6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0

Analysis

max time kernel
164s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Size

744KB
MD5

12449cb6eb1885a425461bf6a3ab5189
SHA1

6feb175c444823f44804f32f8718052f23dac9ba
SHA256

6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0
SHA512

e69948aa5bd5b172aea9fbbd8569f34f600899061781062138ab8c6d2bd8dbe85208090d4059c689a7e5d96da248c1fb22e3c829aecd26288bbddaf620be7841
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\User Account Pictures\\32mrx1NPEnetF2.exe\" O"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\2LlEnqWaIkMaXaU9uRyu3UCxYYeh3YnfPDZfbwz5a9z73HZSbbtejrgV5Tt9ugTeI.exe\" O"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\iC2ukSi3Kd5UHJZanXXmcryh7ndcbj8YNGNLV4Y6rAaXWJr1iXP2pYDRCk66r26w.exe\" O"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\4sAB4wyZcj9wwjJYAzIJ9r8xjkKHSxs1ixq3GX2G9EKieF0JGvCOkas4SJgTaGQkEMhIL.exe\" O"	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe

Executes dropped EXE 1 IoCs

Processes:

7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe

pid process

1960 7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe

pid	process
1960	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1964 gpscript.exe
1964 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1964	gpscript.exe
1964	gpscript.exe

Modifies data under HKEY_USERS 59 IoCs

Processes:

7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exegpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\Links\\B4uCI7OBPc1p9.exe\" O"	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-19	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-20	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing\\BkTMqXQg5H6eoDCukvhjCDYwwypsMOtpMAZc.exe\" O"	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Sqm\\Sessions\\OaEh5HEyXayEXz3gYoGujQ0d.exe\" O 2>NUL"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\9XNRFMOH\\Wsv7WoMI4oCnLRI10gU7Lel7DNcawVDIyQLltKpewysl17yo.exe\" O"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000708fbd9eeb00d901	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\fRDut4HZXTSy91Ou1oaOPLciTDNWlhcfldUyW21J7NzuFj6q1Xorq.exe\" O"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000b061449ceb00d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\Searches\\aOzPWYS0kiWMPP8G2BIrnKR.exe\" O"	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\38\\9gQSM7AY3nsIERWK.exe\" O 2>NUL"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\.DEFAULT	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\wNTmO3lsGbJ24GkZWU4uAZx.exe\" O"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Code Cache\\js\\index-dir\\8YoUf9Edzga30kSwKYMdKdSzp9TxT9gEVCOwQsYJcAZfa0HsZmw4XFGwruai0S.exe\" O"	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\NonCritical_x64_14581a24ae3cd03160d66be822236893de867_cab_066c4dd1\\T9SVMNRGyofmrZv69wbz735r.exe\" O 2>NUL"	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{61087a79-ac85-455c-934d-1fa22cc64f36}\\a3g9YO0oo20yJgMZJGOrskMtl7Dt5woZfsVRb865VxQbFojwe75F5s4gDWJ2RizeAfVLHs4.exe\" O 2>NUL"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\ae6vytmk.default-release\\startupCache\\8ouP1ZyBA6JQiyK6b.exe\" O"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Media Player\\UiM4epBnQ0q0gKwBdyBD9E4vIN1GMRSGkZ7VS88a7g9o4mBfQ5IZPNfqDGsaI1LfRjprRqx.exe\" O 2>NUL"	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\e4FwQdzVBQbR8aaSN5IJcfAgDIwWmlit5tpvYVqKpaYNb.exe\" O"	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FF393560-C2A7-11CF-BFF4-444553540000} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f0fea09eeb00d901	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC\\hn4zNhkwUR5zP5Cenwh8k6myzE5Dk47W9ZNjsEHeG4.exe\" O 2>NUL"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\RAC\\LUmZCYaHmICDSd.exe\" O 2>NUL"	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000070a5e39eeb00d901	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Code Cache\\wasm\\index-dir\\dWBuvNDtw6UOaQLGjqNbzSHS9EwMCnFRYizSLzO5KLRtfLxMhE2TrvuMGC4fzrtbiN.exe\" O 2>NUL"	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vcRuntimeMinimum_amd64\\MKRjlZp48Cb7WN78pjl6pZ5mWEzWvOppwgoPkklJRDGMXOmC.exe\" O 2>NUL"	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe

Modifies registry class 12 IoCs

Processes:

6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\AutofillStates\\RSWmNnXTv2eaVgy98xxYoO57BXTa5WyohgM9RJfcOtKXrAsC7qZqWW9kuIuZDuBvhuTr3.exe\" O"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Command Processor	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\7\\XD8bQjfB8nOW6X.exe\" O 2>NUL"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exeAUDIODG.EXE7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe

description	pid	process
Token: SeBackupPrivilege	948	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Token: SeRestorePrivilege	948	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Token: SeShutdownPrivilege	948	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Token: 33	1516	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1516	AUDIODG.EXE
Token: 33	1516	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1516	AUDIODG.EXE
Token: SeDebugPrivilege	1960	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Token: SeRestorePrivilege	1960	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1964 wrote to memory of 1960	1964	gpscript.exe	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
PID 1964 wrote to memory of 1960	1964	gpscript.exe	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
PID 1964 wrote to memory of 1960	1964	gpscript.exe	7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe

C:\Users\Admin\AppData\Local\Temp\6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
"C:\Users\Admin\AppData\Local\Temp\6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:268

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:604

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1964

C:\ProgramData\Microsoft\Windows\Templates\7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
"C:\ProgramData\Microsoft\Windows\Templates\7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1960

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Sqm\Sessions\OaEh5HEyXayEXz3gYoGujQ0d.exe
Filesize
1.0MB

MD5
dd2c3836e5782c92512091b4cf4c808c

SHA1
ee0054ae5df8771a41b899db0a84d3f84a7ddb94

SHA256
95a54953fdd3055e6cf7610a0b99386278266805eb484258de11c433f32a1986

SHA512
b3e2ecae74273200433a16390252599bc67ebbdb0382f9116475166b0789ae2006c712f91cd749907081a3f92be9e963359ae745ee503665e850407dd2302aa6

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tablet PC\hn4zNhkwUR5zP5Cenwh8k6myzE5Dk47W9ZNjsEHeG4.exe
Filesize
1.3MB

MD5
28adad4eaa71ccb90f336fd329599f37

SHA1
531b1619b285365e8a2e5f1c05a727cbf2c6384d

SHA256
ffa9e4996b4f1f3a39e2f40bb609dac21a40c2ceea83459207e5df4f00f76d77

SHA512
b7b3a700b851def39df4106007c8749f7fbaee58b5c3925965f721dac348b19680d92e6f39c98205bce322ea114803ec1afe61d7655f5fc5891002c0971017be

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Filesize
985KB

MD5
c58c744dae36beb090e0d9b614b08cbf

SHA1
42fdcc968c1ceaa450a2e95f1d5a81537747bb59

SHA256
f5a138b8e66423a2d7958842e2aab1ad0828bcf801287e74f1aa1afb001d198b

SHA512
dd5c5ac3cea100a131a9774eadb2f5aadc10708d988ca114cdb5dda3a34b27805acfc075e2f2d51b00162db5f25e49da9ce7acff05cc4a6593eedf5ec1356bc0

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Filesize
985KB

MD5
c58c744dae36beb090e0d9b614b08cbf

SHA1
42fdcc968c1ceaa450a2e95f1d5a81537747bb59

SHA256
f5a138b8e66423a2d7958842e2aab1ad0828bcf801287e74f1aa1afb001d198b

SHA512
dd5c5ac3cea100a131a9774eadb2f5aadc10708d988ca114cdb5dda3a34b27805acfc075e2f2d51b00162db5f25e49da9ce7acff05cc4a6593eedf5ec1356bc0

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\a3g9YO0oo20yJgMZJGOrskMtl7Dt5woZfsVRb865VxQbFojwe75F5s4gDWJ2RizeAfVLHs4.exe
Filesize
1.1MB

MD5
5627bcc133369e8e5554705e749083e8

SHA1
9946fdd3e047965a835370362e7787edd992402a

SHA256
a1cdce727a876bb932759e3c01479d1ec941ec27d2e29dfca5a043a570196636

SHA512
f8fcbbf166bfb3cee37427dda4bdefc3699dfbb58ddaa9545f012896fa374f888a0ecedef401f19fbbb668f44b88c7c1c589b36e037bdbf785ce275445a446ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\fRDut4HZXTSy91Ou1oaOPLciTDNWlhcfldUyW21J7NzuFj6q1Xorq.exe
Filesize
932KB

MD5
6e0a618443296f2800edbceb9a02a8cd

SHA1
e91e551d1f42641a6ac26124ce2e6a0d3f062361

SHA256
b34672cb59ccdffa237fa7c1c13d3d9d5a76aab73887ee0d1c7d722792e2a8fc

SHA512
4bfe6084513146d428acae294e4514df81ff71b49e5c876660bb12ad592cb375c4e9da45117b599557a9207689f484563f4576350fc6e80a2a3aaefde9a327ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9XNRFMOH\Wsv7WoMI4oCnLRI10gU7Lel7DNcawVDIyQLltKpewysl17yo.exe
Filesize
842KB

MD5
1bcdd1c8394aeaa1a398d469e588a2f6

SHA1
1ab3e4e13045a89b25f7b70bae7a7cc7f9390338

SHA256
0ecf5b2fa5ce36fab8ab85c5813b035394c6ac3cb799fea7231bc517665cfd69

SHA512
c5a120bbabe27fd769756d03082ebbff4abc600613f59799d6b644c6f2811df2c04337885052721417175aaf7e49484a47b23ed8de9f27f202dc62fb8a1ac994

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ae6vytmk.default-release\startupCache\8ouP1ZyBA6JQiyK6b.exe
Filesize
1.2MB

MD5
8030776793b99281bc00589f7b9a6151

SHA1
a286366504b0c95a0af745ab983cb59610f03d9d

SHA256
511f0332a3d6fa9b55d5c0322be26fffcef0bcc9fc422f475a7701588057c9b2

SHA512
09b022c700d6d101344faf3d555cd7261bc4d6511bb4275e1c9f058d54026dbeeec65f2520d72e6305c5706271b737f045c13da711c36e0096505e5ffb468012

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ae6vytmk.default-release\thumbnails\rnN7HUt5q5xuMGx9JGqHXlDreSYlRe.exe
Filesize
1.3MB

MD5
5864a93a10a9605ccb902aa4f1b3fd2f

SHA1
c69561f0d7ce0dcbd12ad2ff614423da93c7aa80

SHA256
a6f56dc296e495e3221533d50d5768d63e2e4cde3e497d18fd1d7216bf3cceeb

SHA512
c2deeb7904fe2a1c77252961e0749211a6e0517c45d3f8124307fb13bef77d0f02f2673eb27027f122753c0839563f2698a082bff3956ab7069bd400a1a285ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\2LlEnqWaIkMaXaU9uRyu3UCxYYeh3YnfPDZfbwz5a9z73HZSbbtejrgV5Tt9ugTeI.exe
Filesize
1.2MB

MD5
26802da0ba7259f1aa33142041dff44c

SHA1
82eb24f9cad51468414da9b0caab593ec583f877

SHA256
6c33d91510d2201c114c33dea4c9915ea098b24ab722fc4e5d70e202f32fa1e7

SHA512
022b98858a5d4dfaa19695bf4b850c6b955e24b4b1135f0e5f329b1bc09ee443068935225e454a67dbaf85799b75e7e663319b58f1a8b5c73d4f1cdc78833cbc

Download Submit
\ProgramData\Microsoft\Windows\Templates\7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Filesize
985KB

MD5
c58c744dae36beb090e0d9b614b08cbf

SHA1
42fdcc968c1ceaa450a2e95f1d5a81537747bb59

SHA256
f5a138b8e66423a2d7958842e2aab1ad0828bcf801287e74f1aa1afb001d198b

SHA512
dd5c5ac3cea100a131a9774eadb2f5aadc10708d988ca114cdb5dda3a34b27805acfc075e2f2d51b00162db5f25e49da9ce7acff05cc4a6593eedf5ec1356bc0

Download Submit
\ProgramData\Microsoft\Windows\Templates\7F23W0HWv16EbH42zynvFnfmZGqjgZjJ18CSYn5tJPe81ey.exe
Filesize
985KB

MD5
c58c744dae36beb090e0d9b614b08cbf

SHA1
42fdcc968c1ceaa450a2e95f1d5a81537747bb59

SHA256
f5a138b8e66423a2d7958842e2aab1ad0828bcf801287e74f1aa1afb001d198b

SHA512
dd5c5ac3cea100a131a9774eadb2f5aadc10708d988ca114cdb5dda3a34b27805acfc075e2f2d51b00162db5f25e49da9ce7acff05cc4a6593eedf5ec1356bc0

Download Submit
memory/268-56-0x000007FEFB641000-0x000007FEFB643000-memory.dmp

Filesize
8KB

Download
memory/948-57-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/948-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/948-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1960-63-0x0000000000000000-mapping.dmp

Download
memory/1960-76-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1960-79-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1964-73-0x0000000000F20000-0x0000000000F4D000-memory.dmp

Filesize
180KB

Download
memory/1964-74-0x0000000000F20000-0x0000000000F4D000-memory.dmp

Filesize
180KB

Download
memory/1964-77-0x0000000000F20000-0x0000000000F4D000-memory.dmp

Filesize
180KB

Download
memory/1964-78-0x0000000000F20000-0x0000000000F4D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads