elysiumstealer | a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65

Peripheral Device Discovery

System Information Discovery

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 api.ipify.org
103 ip-api.com

flow	ioc
28	api.ipify.org
103	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Setup.exe

pid process

3964 Setup.exe

pid	process
3964	Setup.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

B6E2.tmp.exeC0CA61A12E4C8B38.exe

description	pid	process	target process
PID 3444 set thread context of 1184	3444	B6E2.tmp.exe	B6E2.tmp.exe
PID 4016 set thread context of 588	4016	C0CA61A12E4C8B38.exe	firefox.exe

Drops file in Windows directory 2 IoCs

Processes:

multitimer.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

C0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

B6E2.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	B6E2.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	B6E2.tmp.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2940 taskkill.exe
2128 taskkill.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

file.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\PegasPc file.exe

pid	process
2940	taskkill.exe
2128	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

file.exeSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

3844 PING.EXE
2868 PING.EXE
356 PING.EXE

pid	process
3844	PING.EXE
2868	PING.EXE
356	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

file.exeB6E2.tmp.exe1615018419288.exemultitimer.exe

pid	process
3972	file.exe
3972	file.exe
1184	B6E2.tmp.exe
1184	B6E2.tmp.exe
3972	file.exe
3972	file.exe
3972	file.exe
3972	file.exe
3972	file.exe
3972	file.exe
2116	1615018419288.exe
2116	1615018419288.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe
1508	multitimer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

file.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3972	file.exe
Token: SeShutdownPrivilege	4060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4060	msiexec.exe
Token: SeSecurityPrivilege	2220	msiexec.exe
Token: SeCreateTokenPrivilege	4060	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4060	msiexec.exe
Token: SeLockMemoryPrivilege	4060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4060	msiexec.exe
Token: SeMachineAccountPrivilege	4060	msiexec.exe
Token: SeTcbPrivilege	4060	msiexec.exe
Token: SeSecurityPrivilege	4060	msiexec.exe
Token: SeTakeOwnershipPrivilege	4060	msiexec.exe
Token: SeLoadDriverPrivilege	4060	msiexec.exe
Token: SeSystemProfilePrivilege	4060	msiexec.exe
Token: SeSystemtimePrivilege	4060	msiexec.exe
Token: SeProfSingleProcessPrivilege	4060	msiexec.exe
Token: SeIncBasePriorityPrivilege	4060	msiexec.exe
Token: SeCreatePagefilePrivilege	4060	msiexec.exe
Token: SeCreatePermanentPrivilege	4060	msiexec.exe
Token: SeBackupPrivilege	4060	msiexec.exe
Token: SeRestorePrivilege	4060	msiexec.exe
Token: SeShutdownPrivilege	4060	msiexec.exe
Token: SeDebugPrivilege	4060	msiexec.exe
Token: SeAuditPrivilege	4060	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4060	msiexec.exe
Token: SeChangeNotifyPrivilege	4060	msiexec.exe
Token: SeRemoteShutdownPrivilege	4060	msiexec.exe
Token: SeUndockPrivilege	4060	msiexec.exe
Token: SeSyncAgentPrivilege	4060	msiexec.exe
Token: SeEnableDelegationPrivilege	4060	msiexec.exe
Token: SeManageVolumePrivilege	4060	msiexec.exe
Token: SeImpersonatePrivilege	4060	msiexec.exe
Token: SeCreateGlobalPrivilege	4060	msiexec.exe
Token: SeCreateTokenPrivilege	4060	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4060	msiexec.exe
Token: SeLockMemoryPrivilege	4060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4060	msiexec.exe
Token: SeMachineAccountPrivilege	4060	msiexec.exe
Token: SeTcbPrivilege	4060	msiexec.exe
Token: SeSecurityPrivilege	4060	msiexec.exe
Token: SeTakeOwnershipPrivilege	4060	msiexec.exe
Token: SeLoadDriverPrivilege	4060	msiexec.exe
Token: SeSystemProfilePrivilege	4060	msiexec.exe
Token: SeSystemtimePrivilege	4060	msiexec.exe
Token: SeProfSingleProcessPrivilege	4060	msiexec.exe
Token: SeIncBasePriorityPrivilege	4060	msiexec.exe
Token: SeCreatePagefilePrivilege	4060	msiexec.exe
Token: SeCreatePermanentPrivilege	4060	msiexec.exe
Token: SeBackupPrivilege	4060	msiexec.exe
Token: SeRestorePrivilege	4060	msiexec.exe
Token: SeShutdownPrivilege	4060	msiexec.exe
Token: SeDebugPrivilege	4060	msiexec.exe
Token: SeAuditPrivilege	4060	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4060	msiexec.exe
Token: SeChangeNotifyPrivilege	4060	msiexec.exe
Token: SeRemoteShutdownPrivilege	4060	msiexec.exe
Token: SeUndockPrivilege	4060	msiexec.exe
Token: SeSyncAgentPrivilege	4060	msiexec.exe
Token: SeEnableDelegationPrivilege	4060	msiexec.exe
Token: SeManageVolumePrivilege	4060	msiexec.exe
Token: SeImpersonatePrivilege	4060	msiexec.exe
Token: SeCreateGlobalPrivilege	4060	msiexec.exe
Token: SeCreateTokenPrivilege	4060	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4060	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

4060 msiexec.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

Setup.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exefirefox.exe1615018419288.exe

pid process

3964 Setup.exe
4016 C0CA61A12E4C8B38.exe
1140 C0CA61A12E4C8B38.exe
588 firefox.exe
2116 1615018419288.exe

pid	process
4060	msiexec.exe

pid	process
3964	Setup.exe
4016	C0CA61A12E4C8B38.exe
1140	C0CA61A12E4C8B38.exe
588	firefox.exe
2116	1615018419288.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

keygen-step-4.exefile.exeB6E2.tmp.execmd.exeSetup.exemsiexec.execmd.exeInstall.exeaskinstall20.execmd.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exe

description	pid	process	target process
PID 644 wrote to memory of 3972	644	keygen-step-4.exe	file.exe
PID 644 wrote to memory of 3972	644	keygen-step-4.exe	file.exe
PID 644 wrote to memory of 3972	644	keygen-step-4.exe	file.exe
PID 3972 wrote to memory of 3444	3972	file.exe	B6E2.tmp.exe
PID 3972 wrote to memory of 3444	3972	file.exe	B6E2.tmp.exe
PID 3972 wrote to memory of 3444	3972	file.exe	B6E2.tmp.exe
PID 3444 wrote to memory of 1184	3444	B6E2.tmp.exe	B6E2.tmp.exe
PID 3444 wrote to memory of 1184	3444	B6E2.tmp.exe	B6E2.tmp.exe
PID 3444 wrote to memory of 1184	3444	B6E2.tmp.exe	B6E2.tmp.exe
PID 3444 wrote to memory of 1184	3444	B6E2.tmp.exe	B6E2.tmp.exe
PID 3444 wrote to memory of 1184	3444	B6E2.tmp.exe	B6E2.tmp.exe
PID 3444 wrote to memory of 1184	3444	B6E2.tmp.exe	B6E2.tmp.exe
PID 3444 wrote to memory of 1184	3444	B6E2.tmp.exe	B6E2.tmp.exe
PID 3444 wrote to memory of 1184	3444	B6E2.tmp.exe	B6E2.tmp.exe
PID 3444 wrote to memory of 1184	3444	B6E2.tmp.exe	B6E2.tmp.exe
PID 3444 wrote to memory of 1184	3444	B6E2.tmp.exe	B6E2.tmp.exe
PID 3444 wrote to memory of 1184	3444	B6E2.tmp.exe	B6E2.tmp.exe
PID 3444 wrote to memory of 1184	3444	B6E2.tmp.exe	B6E2.tmp.exe
PID 3444 wrote to memory of 1184	3444	B6E2.tmp.exe	B6E2.tmp.exe
PID 3972 wrote to memory of 2456	3972	file.exe	cmd.exe
PID 3972 wrote to memory of 2456	3972	file.exe	cmd.exe
PID 3972 wrote to memory of 2456	3972	file.exe	cmd.exe
PID 644 wrote to memory of 3964	644	keygen-step-4.exe	Setup.exe
PID 644 wrote to memory of 3964	644	keygen-step-4.exe	Setup.exe
PID 644 wrote to memory of 3964	644	keygen-step-4.exe	Setup.exe
PID 2456 wrote to memory of 356	2456	cmd.exe	PING.EXE
PID 2456 wrote to memory of 356	2456	cmd.exe	PING.EXE
PID 2456 wrote to memory of 356	2456	cmd.exe	PING.EXE
PID 3964 wrote to memory of 4060	3964	Setup.exe	msiexec.exe
PID 3964 wrote to memory of 4060	3964	Setup.exe	msiexec.exe
PID 3964 wrote to memory of 4060	3964	Setup.exe	msiexec.exe
PID 2220 wrote to memory of 1040	2220	msiexec.exe	MsiExec.exe
PID 2220 wrote to memory of 1040	2220	msiexec.exe	MsiExec.exe
PID 2220 wrote to memory of 1040	2220	msiexec.exe	MsiExec.exe
PID 3964 wrote to memory of 4016	3964	Setup.exe	C0CA61A12E4C8B38.exe
PID 3964 wrote to memory of 4016	3964	Setup.exe	C0CA61A12E4C8B38.exe
PID 3964 wrote to memory of 4016	3964	Setup.exe	C0CA61A12E4C8B38.exe
PID 3964 wrote to memory of 1140	3964	Setup.exe	C0CA61A12E4C8B38.exe
PID 3964 wrote to memory of 1140	3964	Setup.exe	C0CA61A12E4C8B38.exe
PID 3964 wrote to memory of 1140	3964	Setup.exe	C0CA61A12E4C8B38.exe
PID 3964 wrote to memory of 2236	3964	Setup.exe	cmd.exe
PID 3964 wrote to memory of 2236	3964	Setup.exe	cmd.exe
PID 3964 wrote to memory of 2236	3964	Setup.exe	cmd.exe
PID 644 wrote to memory of 420	644	keygen-step-4.exe	Install.exe
PID 644 wrote to memory of 420	644	keygen-step-4.exe	Install.exe
PID 2236 wrote to memory of 3844	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 3844	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 3844	2236	cmd.exe	PING.EXE
PID 420 wrote to memory of 3920	420	Install.exe	multitimer.exe
PID 420 wrote to memory of 3920	420	Install.exe	multitimer.exe
PID 644 wrote to memory of 3152	644	keygen-step-4.exe	askinstall20.exe
PID 644 wrote to memory of 3152	644	keygen-step-4.exe	askinstall20.exe
PID 644 wrote to memory of 3152	644	keygen-step-4.exe	askinstall20.exe
PID 3152 wrote to memory of 2100	3152	askinstall20.exe	cmd.exe
PID 3152 wrote to memory of 2100	3152	askinstall20.exe	cmd.exe
PID 3152 wrote to memory of 2100	3152	askinstall20.exe	cmd.exe
PID 2100 wrote to memory of 2128	2100	cmd.exe	taskkill.exe
PID 2100 wrote to memory of 2128	2100	cmd.exe	taskkill.exe
PID 2100 wrote to memory of 2128	2100	cmd.exe	taskkill.exe
PID 1140 wrote to memory of 1444	1140	C0CA61A12E4C8B38.exe	cmd.exe
PID 1140 wrote to memory of 1444	1140	C0CA61A12E4C8B38.exe	cmd.exe
PID 1140 wrote to memory of 1444	1140	C0CA61A12E4C8B38.exe	cmd.exe
PID 4016 wrote to memory of 588	4016	C0CA61A12E4C8B38.exe	firefox.exe
PID 4016 wrote to memory of 588	4016	C0CA61A12E4C8B38.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972

C:\Users\Admin\AppData\Roaming\B6E2.tmp.exe
"C:\Users\Admin\AppData\Roaming\B6E2.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3444

C:\Users\Admin\AppData\Roaming\B6E2.tmp.exe
"C:\Users\Admin\AppData\Roaming\B6E2.tmp.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:356

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4060

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:588

C:\Users\Admin\AppData\Roaming\1615018419288.exe
"C:\Users\Admin\AppData\Roaming\1615018419288.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615018419288.txt"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2116

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
4⤵
PID:1444

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
5⤵
- Kills process with taskkill
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
4⤵
PID:3928

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:3844

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:420

C:\Users\Admin\AppData\Local\Temp\RV6LWKHMKR\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RV6LWKHMKR\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3920

C:\Users\Admin\AppData\Local\Temp\RV6LWKHMKR\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RV6LWKHMKR\multitimer.exe" 1 3.1615014609.60432ad178d3e 101
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3276

C:\Users\Admin\AppData\Local\Temp\RV6LWKHMKR\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RV6LWKHMKR\multitimer.exe" 2 3.1615014609.60432ad178d3e
5⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1508

C:\Users\Admin\AppData\Local\Temp\rexdlui5nds\sc2g51bjz4w.exe
"C:\Users\Admin\AppData\Local\Temp\rexdlui5nds\sc2g51bjz4w.exe" /VERYSILENT
6⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\is-IBKHV.tmp\sc2g51bjz4w.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IBKHV.tmp\sc2g51bjz4w.tmp" /SL5="$501FA,870426,780800,C:\Users\Admin\AppData\Local\Temp\rexdlui5nds\sc2g51bjz4w.exe" /VERYSILENT
7⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\fwg4rqsqsyq\vict.exe
"C:\Users\Admin\AppData\Local\Temp\fwg4rqsqsyq\vict.exe" /VERYSILENT /id=535
6⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\5eumbox4php\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\5eumbox4php\safebits.exe" /S /pubid=1 /subid=451
6⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\1fg1wtnyle5\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\1fg1wtnyle5\Setup3310.exe" /Verysilent /subid=577
6⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\is-V7GP9.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V7GP9.tmp\Setup3310.tmp" /SL5="$1025E,802346,56832,C:\Users\Admin\AppData\Local\Temp\1fg1wtnyle5\Setup3310.exe" /Verysilent /subid=577
7⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\dxyhtjscpl1\furzu3sxd23.exe
"C:\Users\Admin\AppData\Local\Temp\dxyhtjscpl1\furzu3sxd23.exe" testparams
6⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:2128

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2320

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe"
2⤵
PID:3944

C:\ProgramData\184729.1
"C:\ProgramData\184729.1"
3⤵
PID:1208

C:\ProgramData\7894830.86
"C:\ProgramData\7894830.86"
3⤵
PID:2208

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
4⤵
PID:4220

C:\ProgramData\5482195.60
"C:\ProgramData\5482195.60"
3⤵
PID:3872

C:\ProgramData\8679945.95
"C:\ProgramData\8679945.95"
3⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\RarSFX0\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\gcttt.exe"
2⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:4600

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A03EECE348CA1003A148840C7D4C85AD C
2⤵
- Loads dropped DLL
PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

System Information Discovery

Peripheral Device Discovery