b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942

Analysis

max time kernel
140s
max time network
127s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Size

452KB
MD5

df92baa5776224b51b9720c65fe51af3
SHA1

c5a4caea6e99064497683feb0f88749b0a93b933
SHA256

b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942
SHA512

85d00d9e41d8c29b6c3697cbfabca09d2b1099a85cf76cc042a18d6db2ee01a1e6d8eae42b1e4f70403174ff1d8c35fc40413b6c16a04e5639365cefb929e860
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

description pid process target process

PID 1032 created 600 1032 rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe svchost.exe

description	pid	process	target process
PID 1032 created 600	1032	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exerubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\nFYu1ABLyO1yD15d3KwwTsA6G.exe\" O"	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing\\cEzDkW3qAJyRJRrhNFN.exe\" O"	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\zoTOtD8eUpnKqgfE5VS1MqImdIPbGV3itdXzrHX0qx.exe\" O"	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\etU6jqTHqoIOQVjBs87rRwS6BpgxSJLT3ABOc5yy.exe\" O"	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe

Executes dropped EXE 2 IoCs

Processes:

rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exerubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

pid process

1032 rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
1184 rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

pid	process
1032	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
1184	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exerubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

Loads dropped DLL 3 IoCs

Processes:

gpscript.exerubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

pid process

768 gpscript.exe
768 gpscript.exe
1032 rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
768	gpscript.exe
768	gpscript.exe
1032	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

Modifies data under HKEY_USERS 59 IoCs

Processes:

b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exerubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exegpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\iwv3qbnj.default-release\\cMqQpiUWFtHPYJOukQpoakipro7mqEKf1R9xBapEWZaLMa0CBJEVmvc4NCJl7c66fSeKgrE.exe\" O 2>NUL"	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\.DEFAULT	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\es-ES\\eYOelQiPCxEpWcOcbyObGMeqhQWKgSSxHimTQSctJ21FYenQ0DOfY.exe\" O"	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\5zxb119vySkDgLTvaIGYjCuGmH97kfY1391JX57Gj6DtpXu8kMaLRw2TvDv6cHcwdVc9uQ.exe\" O"	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000303011f4eb00d901	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\eHome\\SlpZLMGPhptAfnG6e51Mn5jh5PY39iq0C3O61yeYfRmpuoLKZGCqkTDW.exe\" O 2>NUL"	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\c4Hh7rgHhP9FTb7MDkEtP90f1vTAtNRHhbNCtKnYHE1NwXlgB9.exe\" O"	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds\\Feeds for United States~\\fr9c6MldJ9kFICfB6nLkhEdfSpecOvYenfQ9gHyhlXlvAfikNKNhdZCLRYlG07.exe\" O 2>NUL"	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\\packages\\vcRuntimeAdditional_amd64\\ETfwlE9fcqJ0cdNvvC29GJFEWUJLD.exe\" O"	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000070b85cefeb00d901	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Public\\Videos\\Sample Videos\\O8yI0MmfLt3GpFCgyGIKEnthRY22xlfS0H6m.exe\" O 2>NUL"	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Ringtones\\X5n9RGHmFJBWnbPL4Mv2ZRgtGdsK0JUiLw7kS4MX2JLnGYtj3O.exe\" O 2>NUL"	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Data\\LevelDB\\USARPv9sTidfjicmunVqyVwUfnLSeeZu7pYI4.exe\" O"	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\Re5eKkbBVsZHT5t2R5sGHyod9sZH.exe\" O"	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\7479uXFnmIgVpjAGyVQGCw6F.exe\" O 2>NUL"	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\MtwXnT8325syQzDW26gcgvZu9vmimstReWH6JYq4.exe\" O"	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-20	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Floc\\Q3ApHQpO8Yj7JfAHSLvZ.exe\" O 2>NUL"	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\qjvXfcWEXxMl8K3EI3JpTOz4scMjzYmryItGJAv3b84L9vxWBVHbuhcRF92qO03.exe\" O 2>NUL"	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-19	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\31\\sQnwDhiPibtZMiZzuONi98oXiV.exe\" O 2>NUL"	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\AupDSEx0hqCnOPu85MEgI3RTAokjYCC7mzeVX0SWXFW1N5T0u.exe\" O"	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\69Id1t1igMSlpjv8OA6Zj2zwiqTPAyf3CFILIbCM8.exe\" O"	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

Modifies registry class 12 IoCs

Processes:

b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\mO5BQLxEkc9BcRYEZ7FjH4FqlK3Sn8FHehDiqzADymungazNuGirTxJI7P3xuKz.exe\" O 2>NUL"	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\gU3bscE8GKBEi8KBmQ3BfH7UJCdrRTKbE6E9hMlTPKGiEhJkX2d.exe\" O"	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Command Processor	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

pid process

1184 rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
1184 rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

pid	process
1184	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
1184	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exeAUDIODG.EXErubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exerubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

description	pid	process
Token: SeBackupPrivilege	1632	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Token: SeRestorePrivilege	1632	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Token: SeShutdownPrivilege	1632	b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
Token: 33	1724	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1724	AUDIODG.EXE
Token: 33	1724	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1724	AUDIODG.EXE
Token: SeDebugPrivilege	1032	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Token: SeRestorePrivilege	1032	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Token: SeDebugPrivilege	1184	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Token: SeRestorePrivilege	1184	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exerubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

description	pid	process	target process
PID 768 wrote to memory of 1032	768	gpscript.exe	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
PID 768 wrote to memory of 1032	768	gpscript.exe	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
PID 768 wrote to memory of 1032	768	gpscript.exe	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
PID 1032 wrote to memory of 1184	1032	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
PID 1032 wrote to memory of 1184	1032	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
PID 1032 wrote to memory of 1184	1032	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe	rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe

C:\Users\Admin\AppData\Local\Temp\b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
"C:\Users\Admin\AppData\Local\Temp\b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:600

C:\Users\Public\rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
"C:\Users\Public\rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:876

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Public\rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
"C:\Users\Public\rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\c4Hh7rgHhP9FTb7MDkEtP90f1vTAtNRHhbNCtKnYHE1NwXlgB9.exe
Filesize
631KB

MD5
54cc724ee8ccd9b37625c07eb5049b46

SHA1
eb6a5623f623a98033438a20c5639eb18ad6b64e

SHA256
cb47dfcffa5b2d50e1ec0845466de87c7e96328891165319c4600f238dcfaf33

SHA512
726c7e5ef4d32d82a5db496aab7540fec8ba35dad82af6e89aeb3537fbea3bc2a30a592215de484320f87e9a907526a06718b98f7f5fd835f9efafe0eba41d90

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\nFYu1ABLyO1yD15d3KwwTsA6G.exe
Filesize
817KB

MD5
d8461d4594c7dbbcfd937ca4e0189efb

SHA1
d9ea7b409f51b0f7acf77e5a4b37525c4363f514

SHA256
fa3fe00eef55c523b3525fff0c13f8b5dc866b4de751859b5148c40f5a5342ea

SHA512
048769e7ec385910e573ceed0bee3f413fcd95f2ab781e2f069ba74c7a6655d40c35326841f48a749e9e37e648154646adaecd23ae6ba5440dcac7a800ecda5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\sQnwDhiPibtZMiZzuONi98oXiV.exe
Filesize
703KB

MD5
6661bfc336af85baa75a962a80ce17ba

SHA1
ed2a9b2a18f1468c7f1fd6510324c2e7a37b0de4

SHA256
45670834d40bed130d143e0981f7ed287740d7b10235a534990929e978d7f2e1

SHA512
e88df5db1718eb37721f6502a119d5a3ccc4bf9149f7b83224349cfc10764eb73dd54b287e9aef9a24ed7adafe369fff3b6c1883119d112b8d8c6fad7a4e6d22

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\yPWFJNB4aA7rdqCbBAmBlNHmVS0dxxIVKMka7r05QLcKg28JboZUSy.bat
Filesize
1.3MB

MD5
b250fab18b2cec19eb97e6c200fab4e5

SHA1
e74a084369f862abaf0a52c6375d720fb6d5c725

SHA256
342e68f540d17ebabd19073bf0f6d74d91c9fe5b85b0a3f811b412e0d23fdd51

SHA512
78b2e8207b40de7ca2d3954b2588f14bef79b7a36abd7c48fb7011bd7d3d28fbbb7629df20033df65467397c2070237c30cef778dee7b7cc80fcf8a9b80953b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\cheJ4tlDEOlGpHWbRzNjDUjOAoBSM9QdKUaKKcMqbed9Ge4O.exe
Filesize
749KB

MD5
de065d8958e5c6a1e5324b5ae730f66d

SHA1
539df30c0d38e7e9920e0a183f43fd64fc886912

SHA256
a8a86457ec0e4adebef608c358aa73b607f69f56b174708ffc03f5cb615f8f62

SHA512
49008e799dbecf273c6d73bca7aa0d86988bcdac942d2fc40c70eaeaf03a4a2b549e38e5030e7ce51fd25d90404ec00b76e57a0f75c0b46ce02f27815b9787b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\USARPv9sTidfjicmunVqyVwUfnLSeeZu7pYI4.exe
Filesize
780KB

MD5
8baf95a63432f1b97047827dd52893aa

SHA1
c4498fe9bde60a44a74c135d8035ea7102999585

SHA256
43d5ab636fa6e27570f5f31b04d401cc13d86b62d66679c29e2b3bbf3b6f3795

SHA512
a8bacdc0e5b065983e1d2e887f3a4e7aec4d2f15aa7914c8f632de9435ee626fb4424bf7e11d28633cda7b56256b7ae75f0bc77b31504454123ec59e32c6309c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\cMqQpiUWFtHPYJOukQpoakipro7mqEKf1R9xBapEWZaLMa0CBJEVmvc4NCJl7c66fSeKgrE.exe
Filesize
844KB

MD5
551393aa311e0d59b81431bbc94b1856

SHA1
e67f6cccde8e28886910608a64b44a34128198af

SHA256
41b5c6a72320f97af62a1860512a873b4314ed770bd7e0ddfb73055b827ee3d4

SHA512
d69da7931b8b9b539b5aa356f296e356214cbc5b07172258945c5202f4634824783ee74c8af25b509333eb0f88cd20655962666c86f65d44d56bd6dc78580c51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\X7v4LaSDl6inu02QWotPpHRp6J4U.bat
Filesize
1.1MB

MD5
4fb817591402ea7f24544a0ad771d6d1

SHA1
0f87b2c6ffbf1620bef969451de87d1f2ee7fae9

SHA256
afb524ad1c23b541c5fe7bdc02b0c4e353b2841967f4c478c889dca4db65e574

SHA512
88f7273ac378bdf57dbde80196ae1095307ab1a00e3315d33bc5692111a2f9ccf302a56d172bd08a17943f3a74225ad97261abcb2dfd4ae77eb3aeed6cba3b34

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\AupDSEx0hqCnOPu85MEgI3RTAokjYCC7mzeVX0SWXFW1N5T0u.exe
Filesize
663KB

MD5
d20e0ae1b62966280fcf8f35a98650e5

SHA1
5118825a3321ef2b61437ccb336635bdc1287bc2

SHA256
38134bbc62f3b71a1346836e5eced8a09738c558b982c7650d7cc4b04ac0012d

SHA512
8b2612bad61b0d7b02b83cae1e78607dcedac8343078a4c234930020ecbbae8cea68cfc9c408a3b468ff5d8ea6f7e9c9bf332bc6e63ae205f1648814e596de59

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\7479uXFnmIgVpjAGyVQGCw6F.exe
Filesize
555KB

MD5
8181c1e68201cf7755d77b0c6ee04e14

SHA1
c570b9235cc26897f03bb266b7b7f3393c866268

SHA256
8bd2ec3e3f117938674be04867698831cd4a4955aab702d7ebe90bfee71447ac

SHA512
24989fe77aecbd7261c18cfaf74d0de2bc4e60251171fa0410b24d1f28d665653b0c6932d6b13dce648db0f62429ead6b1064ae675f1368fdcd172e5f086e1b9

Download Submit
C:\Users\Public\rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Filesize
657KB

MD5
64b8055fec3ca022f681e09089268e84

SHA1
51a684a9882d313e6c0808e7162fbde02c8bc785

SHA256
0834a1fdcb9818316508fcbec3f6e5f91cfebf8704a23fada6669b79766f7ed9

SHA512
921614818258fdcfe9dc77b766da09c6a45af1858ea8578f33c20d3ba4bd88240c1113c1cc6bea201bbb44e9c1ffeebeb388bd5e6a48ce4811a171dc0d8ecc56

Download Submit
C:\Users\Public\rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Filesize
657KB

MD5
64b8055fec3ca022f681e09089268e84

SHA1
51a684a9882d313e6c0808e7162fbde02c8bc785

SHA256
0834a1fdcb9818316508fcbec3f6e5f91cfebf8704a23fada6669b79766f7ed9

SHA512
921614818258fdcfe9dc77b766da09c6a45af1858ea8578f33c20d3ba4bd88240c1113c1cc6bea201bbb44e9c1ffeebeb388bd5e6a48ce4811a171dc0d8ecc56

Download Submit
C:\Users\Public\rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Filesize
657KB

MD5
64b8055fec3ca022f681e09089268e84

SHA1
51a684a9882d313e6c0808e7162fbde02c8bc785

SHA256
0834a1fdcb9818316508fcbec3f6e5f91cfebf8704a23fada6669b79766f7ed9

SHA512
921614818258fdcfe9dc77b766da09c6a45af1858ea8578f33c20d3ba4bd88240c1113c1cc6bea201bbb44e9c1ffeebeb388bd5e6a48ce4811a171dc0d8ecc56

Download Submit
\Users\Public\rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Filesize
657KB

MD5
64b8055fec3ca022f681e09089268e84

SHA1
51a684a9882d313e6c0808e7162fbde02c8bc785

SHA256
0834a1fdcb9818316508fcbec3f6e5f91cfebf8704a23fada6669b79766f7ed9

SHA512
921614818258fdcfe9dc77b766da09c6a45af1858ea8578f33c20d3ba4bd88240c1113c1cc6bea201bbb44e9c1ffeebeb388bd5e6a48ce4811a171dc0d8ecc56

Download Submit
\Users\Public\rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Filesize
657KB

MD5
64b8055fec3ca022f681e09089268e84

SHA1
51a684a9882d313e6c0808e7162fbde02c8bc785

SHA256
0834a1fdcb9818316508fcbec3f6e5f91cfebf8704a23fada6669b79766f7ed9

SHA512
921614818258fdcfe9dc77b766da09c6a45af1858ea8578f33c20d3ba4bd88240c1113c1cc6bea201bbb44e9c1ffeebeb388bd5e6a48ce4811a171dc0d8ecc56

Download Submit
\Users\Public\rubDcKs9IvZPRWtRnjgt5556HtjiDpvxP5b.exe
Filesize
657KB

MD5
64b8055fec3ca022f681e09089268e84

SHA1
51a684a9882d313e6c0808e7162fbde02c8bc785

SHA256
0834a1fdcb9818316508fcbec3f6e5f91cfebf8704a23fada6669b79766f7ed9

SHA512
921614818258fdcfe9dc77b766da09c6a45af1858ea8578f33c20d3ba4bd88240c1113c1cc6bea201bbb44e9c1ffeebeb388bd5e6a48ce4811a171dc0d8ecc56

Download Submit
memory/768-76-0x0000000000F30000-0x0000000000F5D000-memory.dmp

Filesize
180KB

Download
memory/768-77-0x0000000000F30000-0x0000000000F5D000-memory.dmp

Filesize
180KB

Download
memory/768-64-0x0000000000F30000-0x0000000000F5D000-memory.dmp

Filesize
180KB

Download
memory/768-65-0x0000000000F30000-0x0000000000F5D000-memory.dmp

Filesize
180KB

Download
memory/960-55-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/1032-62-0x0000000000000000-mapping.dmp

Download
memory/1032-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1032-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1032-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1184-80-0x0000000000000000-mapping.dmp

Download
memory/1184-85-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1632-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1632-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads