6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Size

2.1MB
MD5

fb8c5facc879b47e7450bcc02ab51987
SHA1

4c819f1026b5f4960d87c8906f54a66a0e35a037
SHA256

6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3
SHA512

ec061153ba730e83fd176d22e2dc3d01b4ad32793755ca44a1a5b6e345f6673cf39a44e28c93e710f802ee213cbbad8b11a15f9a769b96262b5073157f69bbeb
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exeM3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\17\\okf99I35K97YOxOVYnrC.exe\" O"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\Favorites\\Windows Live\\LdWIt2pfZaaV9ufWhLjLukIIFVCsEYpIu4.exe\" O"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\LiR0xRzLv3MGVZrITsh5TZs6VQt0iHb0baooReDS7mXWv.exe\" O"	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\SXfxPg299wvmBIFjKaIZhQgVZsZTmJef.exe\" O"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe

Executes dropped EXE 1 IoCs

Processes:

M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd

pid process

1884 M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd

pid	process
1884	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1584 gpscript.exe
1584 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1584	gpscript.exe
1584	gpscript.exe

Modifies data under HKEY_USERS 59 IoCs

Processes:

M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exegpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\7IqNLSBRDALXAZcyziOcv8ych1AHPQjE71.exe\" O"	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iwv3qbnj.default-release\\crashes\\events\\xjYTWU3O0lhZ4HqaYeX0Ee8lMVJ.exe\" O 2>NUL"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Adobe\\Acrobat\\9.0\\Replicate\\6pWoKDRM609JA9CsgwmM5ctJu5Sbr9NlytJAwuas8nQm3SKlYdXw.exe\" O 2>NUL"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Public\\Favorites\\WIexkvnIs32UUvsjh4x.exe\" O 2>NUL"	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-19	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\3l2Moy3MJrFcalJ.exe\" O"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\wpmvEpE9iAUb9MrAmJtIQ46MBAVW1d1.exe\" O 2>NUL"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\2uAm7t9RdPKp3CHrYpmICR5pGRqD0A3mhqiWvzkXXp.exe\" O"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\qyUMKD4Xz2GF8q3XrXOBEB8n77l1emxJQl8MdTmiIRZ0caxIYGeUUKFGNQUquMi.exe\" O 2>NUL"	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\snAYTJN4g6LCaYtowZFyzelTu4MNMdB63roQm6De1AnEv4g.exe\" O"	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\HYQeQbiR3VjzA.exe\" O"	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\v6VitWKih9D1RUId9tLLaHR6BlJHcWJ1ROKgbR.exe\" O"	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000080b53da2eb00d901	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\it-IT\\1XvTTRDU1vTKrYSV02efqYQ8jRDlSuRHMc04BcUeeLqXbRcaIxBmdCybXOPaJa.exe\" O 2>NUL"	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Jda6FEGHTF39a.exe\" O"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\.DEFAULT	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\84x4XzWv52bquwiheV7Z95YvGanJO.exe\" O"	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iwv3qbnj.default-release\\extensions\\EOINiwnC4TxvoRtGeIUATzMJXdyPnC8HrsFZpsczMx8K4vilJPqJPXsWl1gzzAsYIk.exe\" O 2>NUL"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\AMG88FUG\\p1l7c0d5OLzVTOMCFUyC7JwfECTt2.exe\" O"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000020258f7deb00d901	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\hpifUXQAbfpeFvdEpDjSnwRgIqQNie0fWzDKfG2AiiJLn0X.exe\" O 2>NUL"	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-20	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\i6Fs3LwAYx1VRQbFfFuieCnxK1126sJzQQzbYSMMqXfuzX19Z1fi.exe\" O 2>NUL"	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe

Modifies registry class 12 IoCs

Processes:

6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Command Processor	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Mozilla\\updates\\QAz3sKK0LXn4As2ffB6nQXNUoEVoPgpsPP0ADMTEh8D2fiJKYgsTpI7WLez.exe\" O"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\MRvShIa3MI1F.exe\" O 2>NUL"	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exeAUDIODG.EXEM3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd

description	pid	process
Token: SeBackupPrivilege	1932	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Token: SeRestorePrivilege	1932	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Token: SeShutdownPrivilege	1932	6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
Token: 33	1276	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1276	AUDIODG.EXE
Token: 33	1276	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1276	AUDIODG.EXE
Token: SeDebugPrivilege	1884	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Token: SeRestorePrivilege	1884	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1584 wrote to memory of 1884	1584	gpscript.exe	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
PID 1584 wrote to memory of 1884	1584	gpscript.exe	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
PID 1584 wrote to memory of 1884	1584	gpscript.exe	M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd

C:\Users\Admin\AppData\Local\Temp\6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe
"C:\Users\Admin\AppData\Local\Temp\6df2c19308473d73c7afbbb839b703840b9edb10282a650bff50e6567764dfc3.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1004

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x460
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1732

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1584

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
"C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1884

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Acrobat\9.0\Replicate\6pWoKDRM609JA9CsgwmM5ctJu5Sbr9NlytJAwuas8nQm3SKlYdXw.exe
Filesize
2.3MB

MD5
44d3708d7a5e2c282408df72b598a98e

SHA1
bba5b79dc4bf776ab3e7a277fb0569f843a3914f

SHA256
fe519e2884ca57159f3bbc0d4547349f0ebc3d846eb0006e55ba39fe9aa16232

SHA512
caff5212b9726fc3a0f8c6e413a3bd18e6b4965c598bb5ec6ee0894b5bb30ee565638516c7b1acd809b5a006cd523227af08eebe9ffe2a60dd7b9e099c4ddc68

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Filesize
3.9MB

MD5
332405c8d9585a846f05a061b5a79ba2

SHA1
d0ff516aa6a01076afe48ebb32daa90ae7dc6be7

SHA256
364839c3470b3d749f129ce48a25582e6e135e426768388165194033a83874de

SHA512
174cd010f51c496548104f46c26ad15d8a7e1232d28414c9c8e0866e3bd45b4c4d96e1f874eb812195940b4e71925d704d9aba992ee7e53c7f2bf23941194fd9

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Filesize
3.9MB

MD5
332405c8d9585a846f05a061b5a79ba2

SHA1
d0ff516aa6a01076afe48ebb32daa90ae7dc6be7

SHA256
364839c3470b3d749f129ce48a25582e6e135e426768388165194033a83874de

SHA512
174cd010f51c496548104f46c26ad15d8a7e1232d28414c9c8e0866e3bd45b4c4d96e1f874eb812195940b4e71925d704d9aba992ee7e53c7f2bf23941194fd9

Download Submit
C:\ProgramData\Microsoft\Windows Defender\Support\wpmvEpE9iAUb9MrAmJtIQ46MBAVW1d1.exe
Filesize
2.6MB

MD5
a7b91e898ee07967301254c534f019d9

SHA1
4fd966dd88ac2cae62c8aeedf443113274d9d88b

SHA256
ab05175202b5de42c72f90917dd963d9175724fa1d0e75312127ea60c418b0d0

SHA512
c65b9859c49999bfb87fc8c3a387012485e8e007d6177be364b825f3fe0ef088b19457824b808816c3e4e1ded8f9b916137068c1fd9af4757c0cab47c4a6bd42

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\2uAm7t9RdPKp3CHrYpmICR5pGRqD0A3mhqiWvzkXXp.exe
Filesize
2.5MB

MD5
860b3424e975c4dca92b8ad90c7bace6

SHA1
bbadcb08c7c96c9ea20b548a33a5137077080907

SHA256
4b1ac05a697a166b86e2317d09f66233b82f1f7e2b2747a2dfb356d2c474cad4

SHA512
5975f98765e086a94ac6c752a9f37fa0daa9ca9397ed00786d3fe0700da6da128193d717fcb8b07eea27c1be2d74867778363f5d1680193bc6a45ff9dad63264

Download Submit
C:\ProgramData\Microsoft\Windows\AIT\aswUaAucIuIwMqAH.exe
Filesize
2.8MB

MD5
ac2236c722e869ca1721512a5282e409

SHA1
5888b23a636d09ea329c9a512fdf836677f05965

SHA256
d7171be2fb85bb87e025f4d22985173b97ff69d447a11d659bbe15da78da98d7

SHA512
7377f69666196677b4a68ec0dfcf0e0a6aeda402b9875e15106b6b01106bc80890b96f8b05a12dcb144c36be8f4db6de31eceffe3c4f60f0ff19d0cdea85029c

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\okf99I35K97YOxOVYnrC.exe
Filesize
2.1MB

MD5
1bf607ff95ab5301be06eff9fbdb3c90

SHA1
8e6b8a1bce716f951e59737eea971e511a1a76fa

SHA256
d0de9b391866592b898b7c0780b0534afe16f0bafec49d338faf2ae0333c2ac7

SHA512
633a316a7e573328ece7ff249898f89bf013ee49affa7c47583102428f9ac455339600b61775f2dc0c0ef57c3e634784c11727cbbeb0a8122a624ff1f49a832d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\3l2Moy3MJrFcalJ.exe
Filesize
3.7MB

MD5
bf74feddeed67f9ec65b7abd50458220

SHA1
9dd0a5512eb7bd743c5a07df5898c0641928dc2d

SHA256
9e0a688b27e9d498a04fada85ea570bf3a15a2c1717346ecbc88a8f16d23f2bf

SHA512
63f05b854f2d2ffe8cee21c3f536b93b8fef75b8129c2005ba1037a6a135e2dc6c1acda21e6c64f19b6a1b2bc45354c1efd0998093a45b27c20090f2571331bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AMG88FUG\p1l7c0d5OLzVTOMCFUyC7JwfECTt2.exe
Filesize
2.6MB

MD5
740e11202ee3f71d927cdff3c3f42161

SHA1
6a5fad94f06c29173507641bde03ce99ae22ab8f

SHA256
d52e20b8c25e219eff23af34c9f86304f65c582a7e0ccc655d64731e00d106f1

SHA512
8bcc48431e5e5e2bbda2752baef49712c6b76c4a707f0d2bafaa2d02699d0a2d50cfdef1548f02797aac5f70855f90cad79d31bd2459aded04f8fb7d04e75694

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\crashes\events\xjYTWU3O0lhZ4HqaYeX0Ee8lMVJ.exe
Filesize
3.2MB

MD5
8e018d698ab1d217f981a9efc6f50d14

SHA1
48cb7645dfc31bdcb97a7cf6e326d3a620fad1e3

SHA256
ba31b101191c29cc2156b334a8dce83a4d0d294e17c4f16cef9b76eeab70bb0e

SHA512
e2490f9a2e27b8ec74a8b9079c31386714f94228935a92b09544c8468d8009f8eaf9a728e40e55e5dc28fbead4082c9865f9c039722c7b76fa87cbdf01a62f2d

Download Submit
\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Filesize
3.9MB

MD5
332405c8d9585a846f05a061b5a79ba2

SHA1
d0ff516aa6a01076afe48ebb32daa90ae7dc6be7

SHA256
364839c3470b3d749f129ce48a25582e6e135e426768388165194033a83874de

SHA512
174cd010f51c496548104f46c26ad15d8a7e1232d28414c9c8e0866e3bd45b4c4d96e1f874eb812195940b4e71925d704d9aba992ee7e53c7f2bf23941194fd9

Download Submit
\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\M3eziYnL3hz2Z8d13ndXmVJ4ujCXeb3slYkHEj1RLwyZEX1c3OPS0JmLm.cmd
Filesize
3.9MB

MD5
332405c8d9585a846f05a061b5a79ba2

SHA1
d0ff516aa6a01076afe48ebb32daa90ae7dc6be7

SHA256
364839c3470b3d749f129ce48a25582e6e135e426768388165194033a83874de

SHA512
174cd010f51c496548104f46c26ad15d8a7e1232d28414c9c8e0866e3bd45b4c4d96e1f874eb812195940b4e71925d704d9aba992ee7e53c7f2bf23941194fd9

Download Submit
memory/1004-55-0x000007FEFC621000-0x000007FEFC623000-memory.dmp

Filesize
8KB

Download
memory/1584-75-0x0000000000D10000-0x0000000000D3D000-memory.dmp

Filesize
180KB

Download
memory/1584-68-0x0000000000D10000-0x0000000000D3D000-memory.dmp

Filesize
180KB

Download
memory/1884-69-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1884-62-0x0000000000000000-mapping.dmp

Download
memory/1884-76-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1932-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1932-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads