82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282

Analysis

max time kernel
58s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:39

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Size

696KB
MD5

74ff689cb6c92f1ef8dab70a306d9caa
SHA1

4b35aa7cbc3abf4b17fca14d32729cbb93616a40
SHA256

82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282
SHA512

5971faee3b6d67fac9a0810adc31bd6210a4d074d02d026a8c5a9979fc6b80b49a41bbc9681e8d3a25201f6a9a55c19d95fcc546012f64a3ce1a136a67e75584
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Qcd2fhWJLTIN7.cmd

description pid process target process

PID 1636 created 584 1636 Qcd2fhWJLTIN7.cmd svchost.exe

description	pid	process	target process
PID 1636 created 584	1636	Qcd2fhWJLTIN7.cmd	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Qcd2fhWJLTIN7.cmd82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\YI2I2hpiLST3CufJ7.exe\" O"	Qcd2fhWJLTIN7.cmd
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\RAC\\RgQJ513WXrQj69cJ7AF2ngTGNOlUhSFz.exe\" O"	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\KXXZESdim6It0bCvQTLs2f0RrJZw5D4wPfoMZjrVrBZQfjHFTa.exe\" O"	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\uKxdSIqbj6SFMw66kUSCoshRhayH7cepYVmEahMwgMXw.exe\" O"	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Qcd2fhWJLTIN7.cmd

Executes dropped EXE 2 IoCs

Processes:

Qcd2fhWJLTIN7.cmdQcd2fhWJLTIN7.cmd

pid process

1636 Qcd2fhWJLTIN7.cmd
1928 Qcd2fhWJLTIN7.cmd

pid	process
1636	Qcd2fhWJLTIN7.cmd
1928	Qcd2fhWJLTIN7.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Qcd2fhWJLTIN7.cmdQcd2fhWJLTIN7.cmd

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	Qcd2fhWJLTIN7.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	Qcd2fhWJLTIN7.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	Qcd2fhWJLTIN7.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	Qcd2fhWJLTIN7.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	Qcd2fhWJLTIN7.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	Qcd2fhWJLTIN7.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	Qcd2fhWJLTIN7.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	Qcd2fhWJLTIN7.cmd

Loads dropped DLL 3 IoCs

Processes:

gpscript.exeQcd2fhWJLTIN7.cmd

pid process

1732 gpscript.exe
1732 gpscript.exe
1636 Qcd2fhWJLTIN7.cmd
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1732	gpscript.exe
1732	gpscript.exe
1636	Qcd2fhWJLTIN7.cmd

Modifies data under HKEY_USERS 59 IoCs

Processes:

82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exeQcd2fhWJLTIN7.cmdgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cby9KwXJ.exe\" O"	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\KWt4OcY81bgsRnxXZqNjB17B.exe\" O"	Qcd2fhWJLTIN7.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\eHome\\qOppO6Gnk9IwjHp07p.exe\" O"	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Qcd2fhWJLTIN7.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\K2K3v6uIsg6jhytuUpLPkpQAtdAsKNctukBmYihZP4ZL.exe\" O"	Qcd2fhWJLTIN7.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Qcd2fhWJLTIN7.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\au9ni2dm.default-release\\cache2\\rG7s6eKTFCQZVKtrDGzHlIzUMDYaOd3W9GWq82grwcWeI9.exe\" O 2>NUL"	Qcd2fhWJLTIN7.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Qcd2fhWJLTIN7.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	Qcd2fhWJLTIN7.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	Qcd2fhWJLTIN7.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\oL8Mm8q3r2rXqhmcjvg654Jr3TohpR9NCbwIKPyBq.exe\" O 2>NUL"	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	Qcd2fhWJLTIN7.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\38\\mOEGnbyXy8eoMu2nkA6QYjE2sW642w5.exe\" O"	Qcd2fhWJLTIN7.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	Qcd2fhWJLTIN7.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	Qcd2fhWJLTIN7.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\5XMuNGNcypvhgzXYKdnrhT8ly5tEOCcO1l.exe\" O 2>NUL"	Qcd2fhWJLTIN7.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	Qcd2fhWJLTIN7.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SSkgY6u48NbJLH2HX.exe\" O 2>NUL"	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\coc2BUEWLUYkGKG8Q8IZBP6wyifv0wDdxUPb.exe\" O 2>NUL"	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\24\\rpWkCBJKk.exe\" O"	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\55\\Eevc1B8iZqcjtapyPiJjSxyQJtzcqK3cTcGAM8dgq.exe\" O 2>NUL"	Qcd2fhWJLTIN7.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ja-JP\\fEYVSy61xsLqEQG2rPhh0FnnEqb5PmCRrlbsdTf9fiLBR9iF0dNlTCuGeVD7HeRzqvttA5w.exe\" O"	Qcd2fhWJLTIN7.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\DSDoOqjfPifRGOwGAfIWVAZ4KO9tGoPB0GD3EoaI8r6cCn.exe\" O 2>NUL"	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-19	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\\du6SxFSMQ06KHRQU1QSJst2LHTmMcfpXAqYsP3kYNZofppLImin8pUbGaQ5bhIXT7ZAKri.exe\" O"	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000c040b59aec00d901	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Qcd2fhWJLTIN7.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\Favorites\\Emw3JPfJ48NOzOzMORbPxn1cVCjp1gHCuQVOgXvgQXDSNX9oklO9Ax3KGv7jO03GO9uWA.exe\" O"	Qcd2fhWJLTIN7.cmd
Key created	\REGISTRY\USER\.DEFAULT	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	Qcd2fhWJLTIN7.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000060b59b9fec00d901	Qcd2fhWJLTIN7.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-20	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\kWmLbRg6saEnBHu1FvdJvRGcahCFQkAF25QroVq.exe\" O 2>NUL"	Qcd2fhWJLTIN7.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\\packages\\vcRuntimeAdditional_x86\\pjGqANjYT54kGCQBuEx6cwJpZXAPvLKq1t85K0xr9biGUQeKZvccd.exe\" O 2>NUL"	Qcd2fhWJLTIN7.cmd

Modifies registry class 12 IoCs

Processes:

82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\TsGLv8xJ47FhBUujpalmJhMvanDsXj.exe\" O"	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\SOFTWARE\Microsoft\Command Processor	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\34\\KXRVDc3iVBrTgYc9qVQuOgfTLPDYxNFhjC3HvA83OFlyAuGwO01Dg4OOD54Sl.exe\" O 2>NUL"	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Qcd2fhWJLTIN7.cmd

pid process

1928 Qcd2fhWJLTIN7.cmd
1928 Qcd2fhWJLTIN7.cmd

pid	process
1928	Qcd2fhWJLTIN7.cmd
1928	Qcd2fhWJLTIN7.cmd

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exeAUDIODG.EXEQcd2fhWJLTIN7.cmdQcd2fhWJLTIN7.cmd

description	pid	process
Token: SeBackupPrivilege	1416	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Token: SeRestorePrivilege	1416	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Token: SeShutdownPrivilege	1416	82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
Token: 33	1088	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1088	AUDIODG.EXE
Token: 33	1088	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1088	AUDIODG.EXE
Token: SeDebugPrivilege	1636	Qcd2fhWJLTIN7.cmd
Token: SeRestorePrivilege	1636	Qcd2fhWJLTIN7.cmd
Token: SeDebugPrivilege	1928	Qcd2fhWJLTIN7.cmd
Token: SeRestorePrivilege	1928	Qcd2fhWJLTIN7.cmd

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exeQcd2fhWJLTIN7.cmd

description	pid	process	target process
PID 1732 wrote to memory of 1636	1732	gpscript.exe	Qcd2fhWJLTIN7.cmd
PID 1732 wrote to memory of 1636	1732	gpscript.exe	Qcd2fhWJLTIN7.cmd
PID 1732 wrote to memory of 1636	1732	gpscript.exe	Qcd2fhWJLTIN7.cmd
PID 1636 wrote to memory of 1928	1636	Qcd2fhWJLTIN7.cmd	Qcd2fhWJLTIN7.cmd
PID 1636 wrote to memory of 1928	1636	Qcd2fhWJLTIN7.cmd	Qcd2fhWJLTIN7.cmd
PID 1636 wrote to memory of 1928	1636	Qcd2fhWJLTIN7.cmd	Qcd2fhWJLTIN7.cmd

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:584

C:\ProgramData\Microsoft\Vault\Qcd2fhWJLTIN7.cmd
"C:\ProgramData\Microsoft\Vault\Qcd2fhWJLTIN7.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Users\Admin\AppData\Local\Temp\82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe
"C:\Users\Admin\AppData\Local\Temp\82bf7ca11bce0cee91de2203901f11a5510532ce79e4584550a72bee0eca8282.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1580

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x548
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:328

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1732

C:\ProgramData\Microsoft\Vault\Qcd2fhWJLTIN7.cmd
"C:\ProgramData\Microsoft\Vault\Qcd2fhWJLTIN7.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\sG1gljz7naW71RdBieb9pafBCCxd8t9krjcudFQCi3.cmd
Filesize
1.5MB

MD5
071791c095ab8abeebe69c4195a3ff7e

SHA1
f7963a2b28f7a3d5f07cadd690599774f4bebd69

SHA256
cd19066878796a12bf458e9087a0dc62b2f4c6c82a485211fceaee2cb42f8da3

SHA512
1b16d8ab73725ec900b15333e73c3f59c7c4a8848bc67578365b6ada4d845571be232f2971c10962e337751a075329d1f33daf128806e3919bddbc954f285773

Download Submit
C:\ProgramData\Microsoft\RAC\PublishedData\coc2BUEWLUYkGKG8Q8IZBP6wyifv0wDdxUPb.exe
Filesize
1.3MB

MD5
4d8b709a6efa7c63c9af662404ba9c78

SHA1
59d89a7721048646c1241a02d4fe91109313d572

SHA256
a0716e821358123fcd43189fdc0055231e7e172f087a45b14694e7cb764930d1

SHA512
cb853f67f3645c4f995f514d19d54e6afc3f94e95bba3fe7b35f935c6ec98e3b50db58e43ca4942b7cf31f5130f3102b1bce1286c47ab45ee96e7e06a35ee5bc

Download Submit
C:\ProgramData\Microsoft\Vault\Qcd2fhWJLTIN7.cmd
Filesize
1.0MB

MD5
ca51e4e1c9c63ea2033c1c3fb22eea77

SHA1
ecee8d1b80f62374a08f6173a4dcd5cc212cf5f4

SHA256
9697a787d0bd3b5167466f9c5a93d3dbc22f04a31f11bbb64d1b232df8393116

SHA512
b50ee19fd23e7256aa782a6e497283f3ccee4cffdc8da1bcb0eb337c7c7c19dee8702715496826dd8c1fe12a096901ab1318847fb9be78c9b6e871b4e531d43b

Download Submit
C:\ProgramData\Microsoft\Vault\Qcd2fhWJLTIN7.cmd
Filesize
1.0MB

MD5
ca51e4e1c9c63ea2033c1c3fb22eea77

SHA1
ecee8d1b80f62374a08f6173a4dcd5cc212cf5f4

SHA256
9697a787d0bd3b5167466f9c5a93d3dbc22f04a31f11bbb64d1b232df8393116

SHA512
b50ee19fd23e7256aa782a6e497283f3ccee4cffdc8da1bcb0eb337c7c7c19dee8702715496826dd8c1fe12a096901ab1318847fb9be78c9b6e871b4e531d43b

Download Submit
C:\ProgramData\Microsoft\Vault\Qcd2fhWJLTIN7.cmd
Filesize
1.0MB

MD5
ca51e4e1c9c63ea2033c1c3fb22eea77

SHA1
ecee8d1b80f62374a08f6173a4dcd5cc212cf5f4

SHA256
9697a787d0bd3b5167466f9c5a93d3dbc22f04a31f11bbb64d1b232df8393116

SHA512
b50ee19fd23e7256aa782a6e497283f3ccee4cffdc8da1bcb0eb337c7c7c19dee8702715496826dd8c1fe12a096901ab1318847fb9be78c9b6e871b4e531d43b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\f8qPO8qua3QO.exe
Filesize
848KB

MD5
856ada532f86c5a5e6d216018c10e4aa

SHA1
7aff2bf6c12ad740860b049156c0c9993b56fc60

SHA256
80fcdf5b50f66e3d3987d32a785fd9fe227088124bcc1a7169ede3d3d50b45b1

SHA512
f26e2399c3add4fb1db4d377d2bd000b42224872415711499adc36dc93eb4f294d64714ac782c438c722489a2dda51b0c329b85ef2d5c1b9f7549fc7423e139b

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\du6SxFSMQ06KHRQU1QSJst2LHTmMcfpXAqYsP3kYNZofppLImin8pUbGaQ5bhIXT7ZAKri.exe
Filesize
1.1MB

MD5
c21f46973ab841af5957f1420f853faf

SHA1
6449c456d1103e17948a5bc0c1fa69df9c343a1d

SHA256
ee58ad2b6c4042b2955370d66966599eff835af494f83db567414e90f8a3dec9

SHA512
f2e00045c1fa3b4f5cd71f3179f82392b689c8638203ef53ef10c53c5066610efa02b1cd422edd6d32af2bf79a786921252bdb19c6f64cfe8046a5ff839a58cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\rpWkCBJKk.exe
Filesize
751KB

MD5
53020cda0fa85e510837be5b008bfacb

SHA1
cef9294efeff61d35e900fe95e29d582a3504b33

SHA256
4451221186c29300a16bc3140ec85ea4ed196a6944076d784c66d7e277f52ad6

SHA512
39fe6ab118ee84f2238f74d62b3b15684dd6151947d86ed228fee2021d4e1691a85f0b421a402a98bc213da0f7c869d9bf137c1eb90a4f692c2c97bb1797d7b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cby9KwXJ.exe
Filesize
839KB

MD5
cc3f1a0292ce5decebda679c311be4a2

SHA1
a13bdb13db6ac99e0ffeebb5885ae9da4860d6fe

SHA256
49bf5448fd7e1483dcf5d5ca6c5ab331b5e6b8f555d10b39a776c99015ea70b4

SHA512
64d35b1926983a1a0a2fafae29b3a0eee3334cde3973fca12e405fa86f98133cd54f4f0df6608881db05d43fb120fc11e6630716afbdfb4788843d45090504c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FileTypePolicies\oL8Mm8q3r2rXqhmcjvg654Jr3TohpR9NCbwIKPyBq.exe
Filesize
1.1MB

MD5
1695715dcae178faaad2a0877e699aa7

SHA1
4b057f118ee22b731f5b9df27c8699faa256d07c

SHA256
378a790a5ddcbf2bb77c977ad859cd9170ebefc3b6f2e74e3c34f2013d5380e7

SHA512
d46ec99f9c24dba1ea860233186d64919f04f5d6097396814a6835e75ba39eac0fc0e8864f5911816f4e24742c2910f11b6feb5082cd0204d9212596bd29d139

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\gjwVow059ryxd5iEZdABjD5b3zJMXdMyGkwfShq8sNHzFwcnPcNiZFPcItR.exe
Filesize
1.7MB

MD5
d8bb4f9287a2accf61cba220e81a2a43

SHA1
abd24491291b425d678da53f1ff2bb4b033c70a9

SHA256
b8cd5f091a0a94b34782a94fe4977c1684ca3d2eebce824328063c90027ce80d

SHA512
198206723c4eebc3100d908f1805e546d49f8ca032ed59e02787d90c166912be56c832035f2f26623b75be6af69efe52688660870f9d8e9671de509d9f5b15ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\SSkgY6u48NbJLH2HX.exe
Filesize
1.1MB

MD5
343db515c25a5a86af411e4991da7b90

SHA1
77c9926039afcefbc5678eb85aaaf0baf574bba2

SHA256
53bc1b2814f259fdc80d2e5033ad060075dc7908cd4b537822053fd32f2cdc16

SHA512
592d216c21cb92e62a9a199f9e88d483d8361076aaa9b2c9857696a57d2c40368b6e041cf68af751a949f17a0257b1b2fda4a5acd2d06d08d0292c998d8d1cdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\KXXZESdim6It0bCvQTLs2f0RrJZw5D4wPfoMZjrVrBZQfjHFTa.exe
Filesize
783KB

MD5
32d30b02ee5cca0002022f92d5185389

SHA1
517924840c6682d781015ad0e0f5ffaaeb26a3b8

SHA256
a775a8aec8187d246af67ddd2d1b8209d87b84de999d942275f3bf9fb2841e9a

SHA512
0e64f7b24b37aa66b40a53c84cba6ef85d84892baeaec4a629ec92f125a2a2eb6b77f9f78125e9f68f558e490aaaae28014cf9cb4afe67fc28318f7191637d30

Download Submit
\ProgramData\Microsoft\Vault\Qcd2fhWJLTIN7.cmd
Filesize
1.0MB

MD5
ca51e4e1c9c63ea2033c1c3fb22eea77

SHA1
ecee8d1b80f62374a08f6173a4dcd5cc212cf5f4

SHA256
9697a787d0bd3b5167466f9c5a93d3dbc22f04a31f11bbb64d1b232df8393116

SHA512
b50ee19fd23e7256aa782a6e497283f3ccee4cffdc8da1bcb0eb337c7c7c19dee8702715496826dd8c1fe12a096901ab1318847fb9be78c9b6e871b4e531d43b

Download Submit
\ProgramData\Microsoft\Vault\Qcd2fhWJLTIN7.cmd
Filesize
1.0MB

MD5
ca51e4e1c9c63ea2033c1c3fb22eea77

SHA1
ecee8d1b80f62374a08f6173a4dcd5cc212cf5f4

SHA256
9697a787d0bd3b5167466f9c5a93d3dbc22f04a31f11bbb64d1b232df8393116

SHA512
b50ee19fd23e7256aa782a6e497283f3ccee4cffdc8da1bcb0eb337c7c7c19dee8702715496826dd8c1fe12a096901ab1318847fb9be78c9b6e871b4e531d43b

Download Submit
\ProgramData\Microsoft\Vault\Qcd2fhWJLTIN7.cmd
Filesize
1.0MB

MD5
ca51e4e1c9c63ea2033c1c3fb22eea77

SHA1
ecee8d1b80f62374a08f6173a4dcd5cc212cf5f4

SHA256
9697a787d0bd3b5167466f9c5a93d3dbc22f04a31f11bbb64d1b232df8393116

SHA512
b50ee19fd23e7256aa782a6e497283f3ccee4cffdc8da1bcb0eb337c7c7c19dee8702715496826dd8c1fe12a096901ab1318847fb9be78c9b6e871b4e531d43b

Download Submit
memory/1416-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1416-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1580-55-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

Filesize
8KB

Download
memory/1636-62-0x0000000000000000-mapping.dmp

Download
memory/1636-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1636-79-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1732-65-0x0000000000C40000-0x0000000000C6D000-memory.dmp

Filesize
180KB

Download
memory/1732-64-0x0000000000C40000-0x0000000000C6D000-memory.dmp

Filesize
180KB

Download
memory/1928-77-0x0000000000000000-mapping.dmp

Download
memory/1928-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1928-83-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads