83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc

Analysis

max time kernel
195s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Size

876KB
MD5

cdd93f4862198433b63a0d20133b982b
SHA1

b9d6231821ab5d1a53386646c11081ae99f886ac
SHA256

83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc
SHA512

1769b0100d3b2a196819bf57ada35e618954dc7d0eea4c4d4ad2584ae31f2eb8ccacd759a710da4c3ba74508dc0a209ac079cd89e8fd14717c47e6978affed3e
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exeqXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\d8f0qAji93IBJpt.exe\" O"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\\gLsHt6llx0q03Ibe.exe\" O"	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\zZeMJYnh5ItztMLEEKnU0IF73VCHlKFntl8WzaRTlP1rMuTH8zwaAfS66YCC1HrMfdAdpn.exe\" O"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\saqazqiD1y6hukycAnjUQGzqDsP1PamYuB4j8vVtQBeSHcFreqJEtaviN.exe\" O"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe

Executes dropped EXE 1 IoCs

Processes:

qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat

pid process

1228 qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat

pid	process
1228	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1100 gpscript.exe
1100 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1100	gpscript.exe
1100	gpscript.exe

Modifies data under HKEY_USERS 60 IoCs

Processes:

gpscript.exeqXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000b0365a91ed00d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\LE8p9ucjB2CNPyQzUQtgRM0LUlZlzEXre940Lf.exe\" O 2>NUL"	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\rL0a3gKgKTGH4JIwNCKpST.exe\" O"	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\dozshqpt.default-release\\cache2\\entries\\MLvVhz5iM6MsA4MjlSuU0lYNHOlt7abDD.exe\" O"	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\IdentityCRL\\o4b3N8Cd84ZhA3KzJOoyF1WJ1Y312O1rxPbq1gHDZyYW0Q1zb.exe\" O 2>NUL"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\nP5uOb00mX9A0RHc2kgUaF6BjYwqIvnLOI0opq3kQEdjGS886WcAtxUr3AJ33H9uR.exe\" O 2>NUL"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\O9qNWvn0KkrIvyBRbDeP3AR6LqYMGRiqGzGlB.exe\" O"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\fyYtHajsLikJFz5u9WXMUzvpszwnYoZreU6FgwH61XpvRBV2dKRUU8IHchFzIxnyjZX.exe\" O 2>NUL"	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-20	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\XM4BNOMM\\GVS8gTyV5uOxHvZ5y9xUYBdUgAPKHAIp3MS.exe\" O"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\2jHdEYipJHIbz5KSMwBP4MNgVGSuv.exe\" O 2>NUL"	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\10\\SzrP7uYHWw5C.exe\" O"	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Key created	\REGISTRY\USER\S-1-5-19	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 01000000000000009052a6b2ed00d901	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000030f1a3b2ed00d901	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\HqDtJ0aQ0qA3hXMH.exe\" O 2>NUL"	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Ringtones\\c6oYwFYZRpy42e0w78Mb55ieJIKIMiSjBofdei7ZzaIwjnb1Xgwsu0LnLwIJqKV2crG.exe\" O 2>NUL"	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\Indexer\\CIjNf9UmavlptL4XpJTDp7UPABQrKag6VzcVKYr6R5pqbjZKj9MxHlV5FP.exe\" O"	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\stBpth0czhv1LbL9R7I3Gvsv2y.exe\" O"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FF393560-C2A7-11CF-BFF4-444553540000} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000d092ebb0ed00d901	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\\k4nwAZERXAvnWvhW5q2WJf50z5iMI808V42jRhwvUWGZSqmFKTTNcj0oklEXvudexkq.exe\" O"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\dozshqpt.default-release\\6CfsaTJydIfPPxWHAY752w0.exe\" O"	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\ja-JP\\C5E1Oqs9fBiMA0SQy4BzLocBr55THlNURZ.exe\" O 2>NUL"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\4Krqx1F74.exe\" O 2>NUL"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe

Modifies registry class 12 IoCs

Processes:

83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\Pictures\\9TdXSzHAEWY96SWF5WpyxARpy7K4qJFI7jqw1CE3ycN2Sgf.exe\" O 2>NUL"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\SOFTWARE\Microsoft\Command Processor	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\blob_storage\\CyXN7OIWGC3Eph1k3X5Gtydbug.exe\" O"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exeAUDIODG.EXEqXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat

description	pid	process
Token: SeBackupPrivilege	1308	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Token: SeRestorePrivilege	1308	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Token: SeShutdownPrivilege	1308	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Token: 33	1692	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1692	AUDIODG.EXE
Token: 33	1692	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1692	AUDIODG.EXE
Token: SeDebugPrivilege	1228	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Token: SeRestorePrivilege	1228	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1100 wrote to memory of 1228	1100	gpscript.exe	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
PID 1100 wrote to memory of 1228	1100	gpscript.exe	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
PID 1100 wrote to memory of 1228	1100	gpscript.exe	qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat

C:\Users\Admin\AppData\Local\Temp\83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
"C:\Users\Admin\AppData\Local\Temp\83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:268

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x558
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:668

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1228

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\RAC\PublishedData\4Krqx1F74.exe
Filesize
1.2MB

MD5
90fca0046f0ccb2df127b5423dcb4ddc

SHA1
a9e1f9170d79d6b2334a9bc785d925d65b05ee18

SHA256
d50eae0e3cf5b8f79f450de16bb0f46cb7a1a3173fba38a8417e6145692b841c

SHA512
965f2b8c2ec416bf50431521f2c3f0e60d6a7a617e457e7f6d818a1046501f143dd021d6daa80740a441d161228f7342830b191e7dc3b6b8f4dd2fb2dbd6f63b

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\fr-FR\HSuZYwqSqdCeaDzTup1lSgTWEZ8gWD3tOgrAZdawyTe4Zi9HuocZAPblQCFbXiCg3CFb4.exe
Filesize
1.3MB

MD5
251cfd884e23c9e2591111862e9f0ead

SHA1
26919ba4eb573b03327585f0d8bd08f2d7b9d4ff

SHA256
2d8a3e8b40852416afbc0c6ac809d64a5c6e3071c1664be3224c486d2fab256f

SHA512
b8b7fb3de53edae23933ffad8043f1b0621a5644eb402ce683b49396178912c31b152fb9e4480609d34eb208ca95c4149de7282d6105d47024b0080f0348527c

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\ja-JP\C5E1Oqs9fBiMA0SQy4BzLocBr55THlNURZ.exe
Filesize
1.0MB

MD5
9c25be57440faa5a24fb38ef1f9935a2

SHA1
5df6ddfc5f7a29bdd9ef5dacf1c3a99aa0e83d62

SHA256
7aacd8f631c3bc1ca48cfe3fade35ba25cf85ece3725ad7ccf3824103f7c3ab5

SHA512
d944cc5f0abfec559bdd06467803795b6e040bfe291c27e6d5aaa5dd5fd4b430be0d571ac2e3b622d6ee5efdc43b2ceaf100be319204468ec1ec4900ea52ed71

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\nP5uOb00mX9A0RHc2kgUaF6BjYwqIvnLOI0opq3kQEdjGS886WcAtxUr3AJ33H9uR.exe
Filesize
1.5MB

MD5
3e7c33f05db0b97e848cfadd0d85258d

SHA1
b433a2eeff7067e19a7b6bde59d0e3851baa7ba8

SHA256
e092934ed01ada5a99d8d3422638aed662c7e0276bdbb5086ee868c9427a702e

SHA512
9908f062f79700a746fcac35d111d1572a5c7ee890da998411c91061f52b66f3b0b5146e3d4779c628edf75faa22ec603a8131abc477c651b5b02975a014f4e5

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\k4nwAZERXAvnWvhW5q2WJf50z5iMI808V42jRhwvUWGZSqmFKTTNcj0oklEXvudexkq.exe
Filesize
1.4MB

MD5
55159be45fe74b15ff2b33dab152dfe3

SHA1
737321d5073f7beac368aaad1370aea5b8740c34

SHA256
b22d8f79932d69b7791214976695ae08b02eaa91848f8a46f8e89bdcfa34e471

SHA512
142a878b052eb399b41cb8bb8dd83c40b263a1327b071011feec2cfe7114fbce61c12f58c4ee08cc63a62d761c0778ab3121f8b4d32bfb1742a7e9b16b3d0e3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Filesize
996KB

MD5
9c758b6012aaaeec2c2e56dd7db64858

SHA1
6157ab8e6f8988545edca03cb1b563393987c65a

SHA256
cea5a0c6b9635337990f013ebc31f32917a2d26d34ad6f05f09911e9dffb6d1c

SHA512
1fede6874e9bd6517caa85666809eb8ac16bb509e7f90d335da7e528b06a593576d296df1c9e698527502ce30bfbecfee0fcbadc0bc5b979e4aa6e96e872894e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Filesize
996KB

MD5
9c758b6012aaaeec2c2e56dd7db64858

SHA1
6157ab8e6f8988545edca03cb1b563393987c65a

SHA256
cea5a0c6b9635337990f013ebc31f32917a2d26d34ad6f05f09911e9dffb6d1c

SHA512
1fede6874e9bd6517caa85666809eb8ac16bb509e7f90d335da7e528b06a593576d296df1c9e698527502ce30bfbecfee0fcbadc0bc5b979e4aa6e96e872894e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XM4BNOMM\GVS8gTyV5uOxHvZ5y9xUYBdUgAPKHAIp3MS.exe
Filesize
1.6MB

MD5
7b7562f5f153500971d7c201d32c8dfb

SHA1
9fcaf59bbfc1386143ed60357bbb6e88b468769f

SHA256
bec6e56754eefea874c85cf9b013c41304e0ec8a6ebbe0b23b19e41b951adfde

SHA512
b5f915da45494fe57c85c7d26ef3c790a198eea80b8dd1f3d5b930e5f590bbd9b984416b97b58ebe43224a0ffcf7aaa75d205f10b8f5556df56dabdcbedfc8bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\saqazqiD1y6hukycAnjUQGzqDsP1PamYuB4j8vVtQBeSHcFreqJEtaviN.exe
Filesize
1.6MB

MD5
5877177ef969ea457a91fa7d5b4b862f

SHA1
a349575d745381b817150cc7282bb513b0a58c2d

SHA256
28ce9da30aa78f487ef12da5fca5ca4d128ac6e58bc3e30939090411e4055a51

SHA512
eb3eccb060877ebaac514836bbac4ddc70a75b965ee1cd5db24c8a98605c00a49b1e968f837a5902fab0880cc364a4774bca7991fca78c66021e06faaf030e52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\stBpth0czhv1LbL9R7I3Gvsv2y.exe
Filesize
958KB

MD5
3e6d33e1e20dced02684c9c069a1adec

SHA1
f3b5c58841492b3cfd7488b41d5054ab2b5f6cdf

SHA256
05b0a308acf628347cdf800b6f1dfe8f4fee80a3cf7cf392962406d20017f0fe

SHA512
d256be2081d6eb1b590b3460788e5c214bead74ad6d13316a3821934261c7386c977146aff21c2488b8b4bd2990a3c6f836d781f099d4eef34b238ddaa2fdaca

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Filesize
996KB

MD5
9c758b6012aaaeec2c2e56dd7db64858

SHA1
6157ab8e6f8988545edca03cb1b563393987c65a

SHA256
cea5a0c6b9635337990f013ebc31f32917a2d26d34ad6f05f09911e9dffb6d1c

SHA512
1fede6874e9bd6517caa85666809eb8ac16bb509e7f90d335da7e528b06a593576d296df1c9e698527502ce30bfbecfee0fcbadc0bc5b979e4aa6e96e872894e

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\qXuw8goqeCwbmWxMoqxvnaNo4BbmOh0f8Fz3BJHNWKAAU5IKh.bat
Filesize
996KB

MD5
9c758b6012aaaeec2c2e56dd7db64858

SHA1
6157ab8e6f8988545edca03cb1b563393987c65a

SHA256
cea5a0c6b9635337990f013ebc31f32917a2d26d34ad6f05f09911e9dffb6d1c

SHA512
1fede6874e9bd6517caa85666809eb8ac16bb509e7f90d335da7e528b06a593576d296df1c9e698527502ce30bfbecfee0fcbadc0bc5b979e4aa6e96e872894e

Download Submit
memory/268-55-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/1100-71-0x0000000000E20000-0x0000000000E4D000-memory.dmp

Filesize
180KB

Download
memory/1100-70-0x0000000000E20000-0x0000000000E4D000-memory.dmp

Filesize
180KB

Download
memory/1100-76-0x0000000000E20000-0x0000000000E4D000-memory.dmp

Filesize
180KB

Download
memory/1100-77-0x0000000000E20000-0x0000000000E4D000-memory.dmp

Filesize
180KB

Download
memory/1228-72-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1228-62-0x0000000000000000-mapping.dmp

Download
memory/1228-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1308-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1308-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads