72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc

Analysis

max time kernel
170s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Size

1.9MB
MD5

f18495573f599858c6c53bd364bebec6
SHA1

6c1ecc079074f39e7691a05db79c15465270d426
SHA256

72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc
SHA512

4f98ad5895306ace1dd1df20bc9f9c5cce7a719eb1aae6972d90b45b326829f168de8096b7d5002f376c1524917b9fc13a736973636a6634c10f38a70c39ecec
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iMqPfGpZ5rWHTo627en9l6yXy.bat72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\es-ES\\fX0Up9ziTLAWZqqwVZgv5aUIbexUdO0Vt6DMFFPMUoFEcyuH3fr30YJSyEaXBIpg.exe\" O"	iMqPfGpZ5rWHTo627en9l6yXy.bat
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Flash Player\\ErLuAn0ZJeB4r5m5DavafJdDTLxhbO4wXs94S85Iay0pYd.exe\" O"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\JF7lJxjs7udo8wioLTjdglNfCw9ceP4SlIksNn.exe\" O"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\lmDZD27iEiUfLCQH.exe\" O"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iMqPfGpZ5rWHTo627en9l6yXy.bat

Executes dropped EXE 1 IoCs

Processes:

iMqPfGpZ5rWHTo627en9l6yXy.bat

pid process

1172 iMqPfGpZ5rWHTo627en9l6yXy.bat

pid	process
1172	iMqPfGpZ5rWHTo627en9l6yXy.bat

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iMqPfGpZ5rWHTo627en9l6yXy.bat

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	iMqPfGpZ5rWHTo627en9l6yXy.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	iMqPfGpZ5rWHTo627en9l6yXy.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	iMqPfGpZ5rWHTo627en9l6yXy.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	iMqPfGpZ5rWHTo627en9l6yXy.bat

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1960 gpscript.exe
1960 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1960	gpscript.exe
1960	gpscript.exe

Modifies data under HKEY_USERS 56 IoCs

Processes:

iMqPfGpZ5rWHTo627en9l6yXy.bat72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exegpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iMqPfGpZ5rWHTo627en9l6yXy.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\pkC5nxYfEeyVDf2B5rNbPrL.exe\" O"	iMqPfGpZ5rWHTo627en9l6yXy.bat
Key created	\REGISTRY\USER\.DEFAULT	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	iMqPfGpZ5rWHTo627en9l6yXy.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	iMqPfGpZ5rWHTo627en9l6yXy.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\\LcQsNDeyMf9eJZXiFoYpns.exe\" O"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\GvtN5Zhldl6qeghl27glad5AaHi6hos0d2qmjyiXWqIC3blTorZqzifql5w3I98YNf4.exe\" O 2>NUL"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000030d51077ec00d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	iMqPfGpZ5rWHTo627en9l6yXy.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\qSI3Oo9ZClyhHELCQPKG1KxR8SfkroAyJCPxX3vEoUqTA2M.exe\" O 2>NUL"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\3FmGsvyY4GJ9g1RzLkLs.exe\" O"	iMqPfGpZ5rWHTo627en9l6yXy.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	iMqPfGpZ5rWHTo627en9l6yXy.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	iMqPfGpZ5rWHTo627en9l6yXy.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\ja-JP\\vedQ7fs65HUkXLMEIaUJWODsZGNcuko1y3R.exe\" O"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\HLiApmoL4y0C9ZSDm1thGkyREyfmirAjfMiTDbO9CEv3Xe8AuRqQFd.exe\" O 2>NUL"	iMqPfGpZ5rWHTo627en9l6yXy.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	iMqPfGpZ5rWHTo627en9l6yXy.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\MR9GAVBQ\\pU6yToIi5J465yLp5Q3BoGfJr.exe\" O 2>NUL"	iMqPfGpZ5rWHTo627en9l6yXy.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\ansV0qJDNm8NQaRMwB4eejoytK60l5paJSvWCryGSofOSGZXdMQ6uJ2U.exe\" O"	iMqPfGpZ5rWHTo627en9l6yXy.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\GatherLogs\\AscUCPxuJ3ucOH7FpFxGaAwTtGr3N.exe\" O 2>NUL"	iMqPfGpZ5rWHTo627en9l6yXy.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\YULVUB3G\\h0iYbMRoSGyiXVC4mwqb7ofNYGccbXaoPP4EiJTHyEIq.exe\" O"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\PropMap\\7lweOMzYPW3iBUJE6NXHSM28Sg.exe\" O"	iMqPfGpZ5rWHTo627en9l6yXy.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\en4MaBRJSDKJ3NQ7C8Z15S2i8ymgZ3q6EN2gLzrY9LO.exe\" O 2>NUL"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iMqPfGpZ5rWHTo627en9l6yXy.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hsperfdata_Admin\\BjzUMqM60vOXtMD0P9onlX3dPlc0Wv8nkXBWg0Qu0xC0STZIFRAgvXQlajtXtfi.exe\" O"	iMqPfGpZ5rWHTo627en9l6yXy.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\MEIPreload\\eKYhwXvlE.exe\" O 2>NUL"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\41\\Lc5qzWznLzl8SHwWmtNfBMvXlgKzUb.exe\" O"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-19	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\packages\\pov9EMrlJEudz9xqGVS5O3L2hrgvc1iznT2D3pgQ8ZqgJwLhhatNgsy.exe\" O 2>NUL"	iMqPfGpZ5rWHTo627en9l6yXy.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\WlLyyLyIH2jiH5CZeAIfnNyhYmOxiTxSSEm5Z1.exe\" O 2>NUL"	iMqPfGpZ5rWHTo627en9l6yXy.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iMqPfGpZ5rWHTo627en9l6yXy.bat

Modifies registry class 12 IoCs

Processes:

72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Wwto7YthE9zcfWohpKgfyrU9cqDhIS6wJ6gdjzPhLF6Aw5PgXNJ.exe\" O 2>NUL"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Command Processor	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Local Storage\\leveldb\\ZBLg6KhQ5N0zLQ4kC13GMBt4Nbk1.exe\" O"	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exeAUDIODG.EXEiMqPfGpZ5rWHTo627en9l6yXy.bat

description	pid	process
Token: SeBackupPrivilege	1704	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Token: SeRestorePrivilege	1704	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Token: SeShutdownPrivilege	1704	72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
Token: 33	608	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	608	AUDIODG.EXE
Token: 33	608	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	608	AUDIODG.EXE
Token: SeDebugPrivilege	1172	iMqPfGpZ5rWHTo627en9l6yXy.bat
Token: SeRestorePrivilege	1172	iMqPfGpZ5rWHTo627en9l6yXy.bat

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1960 wrote to memory of 1172	1960	gpscript.exe	iMqPfGpZ5rWHTo627en9l6yXy.bat
PID 1960 wrote to memory of 1172	1960	gpscript.exe	iMqPfGpZ5rWHTo627en9l6yXy.bat
PID 1960 wrote to memory of 1172	1960	gpscript.exe	iMqPfGpZ5rWHTo627en9l6yXy.bat

C:\Users\Admin\AppData\Local\Temp\72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe
"C:\Users\Admin\AppData\Local\Temp\72edb885636112c372b8036b9adcacb441f9d4af8cbf5b12bc66503f5fab8efc.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1324

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1536

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1960

C:\ProgramData\Microsoft\iMqPfGpZ5rWHTo627en9l6yXy.bat
"C:\ProgramData\Microsoft\iMqPfGpZ5rWHTo627en9l6yXy.bat" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1172

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\ja-JP\vedQ7fs65HUkXLMEIaUJWODsZGNcuko1y3R.exe
Filesize
2.7MB

MD5
daa91ced04a1f8a8a395119d486ebecc

SHA1
a95020bb53f0937c8fde20d8760e7ca51c74c058

SHA256
c1426a72fce617e4f221e35f6d6615629aa9e49feec607f72dff1800ab251d23

SHA512
85454ccd8bd71fdc1d130d713fb00cd2127c36aa94d769a1a69b4485c8d68ed6a1ba9493391f356f00be52347272f2e8e689458f85f9a1b09742732e9dba329f

Download Submit
C:\ProgramData\Microsoft\iMqPfGpZ5rWHTo627en9l6yXy.bat
Filesize
3.3MB

MD5
6c0a96bcec466f57c03f172da6eabba6

SHA1
8e3cf6e1c43fc4d1e0452e3dc7a1701f2e2a315f

SHA256
c2fde24545fb6a6337f421b1297d0adfdae43d80278167d56ea5fe900528c23d

SHA512
addccd702923598f9e38214cc254b6e4bf469b1e2f2215f67f659ba3617dada2983cc0f2003d42ff685b87456ec6e25832cbd24cd2da3f0f9828df2e17311e3b

Download Submit
C:\ProgramData\Microsoft\iMqPfGpZ5rWHTo627en9l6yXy.bat
Filesize
3.3MB

MD5
6c0a96bcec466f57c03f172da6eabba6

SHA1
8e3cf6e1c43fc4d1e0452e3dc7a1701f2e2a315f

SHA256
c2fde24545fb6a6337f421b1297d0adfdae43d80278167d56ea5fe900528c23d

SHA512
addccd702923598f9e38214cc254b6e4bf469b1e2f2215f67f659ba3617dada2983cc0f2003d42ff685b87456ec6e25832cbd24cd2da3f0f9828df2e17311e3b

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\LcQsNDeyMf9eJZXiFoYpns.exe
Filesize
2.0MB

MD5
181de0856682e7ebe741d7980f71799c

SHA1
911e9205734574cf843480f7435a7527e93f0ac4

SHA256
c38eb34df547c8b84318c3321d2d19166ccacb3fc90cd5c0fa74164dc2086bb5

SHA512
fd8b30bad3884c8a85e8795ed74c5225d742f929baef8cb8b32da321347072cab9998a02b0537e1807d5d28c07b16ab1ce9b845152c1470874b1f68f1bb5ab17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\JF7lJxjs7udo8wioLTjdglNfCw9ceP4SlIksNn.exe
Filesize
2.6MB

MD5
33b24d800bff80b5484daa4d4919f9d4

SHA1
1600328000c65b323f80256ba511cd74df06e372

SHA256
470d7120040e37253f6176e92b9bb88e7577f954496f5a91ea1c1da9b0ed6f6a

SHA512
b2f7b4b9f838bd32d31cdebfc69b1e7ecff845875f2ea3a34f6f2cd7e9f29d64135e82ffcc3e1c496ddecec7b827f57603ede8408106e9330fecc0d1fd64e93d

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\ZleGw8xqyyu5nMiwkqoFSqNq3buW31jg.exe
Filesize
3.2MB

MD5
d0aca417c2a09b6334c0cfbba7f1cb54

SHA1
20f449bc0d9ad576184fb388f7421e26d02df77b

SHA256
636be485c6a28602e427281846ce327a8a2ccb4b7a24a45c5309b569af320aa3

SHA512
3217702845c3d7f606e81ad5d2abbaf9a0e466689caf0e263f4ac7121cb7af2d31cd41433dd043e62fedb567b1360df04cb8d8d77109cd07afda3b7430522bbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\en4MaBRJSDKJ3NQ7C8Z15S2i8ymgZ3q6EN2gLzrY9LO.exe
Filesize
2.4MB

MD5
dfeb78ee515136aec7ecb03b352ce849

SHA1
3f4e914258cd6e78f4cab8dcdd04e9517c5859c0

SHA256
7dc25501e185dcf5f76f2e48615b2fe92907f012fcbd5e76a703a652b22d0b45

SHA512
8a76e62a58409dedd86d799ef24bf0a0d336261cde2e329136bfb3be762ea88b1579867f31f89d6fe0d31be85480ec45d45a3352e882fe859265302e14540f67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\MEIPreload\eKYhwXvlE.exe
Filesize
2.6MB

MD5
1ee1c0a308ed30120a76cf1304cff678

SHA1
c01698cf119ee423076eb98d6f2a8ff066daae5e

SHA256
da340786ca0618dec8a619bb6096f9ef872e04f1a9a35abed2212f07d2a27474

SHA512
226a81e1bb0de47bb2b0cc8b0d38fac5ed834aeedfa8855e703c02199fd53170f62a239cf1e6f46e8567236c686e5ed99eea29f2f66d1f388381a2b60bf911ad

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\YULVUB3G\h0iYbMRoSGyiXVC4mwqb7ofNYGccbXaoPP4EiJTHyEIq.exe
Filesize
2.8MB

MD5
54ca1e7c9177571229d5244a4e5d544d

SHA1
6b62d11e297a35404e9de6119ab045fc7a3d1bbb

SHA256
3a5feff895a94dd84bfd398945b17817097367ef15dd5383bb1102673099848d

SHA512
ee8225a6c540178ce717757329acac3aa879f0a230b87deff855b6761e051c122295ddbf58577dc609521f905fece046c4f5fcb73f740131cd69e89538594aee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\qSI3Oo9ZClyhHELCQPKG1KxR8SfkroAyJCPxX3vEoUqTA2M.exe
Filesize
2.7MB

MD5
9601f85cdfe0294f562bbc2cbed3b1a2

SHA1
97cf3bc55185419b12a83b01960b1d0603639f40

SHA256
b5b3d4a52516681539f124c2f2d6f18b8f7cbb93ef8c31d41b37626227a45f76

SHA512
a601831244907633fd867fb1d3743ba2a68ffedad275f05c47b8747b0e39f1841877451478d712ab042b1114aedd2f505aa9c5e5b173d7408dd23968922a49cf

Download Submit
\ProgramData\Microsoft\iMqPfGpZ5rWHTo627en9l6yXy.bat
Filesize
3.3MB

MD5
6c0a96bcec466f57c03f172da6eabba6

SHA1
8e3cf6e1c43fc4d1e0452e3dc7a1701f2e2a315f

SHA256
c2fde24545fb6a6337f421b1297d0adfdae43d80278167d56ea5fe900528c23d

SHA512
addccd702923598f9e38214cc254b6e4bf469b1e2f2215f67f659ba3617dada2983cc0f2003d42ff685b87456ec6e25832cbd24cd2da3f0f9828df2e17311e3b

Download Submit
\ProgramData\Microsoft\iMqPfGpZ5rWHTo627en9l6yXy.bat
Filesize
3.3MB

MD5
6c0a96bcec466f57c03f172da6eabba6

SHA1
8e3cf6e1c43fc4d1e0452e3dc7a1701f2e2a315f

SHA256
c2fde24545fb6a6337f421b1297d0adfdae43d80278167d56ea5fe900528c23d

SHA512
addccd702923598f9e38214cc254b6e4bf469b1e2f2215f67f659ba3617dada2983cc0f2003d42ff685b87456ec6e25832cbd24cd2da3f0f9828df2e17311e3b

Download Submit
memory/1172-70-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1172-62-0x0000000000000000-mapping.dmp

Download
memory/1172-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1324-55-0x000007FEFB941000-0x000007FEFB943000-memory.dmp

Filesize
8KB

Download
memory/1704-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1704-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1960-67-0x0000000000FC0000-0x0000000000FED000-memory.dmp

Filesize
180KB

Download
memory/1960-68-0x0000000000FC0000-0x0000000000FED000-memory.dmp

Filesize
180KB

Download
memory/1960-76-0x0000000000FC0000-0x0000000000FED000-memory.dmp

Filesize
180KB

Download
memory/1960-77-0x0000000000FC0000-0x0000000000FED000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads