>NUL"	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft Help\\Ud9bL4L2rT67fCt9Yn72hC1cKlxZZJPMXWIC7UYWTV10GSSElpfgptDqWjcHNWqMHhM8.exe\" O"	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-19	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Code Cache\\wasm\\index-dir\\poMCsTDu08CPJrJ25tmDk9DixAtF0z2ZKnMF7gftVVqNuyoAcrYlS7jjYWkUIOzvvOQert.exe\" O 2>NUL"	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Local\\eFx3808MAIxNaHzg48as9RwdsDX.exe\" O 2>NUL"	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\Z8RC7kjhAqYdEqkbAXemNbsFr.exe\" O 2>NUL"	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\O5hMS7CYK2lpVOUQk0WOazHnaLu.exe\" O 2>NUL"	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\.DEFAULT	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\8\\nwRR9eKJ.exe\" O"	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000004b5791eb00d901	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\SecStore\\IR7xuRPlB8OwlF0HFjKro3avWduERMcN6ork08aJ9cMUNs3zSYcNO3up0u.exe\" O"	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\dozshqpt.default-release\\datareporting\\archived\\uemJBARDQy784BIln2mzPLGfHvHmqoopkB0mdL1PU4SCu0jBROceygbA.exe\" O 2>NUL"	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\Pictures\\8RzpN5L5taBvC4Wj8xcZbtkowMFjRKwHuNxswb.exe\" O 2>NUL"	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\Favorites\\MSN Websites\\ySYSz1k5fAJFdjVc2uYkHVwNjmUgSQHJuua4msEveJt2lvUDrGG3IiCDWF.exe\" O 2>NUL"	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\es-ES\\RPWOsmIFY.exe\" O"	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Libraries\\1d1JjB62F6siQ4XnALUlSzM5ij0nZWYMIw4wUtaKro9stC6HN57unFI8jaM8wToJX29u.exe\" O"	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000080fecb70eb00d901	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd

Modifies registry class 12 IoCs

Processes:

d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\Indexer\\hybpzN5tiioo8gKr4fsJA8E4DPjKVmTPTy1OslObBeIwHttrcwAQJpgQf7CfW1mDbYXS7W.exe\" O"	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\SOFTWARE\Microsoft\Command Processor	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Sqm\\Upload\\o0swTfFYNFXnmVrH1vTMOvM6X.exe\" O 2>NUL"	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exeAUDIODG.EXE11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd

description	pid	process
Token: SeBackupPrivilege	1372	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Token: SeRestorePrivilege	1372	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Token: SeShutdownPrivilege	1372	d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
Token: 33	860	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	860	AUDIODG.EXE
Token: 33	860	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	860	AUDIODG.EXE
Token: SeDebugPrivilege	1936	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Token: SeRestorePrivilege	1936	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1732 wrote to memory of 1936	1732	gpscript.exe	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
PID 1732 wrote to memory of 1936	1732	gpscript.exe	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
PID 1732 wrote to memory of 1936	1732	gpscript.exe	11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd

C:\Users\Admin\AppData\Local\Temp\d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
"C:\Users\Admin\AppData\Local\Temp\d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1064

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1584

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
"C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1936

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\Z8RC7kjhAqYdEqkbAXemNbsFr.exe
Filesize
732KB

MD5
37e002a0c9c2aea20255ddcd8e108675

SHA1
d6882997b48a3804eebaf406746ac2d599247bb6

SHA256
3db2f6c3f61335cac0ba347e8582980321ecd8f4ed5b981293e93ca0a2cefaf3

SHA512
39d3a1d0eeaf6a67b7217923a06c6b8b79639bf288f9068b4e0bbb49bcda8e0f76f4e77b2e7e22483c8d9ceb0480c33c94f5299feb0dce737a3ffbe677ad2a4b

Download Submit
C:\ProgramData\Microsoft\DRM\tAiPuVYZ.exe
Filesize
818KB

MD5
12b308b2e18a6004ec9424532b5ae53d

SHA1
f941b7009593ba7623f0851f9a226256b9f123dc

SHA256
83555a494ade79172aead09b899cb1b8c5dbf2de3358228f24b85bf15d0670ab

SHA512
6f147382d3a3b511c3b2c692ea9b6befa0870c80cf2174143b4c10f3ffed94e036dc8d6ff096ffc15b4d9a22ff0ba111463570ad146ab6840743c5a62f1ad306

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\A6Np634rjXSwGxV69FGVhBa0PylwSgvNuwOQr328vNrz.exe
Filesize
1.2MB

MD5
0b0bb3c7a521c2c0180612937dc48194

SHA1
4a391bd06f7f1077ca95bbfe3c0f8990ea74868b

SHA256
4157990669cff1d815c3cd7a16b12b0abc8594c2454dc6f11fd18d26da00b79b

SHA512
03271d344d0d8b165f469a13f289d9f2b896abd2fc1aaaeb9630b155564c5d992c73e34bd47c6a741d0291041f49580fa5d72a26b66b03f2dd199ee18df905ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Filesize
1.1MB

MD5
c83c5d4fe5a43b7bdf9b8825fcddec5c

SHA1
992f34755ad2246a3ae65ca6734d9d930911f14c

SHA256
3eda891e437d6987d34278b230a99ed0444f886cf89ae00f8780de8f175eccd9

SHA512
f76a1a9b12b463ac611797abb93eae0a933e32de59fc012800f8146493c60692b8762e242c0252a1c2fda6a35d29c42ac76df1eb9ef0d2c8858d4c143b43c131

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Filesize
1.1MB

MD5
c83c5d4fe5a43b7bdf9b8825fcddec5c

SHA1
992f34755ad2246a3ae65ca6734d9d930911f14c

SHA256
3eda891e437d6987d34278b230a99ed0444f886cf89ae00f8780de8f175eccd9

SHA512
f76a1a9b12b463ac611797abb93eae0a933e32de59fc012800f8146493c60692b8762e242c0252a1c2fda6a35d29c42ac76df1eb9ef0d2c8858d4c143b43c131

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\n6sCljOs7BDFhxloMeUK9KtjesBds9hYLysQTvffLUNFwjfIFRCrtf93ZSLKJmXnKssmZxE.exe
Filesize
998KB

MD5
9e204b4354df353f6032dc08a43ef5e2

SHA1
e398204402d616ab5c42e789204abea6c9dee723

SHA256
990c3b8ddc86b391d5231cab9be0a30ecfb83e7c18820c35f22f1c4bbe2886b7

SHA512
a331d996b608e4176e49ff5bd45185dd52e5bcba295c4ab253c3e68ec22afba6ee62dd238bf255e58260cf8a770e2fa689275be63f39ed991a717e24190f36d9

Download Submit
C:\Users\Default\AppData\Local\eFx3808MAIxNaHzg48as9RwdsDX.exe
Filesize
1.1MB

MD5
045f1674802bf499ea3c475856c79c45

SHA1
1b2ba5eeae558af1a9c3f155a668ff4633870c53

SHA256
f8e7c7256919f7ae1bf1b4c9352e70ebd70b0c01cbffaa26ca75e8dc18b8880e

SHA512
1898d5a20aa87cbc96c6983a3aff0f3041e965c1735e50bf206652027bdbd1f019802b2372f2211f501a1b09e489f1a5229c08116738339f28df05711181d21f

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\O5hMS7CYK2lpVOUQk0WOazHnaLu.exe
Filesize
1.1MB

MD5
30bb0d747154ea93cc6ac3fadcbf4a3f

SHA1
f8cd4de50815101737e2bc7faf7f2a84ab0502c4

SHA256
bef5b36e73d4866b02682381798276a39fa564e1129123f451b22589ecd0516b

SHA512
44251fe318ae17240df737b4f43c06fba1e1278a1f8ee0537fe02bb7178e0cbed14a9374c043c625da83f8e3f22fb48139be184896b18e8b55cef18e61f1a4d9

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\RhtUJ9WJJ1ln9TtvpuL.exe
Filesize
863KB

MD5
7d945675606a837aecf178e11a7edf7a

SHA1
918a2970f3289a61f52eb21852a82b412ec3f76b

SHA256
c3861f2a356ce220944188051fe7eeb6984ecfc2abfa6cfee2bfe5e832ea2148

SHA512
80294b04feddd2c6eb08134d71a530c6c385ae699b34dcdb69a00ec81fb66ac9f03242c7ab42df592b3cf11fad917646daea9229c5f7f7bfd7a86cf9c0fa872e

Download Submit
C:\Users\Public\Libraries\1d1JjB62F6siQ4XnALUlSzM5ij0nZWYMIw4wUtaKro9stC6HN57unFI8jaM8wToJX29u.exe
Filesize
1.2MB

MD5
354aa454ba8b27ca28ee04baabbdc3d4

SHA1
cfe0da85d58b0b79edfd38c5db71440fd9f3a70e

SHA256
828d9ae1023e4372793e399bcb19142baa2eebe9ebf369c31ef9c37a31836ca6

SHA512
310bd87534aa17b0e9b0a88fcfbc20b746aaeb08616c13107a27f98129c669d07b202c01ebd0ecdd9fbb0328c1f35dea5d329c4a425282039d2e3cd63b2b7fc4

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Filesize
1.1MB

MD5
c83c5d4fe5a43b7bdf9b8825fcddec5c

SHA1
992f34755ad2246a3ae65ca6734d9d930911f14c

SHA256
3eda891e437d6987d34278b230a99ed0444f886cf89ae00f8780de8f175eccd9

SHA512
f76a1a9b12b463ac611797abb93eae0a933e32de59fc012800f8146493c60692b8762e242c0252a1c2fda6a35d29c42ac76df1eb9ef0d2c8858d4c143b43c131

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\11ak0N21mgrr5bjyZaSY9mdTOqIuPcMBHIhv470HJNHirodkdH.cmd
Filesize
1.1MB

MD5
c83c5d4fe5a43b7bdf9b8825fcddec5c

SHA1
992f34755ad2246a3ae65ca6734d9d930911f14c

SHA256
3eda891e437d6987d34278b230a99ed0444f886cf89ae00f8780de8f175eccd9

SHA512
f76a1a9b12b463ac611797abb93eae0a933e32de59fc012800f8146493c60692b8762e242c0252a1c2fda6a35d29c42ac76df1eb9ef0d2c8858d4c143b43c131

Download Submit
memory/1064-56-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download
memory/1372-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1372-57-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1372-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1732-69-0x0000000000FB0000-0x0000000000FDD000-memory.dmp

Filesize
180KB

Download
memory/1732-70-0x0000000000FB0000-0x0000000000FDD000-memory.dmp

Filesize
180KB

Download
memory/1732-77-0x0000000000FB0000-0x0000000000FDD000-memory.dmp

Filesize
180KB

Download
memory/1732-78-0x0000000000FB0000-0x0000000000FDD000-memory.dmp

Filesize
180KB

Download
memory/1936-71-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1936-63-0x0000000000000000-mapping.dmp

Download
memory/1936-79-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads