26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80

Analysis

max time kernel
149s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Size

1.9MB
MD5

c6511b788cc04d044adfc4c2ccb42851
SHA1

0b130417b6974177879d26b49908ed5891787992
SHA256

26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80
SHA512

64533253f21810a325a9926a59f90bcac79dedaa96ab550306d6cc67baad07ea775de1f532564331115ebb23742aab2bce49ba298b3f10f331a6ba3ca2c4a326
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exejLWxRKUA6E5lwPCipLtTDrXgqD.bat

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\hSbBfNz3KdbHSDh6N6NOaR68ihd6EbmL3sLW.exe\" O"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\1tuYFuVYKCxB1jgO9yKNYi2zUOpudexNMu.exe\" O"	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\\9wkiKDyJ7B.exe\" O"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iwv3qbnj.default-release\\datareporting\\archived\\2022-08\\MDAWzLWw1UwoLoBINy8Sj3IEEHFEmcvbgl3heHRyeA8ZeK.exe\" O"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe

Executes dropped EXE 1 IoCs

Processes:

jLWxRKUA6E5lwPCipLtTDrXgqD.bat

pid process

1968 jLWxRKUA6E5lwPCipLtTDrXgqD.bat

pid	process
1968	jLWxRKUA6E5lwPCipLtTDrXgqD.bat

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jLWxRKUA6E5lwPCipLtTDrXgqD.bat

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	jLWxRKUA6E5lwPCipLtTDrXgqD.bat

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1200 gpscript.exe
1200 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1200	gpscript.exe
1200	gpscript.exe

Modifies data under HKEY_USERS 59 IoCs

Processes:

jLWxRKUA6E5lwPCipLtTDrXgqD.bat26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exegpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\3LX6JxT0aEjoV0VqEeolDbTWh1kQa3VHm2hKaXz6mjxtCjbDdD9Yhl.exe\" O 2>NUL"	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\7T3inalQqXzpL2i1DxceiBbQQu2iSbyC0QViOeqnRbPa9YrwlaJ9C9Ub.exe\" O"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\KKTkAa61ca2ZqQ1HR8XFo8ynQ3bufDdL42jiuv.exe\" O 2>NUL"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\IWu354DCFSUtc2rnZ4h571UfiFYbl6StvpfkEY1bZxCuS.exe\" O"	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000203977aced00d901	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-19	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000c0e5bb84ed00d901	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\MSTg9eiswUpWoRhWjOyzQIdhfvq2pXikWp6RxCTd.exe\" O"	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\Saved Games\\ZUzLalXDvimIKhORhav8cDNGZM0wYsIFEOpAsqsX07X6LJBZ4PGewM6gso1zSAO6jxeQzQ.exe\" O"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\BjvQVMtVEA.exe\" O"	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\\packages\\h3z1J4qRaKy2woBOqz2nf.exe\" O 2>NUL"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Sqm\\Upload\\Ju5RTDB1sma0BupXNqY1KEDfKtUNLUOfEQiJRTvlZLgSsXwCMMkdB5A4fr9njeJNtzsEM.exe\" O 2>NUL"	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\Rnfkbs4OIWWRnIOM9g7PUzrbs0GeRJ2Aylf1GhQU.exe\" O 2>NUL"	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Burn\\ZecIQHFMHrMkG8bcMYx3SHKZdYG1U38EAKDi4IvfE50qmAk72W4xP.exe\" O 2>NUL"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\\packages\\GeY0sncUtC8gSwDw8H3HOxiMEMCJDA5pISFAXpWY9B.exe\" O"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\5V1P9fpsdetvrg0RTD49Yrwz8hUkveMWhj7rj6QyfIUHi8vYRr0uKrvj.exe\" O 2>NUL"	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\BCCkIBM4w0n6qDyrdrGZ6hNfVK2iyY2KMNaRTZWhFuShYtGSMt7uMfBVV.exe\" O"	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\sXY6sqbIns6mq3rl.exe\" O"	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-20	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\BrowserMetrics\\MeZq7b9xWNRGUR1XilbFHi89nWn.exe\" O 2>NUL"	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\48\\O2b7gKrluy3e3S.exe\" O"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\16\\uBJb90FWApSsI5hLAFVGENv8reNB.exe\" O 2>NUL"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe

Modifies registry class 12 IoCs

Processes:

26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\umt8irmMjMhejnXP7BMWKS2kDgvjQvbmgRTM6iodpSVoChuNp0D3yq3aT.exe\" O"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Command Processor	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\ThirdPartyModuleList64\\M7ICvwmVn30GNzj3.exe\" O 2>NUL"	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exeAUDIODG.EXEjLWxRKUA6E5lwPCipLtTDrXgqD.bat

description	pid	process
Token: SeBackupPrivilege	688	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Token: SeRestorePrivilege	688	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Token: SeShutdownPrivilege	688	26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
Token: 33	2016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2016	AUDIODG.EXE
Token: 33	2016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2016	AUDIODG.EXE
Token: SeDebugPrivilege	1968	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Token: SeRestorePrivilege	1968	jLWxRKUA6E5lwPCipLtTDrXgqD.bat

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1200 wrote to memory of 1968	1200	gpscript.exe	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
PID 1200 wrote to memory of 1968	1200	gpscript.exe	jLWxRKUA6E5lwPCipLtTDrXgqD.bat
PID 1200 wrote to memory of 1968	1200	gpscript.exe	jLWxRKUA6E5lwPCipLtTDrXgqD.bat

C:\Users\Admin\AppData\Local\Temp\26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe
"C:\Users\Admin\AppData\Local\Temp\26bc108d0576279befaf22603230ee92442b769ff05181bdde5d2ac288ad4e80.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:952

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x580
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:624

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Public\Favorites\jLWxRKUA6E5lwPCipLtTDrXgqD.bat
"C:\Users\Public\Favorites\jLWxRKUA6E5lwPCipLtTDrXgqD.bat" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1968

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\7T3inalQqXzpL2i1DxceiBbQQu2iSbyC0QViOeqnRbPa9YrwlaJ9C9Ub.exe
Filesize
3.4MB

MD5
f03153dcec199b2eb035e0aab0cffbae

SHA1
0fcdd057a7619846c0bc3f6b9d9e01705aaa3216

SHA256
66c4b28f5e0f1496af5e7feae4fd5131e8ac3ea4e0fed207081db3b67fa408f9

SHA512
5993f27faf7f7fbe782e8705b2ca23f094053ab6c7b8e0eb64ca30503212140c6e48f5201fe1e316e119dbc6b89ee2d8a25d6fe2a930a66ee79bc85a5f1a87a0

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\KKTkAa61ca2ZqQ1HR8XFo8ynQ3bufDdL42jiuv.exe
Filesize
3.4MB

MD5
e4812f0216c0f9d8e179f64b63873451

SHA1
4040f126fcf2d3564a3aced29706d1f7e89f6bb5

SHA256
2cd5f6a8bfe6d55cec37a26fb614a4f7b1e9a749da6ae6f1c64604a55febb01c

SHA512
92a99831c3bdfb8f064293f4e947b6ca8948628ee83ebbd6bf7ddcc7d385bfc840863a2970d23665c3e368411d9c4fb52928849f515153c392e6da0e907ad7be

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\h3z1J4qRaKy2woBOqz2nf.exe
Filesize
3.4MB

MD5
70bacfaa819c43a4d59f00a505025390

SHA1
c57f884b2902d13c2ae8ea7261adda40a2ba8ae9

SHA256
d6de1abdfd462cc1b9e4b3aa38cd0163a8545a82ca45e705cea2cb4c1ac75104

SHA512
fd12b10c3fe692853ac43318500fe2722aebe5237426ee6c5dbeac01ef8e75f32f99759af4a00626c8401094295760193a1a4a7b03427de6e14d242788ab6037

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\EqOGqnf1VkhqH7DMc09PT9HGLLXNNNm8jJa.exe
Filesize
3.7MB

MD5
afa7ce813d38305e2946b14d07c3f4d4

SHA1
d02449d051d1d5925847fe31e6f15388ed30027e

SHA256
bc21f3e4bf7df7fc19da77d8fda8c3ab56f371339084220627598c1dd0ae155c

SHA512
289a7290e1f3ec71c5398834fe910b3fdefb54d82f0837f05a56877d82a1ffe8cb66bc860af0f751175e5c4a570d734fc98850b530f915b54d004db7675a84c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\O2b7gKrluy3e3S.exe
Filesize
1.9MB

MD5
cb9815bcc717993cfef94747040a1a0c

SHA1
e380d8865af5ffe64e690d8fad67260c37c5de0f

SHA256
99a7ce2baccaa45f4c287ab5d6bd682b4de00d275e470b12b7fd0033262b886a

SHA512
0673da3dd933e21a85adfe9dc79b0e277f2e7540e9276ab1a80705e4ab0584d353d98f8fcd4f865239af46a37d35ebe1820349252a1fbcac872fd97bf6c09044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\ZecIQHFMHrMkG8bcMYx3SHKZdYG1U38EAKDi4IvfE50qmAk72W4xP.exe
Filesize
2.9MB

MD5
a55f7bde3592f42dbac5b7cfb83fcaa5

SHA1
ebfe12d54fc7d459db8c6f4eb588804c6ab5615a

SHA256
577e5a204aa67a16b4290050392083d269fa0885a4d7a71ef2d45a7f03efebe9

SHA512
aad9484ff60133be438ede7b7e08991c64559ae0f7217d167c7cc0ddee07c49589e11531ab48b3fe33702a587067e17f9a4c5a7e96f1581b476630212d860319

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\datareporting\archived\2022-08\MDAWzLWw1UwoLoBINy8Sj3IEEHFEmcvbgl3heHRyeA8ZeK.exe
Filesize
2.5MB

MD5
0509fbb1403a1ae76d39e96c877d4445

SHA1
93375c38064a5938036cadb7f9bbcdd37194279d

SHA256
7d8e6266ffd660f4335c11c13839eacdecb97603c39c29b9b348eed246974d0a

SHA512
0bcda0f3f398d23121cc53810edd456440a3122bb04e3de009c920bee2a48bd36d98110399ac3fc147b23399690c2b69ab48b44b38a5291493a74bb35984ca64

Download Submit
C:\Users\Default\Saved Games\ZUzLalXDvimIKhORhav8cDNGZM0wYsIFEOpAsqsX07X6LJBZ4PGewM6gso1zSAO6jxeQzQ.exe
Filesize
2.5MB

MD5
5c15fd2292500348eafb236ad2903426

SHA1
ea3556ea395fc10821c300a96abde4aca665dc43

SHA256
73389ac1c752de9a47042a0f36ea5bfc4378a16eb1b65cb0e99fc10aa0ce7754

SHA512
56c39b95cd407a380ceaf86dd396be0d2725927a9252f8cac9e0247289ec227278aa187b4b217e218b4ac3dce76ef295aa345790baf06cbb1729abe9ec8894de

Download Submit
C:\Users\Public\Favorites\jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Filesize
3.7MB

MD5
3276f24a20574b41741ed9588611eed4

SHA1
2b0476e72b1715ffa3841544982f2bfae84f7104

SHA256
f51b6fb4f5e415706abc43fd9b6cd6c329faf8c535765708004eb4a9109ff392

SHA512
d0c92f2e38cf5c5534dc2a17d38e7f35ef3c447ff94b47a9af0eda73668c33531fac8190ba723eba52b9cdb2bec00d1a88f76316a5398af1343ed28d2190b667

Download Submit
C:\Users\Public\Favorites\jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Filesize
3.7MB

MD5
3276f24a20574b41741ed9588611eed4

SHA1
2b0476e72b1715ffa3841544982f2bfae84f7104

SHA256
f51b6fb4f5e415706abc43fd9b6cd6c329faf8c535765708004eb4a9109ff392

SHA512
d0c92f2e38cf5c5534dc2a17d38e7f35ef3c447ff94b47a9af0eda73668c33531fac8190ba723eba52b9cdb2bec00d1a88f76316a5398af1343ed28d2190b667

Download Submit
\Users\Public\Favorites\jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Filesize
3.7MB

MD5
3276f24a20574b41741ed9588611eed4

SHA1
2b0476e72b1715ffa3841544982f2bfae84f7104

SHA256
f51b6fb4f5e415706abc43fd9b6cd6c329faf8c535765708004eb4a9109ff392

SHA512
d0c92f2e38cf5c5534dc2a17d38e7f35ef3c447ff94b47a9af0eda73668c33531fac8190ba723eba52b9cdb2bec00d1a88f76316a5398af1343ed28d2190b667

Download Submit
\Users\Public\Favorites\jLWxRKUA6E5lwPCipLtTDrXgqD.bat
Filesize
3.7MB

MD5
3276f24a20574b41741ed9588611eed4

SHA1
2b0476e72b1715ffa3841544982f2bfae84f7104

SHA256
f51b6fb4f5e415706abc43fd9b6cd6c329faf8c535765708004eb4a9109ff392

SHA512
d0c92f2e38cf5c5534dc2a17d38e7f35ef3c447ff94b47a9af0eda73668c33531fac8190ba723eba52b9cdb2bec00d1a88f76316a5398af1343ed28d2190b667

Download Submit
memory/688-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/688-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/952-56-0x000007FEFB801000-0x000007FEFB803000-memory.dmp

Filesize
8KB

Download
memory/1200-65-0x0000000000FB0000-0x0000000000FDD000-memory.dmp

Filesize
180KB

Download
memory/1968-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1968-62-0x0000000000000000-mapping.dmp

Download
memory/1968-75-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads