e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184

Analysis

max time kernel
160s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Size

1.1MB
MD5

499ba01975a4731e742c2e2b2c8ac6ea
SHA1

b522100522a0c7be32dd6787a7d25dd35be8845a
SHA256

e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184
SHA512

283ee7dfc0060812f920cc4c2a1951503a89fe77407ae8408acc2a6889156931bed9b750c9abc24d31926d2904c4dc128869ca42836f474f082a7745d2c09761
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\Qch58sQBexjRadnJtuo8XoXs49Npiu9G6ZhMCdNZo68QcvimcpH02.exe\" O"	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Local\\37ny8xzHx15wn6wRv8SeTZMdPPdR56V2vn6gQMWCNXqKe3yvlGRj.exe\" O"	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\\packages\\z3fbMzYpBvHmLwvRDUB1eKIaHhoeL0W92UNUBQ6vSZehwsEQZuE9bdeLo9qKVbp1.exe\" O"	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\Acrobat\\9.0\\c8mExBWL.exe\" O"	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe

Executes dropped EXE 1 IoCs

pid	Process
828	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat

Loads dropped DLL 2 IoCs

pid	Process
1516	gpscript.exe
1516	gpscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 58 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Key created	\REGISTRY\USER\.DEFAULT	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-19	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000405fe39def00d901	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Caches\\gmhzh8cKmFgkCVkc0vG7zxSCjaROKPj.exe\" O 2>NUL"	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\hyphen-data\\G0h1dRKdyXwqiTrvurSuP.exe\" O"	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-20	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\J6AIXJLC\\lG7EQxmrfDTLVj.exe\" O"	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\ypeYCIZzGeLmZQ8sCyskYzAEH5SNI6ayZJ71hhVeVt670MnclTa902nfVG.exe\" O"	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Network\\Connections\\nC1WiUMuUPWnT9SPYgnt9JzjfS.exe\" O"	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\cueSGIJXjWXRrdt9hIiAXxn3k1ry2B.exe\" O"	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\de-DE\\wvCTIOeXBqoXoT7M.exe\" O"	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\iJ0mGkTrELltr.exe\" O 2>NUL"	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Assistance\\Client\\ojUAxrtA51szy3sTHR9lCimUkhnaQnvJ8imB.exe\" O"	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\UyATiMbxW5Ev22oBuPPUolE7DkmKfGadPBqgQpG15FBGDwJXT8zQnTQT8kRpdrKM0JvOk.exe\" O 2>NUL"	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\20\\K4V7nqAngbcGeNMXA.exe\" O 2>NUL"	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000020a0c7b6ef00d901	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\SharePoint\\IT4Oscg8O9.exe\" O"	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\Videos\\ObvifoXuYp2s8.exe\" O 2>NUL"	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\A7InFuW3CPR0RCTyqtTFSSZC0Td6.exe\" O 2>NUL"	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\MSDN\\mWRwBMSxt669PHsYSGYmZUWqZOkOdqFVdhg7GHJUK73OD6NwVpTRUlY1RBGwZ.exe\" O"	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\Saved Games\\iU90e7rHKXMu2u5OeSKYJokisLKbUdgFJyh0UiimsRxJtNyvT1eoY0.exe\" O 2>NUL"	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\KKd0uw33Flly5uqxeiM2t7JbSnO5mNOUf41vbh.exe\" O 2>NUL"	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\58\\Eqx4eaVrs4HFwKzwgKawT1UW77GXRg994JA4QNme6IRj7XzEIH248i6knK33wEtrz.exe\" O 2>NUL"	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\w6nT3KAeud5kgqBKz9K4u.exe\" O"	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\SOFTWARE\Microsoft\Command Processor	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\History\\IbvETyqjxtoyenr7wAzmfYoPj7n4jtdVdheAc9.exe\" O 2>NUL"	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeBackupPrivilege	1900	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Token: SeRestorePrivilege	1900	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Token: SeShutdownPrivilege	1900	e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
Token: 33	1312	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1312	AUDIODG.EXE
Token: 33	1312	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1312	AUDIODG.EXE
Token: SeDebugPrivilege	828	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
Token: SeRestorePrivilege	828	MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 828	1516	gpscript.exe	32
PID 1516 wrote to memory of 828	1516	gpscript.exe	32
PID 1516 wrote to memory of 828	1516	gpscript.exe	32

C:\Users\Admin\AppData\Local\Temp\e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe
"C:\Users\Admin\AppData\Local\Temp\e9ee0a38a19922a3b10f9866490bb2833a929a45c34e3498922c3737c307d184.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:380

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:808

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1516
- C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat
  "C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat" 1
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Sets file execution options in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Assistance\Client\ojUAxrtA51szy3sTHR9lCimUkhnaQnvJ8imB.exe

Filesize
1.4MB

MD5
36949d17e3ffcf23babb68a9fe699772

SHA1
41a2264b05e72a13d270cf8c02cd9113fb09ee4b

SHA256
b440481c34e71bad7c43482349151fcbf2557f49c7cdf93e44cfa8f9abfac909

SHA512
64d65bc7956d8ef8c8d0248d0ad2bd1c6dbd9ccadc13400a3c2878097bcb1fb9dffde5a19ffa9750182d97a0d080f83e8eb22ba2139642f5405a40c15253a999

Download Submit
C:\ProgramData\Microsoft\Network\Connections\nC1WiUMuUPWnT9SPYgnt9JzjfS.exe

Filesize
1.5MB

MD5
bce45f9e7117c0b6729b15da841e9dd7

SHA1
37ab2a0091736769de3b5f2e38673efd553c419e

SHA256
5f39cfe00191a81a338b88a6c009282306b1b3a940f0678026b29a70777d055d

SHA512
65fb7479429e22c0319ecff6ab2074cd08c2ce63780ba1fcb33e96bfc1cd9ae8586c9b8ae9feba4d1687de101656210721aa929ef568775dfe5917fb6c810539

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSScan\UyATiMbxW5Ev22oBuPPUolE7DkmKfGadPBqgQpG15FBGDwJXT8zQnTQT8kRpdrKM0JvOk.exe

Filesize
1.1MB

MD5
d155809052cef8b81e20e591697f1ca5

SHA1
a50586f2da58c0354bbcaf5f1b2662fd216d06b3

SHA256
dd37ae9b5acdccb76bbb5c1bd9b3d29c3a58f024f1335b73265082fc8f72bdc5

SHA512
bd7801a12e52211815fb7d0d57f8833d95e5e81ff5361fea73e06346f37f4aa619835c0076489b38537ee622d052cc1bf5502bd90890e20ce81d6c1d5d5e4979

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat

Filesize
1.7MB

MD5
b70e03498db910f1035be95beafe334a

SHA1
e820ef5523d065514ccc52a95149c2796338de23

SHA256
c323b9ea5dc4aeb052ca9cc9baf29008cfb52efe9637a94574bccc5e4e337956

SHA512
2a5e5bb446fb157c4afc92c6b3e018fbc3f305c69c17e8d656739a44856911cc97115033d888995c0caa287afa1be9153ae075a9a67fec150a40442be4dbabe5

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat

Filesize
1.7MB

MD5
b70e03498db910f1035be95beafe334a

SHA1
e820ef5523d065514ccc52a95149c2796338de23

SHA256
c323b9ea5dc4aeb052ca9cc9baf29008cfb52efe9637a94574bccc5e4e337956

SHA512
2a5e5bb446fb157c4afc92c6b3e018fbc3f305c69c17e8d656739a44856911cc97115033d888995c0caa287afa1be9153ae075a9a67fec150a40442be4dbabe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\J6AIXJLC\lG7EQxmrfDTLVj.exe

Filesize
1.6MB

MD5
a73d4b1e77d4b1f3a3a04cca71329fe9

SHA1
bc101e6b0e32df96f285b97f05db7d98ef049bc3

SHA256
647329b9a5e83a726a206accc4d942268aa700d4510caf979006f64dcac765f9

SHA512
41102b84bada9d9fe5bb4d782ae83a28bf1e2378bd42ee00eb3e5f99f370820b850d4ff65f6d2b1fc1313e5395a0124ea288fb9a171582392775b57a5b184d3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Gadgets\Qch58sQBexjRadnJtuo8XoXs49Npiu9G6ZhMCdNZo68QcvimcpH02.exe

Filesize
1.4MB

MD5
1bdf8c66e3c4670de0d5b780823ec6f8

SHA1
9d76dd93bd755fd50e9e6fb04822d2950416da5c

SHA256
dd7c7b1770166d17ea6fec58acf126b77b9b5f95df69f72c18773011e26d1357

SHA512
a8ebe00dd751b0256b0f160f9fb4f9d5d59ff86521475ba85371955c645f8d3ff2e1c226fda3ae9b2eca55c2a4a93d744364ae995b9e1d5c3ffc18db8cd8741b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\KKd0uw33Flly5uqxeiM2t7JbSnO5mNOUf41vbh.exe

Filesize
1.2MB

MD5
d067f5f367760b9d9941d348700d8ce2

SHA1
f2121d7581d6960f6bcdb9c54f930c8d390d971e

SHA256
d9b3d94e4986b669a186370e1ab7c101db3707258ea94138b6905f8abdf46ab2

SHA512
b3645c956908e6307fb58c49e63c428bfff410f032b4bfb3302ccdc6ba6df588a1d2ace8330a95102532996512779fe6581706ab20d1e77be93ebf7b80966179

Download Submit
C:\Users\Admin\Music\JDwG8Te3ofOvfv22gARaScBzF2rhp1OmWs9xRyOMxd.exe

Filesize
1.6MB

MD5
158c23d0972635117686039e0f850815

SHA1
ca39883346a61ac33a96dc2bd521bce732b76150

SHA256
50c249157cfd3cba376c4b8bd4946c6ef7248a67db9477282afed89d93325d3a

SHA512
9bb0325ad35a258e4dc5704e0a7c2cda43777dc0a250a0085f64ec82418495c2bfbd19074bf96ac6fdf0c0e5cfecd9e8ef5518c06b9f5a3fb9fc8b299417dcd7

Download Submit
C:\Users\Default\Videos\ObvifoXuYp2s8.exe

Filesize
1.4MB

MD5
d31109524a9b42ba012874c2d22f714b

SHA1
c78f9cc2694d871c376642f4389ea59ca445f203

SHA256
e25fb9954134ac1e3db6ba2dc498123de2f898ce2dc3726b2e28a08637749956

SHA512
4e7089d050fb4150fb0a96c40c12559827105195db3693622eef9cc11dd19ae7a5564c4b9ca4bbf1384677d44fa0fc26cbd4e38a3997b4fbd5cdaa4eba28d557

Download Submit
\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat

Filesize
1.7MB

MD5
b70e03498db910f1035be95beafe334a

SHA1
e820ef5523d065514ccc52a95149c2796338de23

SHA256
c323b9ea5dc4aeb052ca9cc9baf29008cfb52efe9637a94574bccc5e4e337956

SHA512
2a5e5bb446fb157c4afc92c6b3e018fbc3f305c69c17e8d656739a44856911cc97115033d888995c0caa287afa1be9153ae075a9a67fec150a40442be4dbabe5

Download Submit
\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\MaqehRfRVuDHMqouQmZCixjfS1t4oGT58BSSDDiityxoQH11d.bat

Filesize
1.7MB

MD5
b70e03498db910f1035be95beafe334a

SHA1
e820ef5523d065514ccc52a95149c2796338de23

SHA256
c323b9ea5dc4aeb052ca9cc9baf29008cfb52efe9637a94574bccc5e4e337956

SHA512
2a5e5bb446fb157c4afc92c6b3e018fbc3f305c69c17e8d656739a44856911cc97115033d888995c0caa287afa1be9153ae075a9a67fec150a40442be4dbabe5

Download Submit
memory/380-55-0x000007FEFB851000-0x000007FEFB853000-memory.dmp

Filesize
8KB

Download
memory/828-70-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/828-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1516-68-0x0000000001040000-0x000000000106D000-memory.dmp

Filesize
180KB

Download
memory/1516-69-0x0000000001040000-0x000000000106D000-memory.dmp

Filesize
180KB

Download
memory/1516-76-0x0000000001040000-0x000000000106D000-memory.dmp

Filesize
180KB

Download
memory/1516-77-0x0000000001040000-0x000000000106D000-memory.dmp

Filesize
180KB

Download
memory/1900-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1900-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads