033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b

Processes:

033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe

description	ioc	process
File opened (read-only)	\??\T:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\V:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\Y:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\Z:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\H:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\I:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\J:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\M:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\S:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\U:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\X:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\F:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\B:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\E:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\K:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\N:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\P:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\Q:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\A:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\L:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\O:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\R:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\W:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
File opened (read-only)	\??\G:	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

SystemSettings.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	SystemSettings.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

3844 vssadmin.exe
3692 vssadmin.exe
3700 vssadmin.exe

pid	process
3844	vssadmin.exe
3692	vssadmin.exe
3700	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

firefox.exeSystemSettings.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	SystemSettings.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe

pid	process
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exevssvc.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3728	wmic.exe
Token: SeSecurityPrivilege	3728	wmic.exe
Token: SeTakeOwnershipPrivilege	3728	wmic.exe
Token: SeLoadDriverPrivilege	3728	wmic.exe
Token: SeSystemProfilePrivilege	3728	wmic.exe
Token: SeSystemtimePrivilege	3728	wmic.exe
Token: SeProfSingleProcessPrivilege	3728	wmic.exe
Token: SeIncBasePriorityPrivilege	3728	wmic.exe
Token: SeCreatePagefilePrivilege	3728	wmic.exe
Token: SeBackupPrivilege	3728	wmic.exe
Token: SeRestorePrivilege	3728	wmic.exe
Token: SeShutdownPrivilege	3728	wmic.exe
Token: SeDebugPrivilege	3728	wmic.exe
Token: SeSystemEnvironmentPrivilege	3728	wmic.exe
Token: SeRemoteShutdownPrivilege	3728	wmic.exe
Token: SeUndockPrivilege	3728	wmic.exe
Token: SeManageVolumePrivilege	3728	wmic.exe
Token: 33	3728	wmic.exe
Token: 34	3728	wmic.exe
Token: 35	3728	wmic.exe
Token: 36	3728	wmic.exe
Token: SeBackupPrivilege	744	vssvc.exe
Token: SeRestorePrivilege	744	vssvc.exe
Token: SeAuditPrivilege	744	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4000	wmic.exe
Token: SeSecurityPrivilege	4000	wmic.exe
Token: SeTakeOwnershipPrivilege	4000	wmic.exe
Token: SeLoadDriverPrivilege	4000	wmic.exe
Token: SeSystemProfilePrivilege	4000	wmic.exe
Token: SeSystemtimePrivilege	4000	wmic.exe
Token: SeProfSingleProcessPrivilege	4000	wmic.exe
Token: SeIncBasePriorityPrivilege	4000	wmic.exe
Token: SeCreatePagefilePrivilege	4000	wmic.exe
Token: SeBackupPrivilege	4000	wmic.exe
Token: SeRestorePrivilege	4000	wmic.exe
Token: SeShutdownPrivilege	4000	wmic.exe
Token: SeDebugPrivilege	4000	wmic.exe
Token: SeSystemEnvironmentPrivilege	4000	wmic.exe
Token: SeRemoteShutdownPrivilege	4000	wmic.exe
Token: SeUndockPrivilege	4000	wmic.exe
Token: SeManageVolumePrivilege	4000	wmic.exe
Token: 33	4000	wmic.exe
Token: 34	4000	wmic.exe
Token: 35	4000	wmic.exe
Token: 36	4000	wmic.exe
Token: SeIncreaseQuotaPrivilege	2092	wmic.exe
Token: SeSecurityPrivilege	2092	wmic.exe
Token: SeTakeOwnershipPrivilege	2092	wmic.exe
Token: SeLoadDriverPrivilege	2092	wmic.exe
Token: SeSystemProfilePrivilege	2092	wmic.exe
Token: SeSystemtimePrivilege	2092	wmic.exe
Token: SeProfSingleProcessPrivilege	2092	wmic.exe
Token: SeIncBasePriorityPrivilege	2092	wmic.exe
Token: SeCreatePagefilePrivilege	2092	wmic.exe
Token: SeBackupPrivilege	2092	wmic.exe
Token: SeRestorePrivilege	2092	wmic.exe
Token: SeShutdownPrivilege	2092	wmic.exe
Token: SeDebugPrivilege	2092	wmic.exe
Token: SeSystemEnvironmentPrivilege	2092	wmic.exe
Token: SeRemoteShutdownPrivilege	2092	wmic.exe
Token: SeUndockPrivilege	2092	wmic.exe
Token: SeManageVolumePrivilege	2092	wmic.exe
Token: 33	2092	wmic.exe
Token: 34	2092	wmic.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

3260 firefox.exe
3260 firefox.exe
3260 firefox.exe
3260 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3260 firefox.exe
3260 firefox.exe
3260 firefox.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

firefox.exeSystemSettings.exe

pid process

3260 firefox.exe
4872 SystemSettings.exe

pid	process
3260	firefox.exe
3260	firefox.exe
3260	firefox.exe
3260	firefox.exe

pid	process
3260	firefox.exe
3260	firefox.exe
3260	firefox.exe

pid	process
3260	firefox.exe
4872	SystemSettings.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3016 wrote to memory of 3728	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	wmic.exe
PID 3016 wrote to memory of 3728	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	wmic.exe
PID 3016 wrote to memory of 3728	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	wmic.exe
PID 3016 wrote to memory of 3700	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	vssadmin.exe
PID 3016 wrote to memory of 3700	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	vssadmin.exe
PID 3016 wrote to memory of 3700	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	vssadmin.exe
PID 3016 wrote to memory of 4000	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	wmic.exe
PID 3016 wrote to memory of 4000	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	wmic.exe
PID 3016 wrote to memory of 4000	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	wmic.exe
PID 3016 wrote to memory of 3844	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	vssadmin.exe
PID 3016 wrote to memory of 3844	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	vssadmin.exe
PID 3016 wrote to memory of 3844	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	vssadmin.exe
PID 3016 wrote to memory of 2092	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	wmic.exe
PID 3016 wrote to memory of 2092	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	wmic.exe
PID 3016 wrote to memory of 2092	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	wmic.exe
PID 3016 wrote to memory of 3692	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	vssadmin.exe
PID 3016 wrote to memory of 3692	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	vssadmin.exe
PID 3016 wrote to memory of 3692	3016	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe	vssadmin.exe
PID 2208 wrote to memory of 3260	2208	firefox.exe	firefox.exe
PID 2208 wrote to memory of 3260	2208	firefox.exe	firefox.exe
PID 2208 wrote to memory of 3260	2208	firefox.exe	firefox.exe
PID 2208 wrote to memory of 3260	2208	firefox.exe	firefox.exe
PID 2208 wrote to memory of 3260	2208	firefox.exe	firefox.exe
PID 2208 wrote to memory of 3260	2208	firefox.exe	firefox.exe
PID 2208 wrote to memory of 3260	2208	firefox.exe	firefox.exe
PID 2208 wrote to memory of 3260	2208	firefox.exe	firefox.exe
PID 2208 wrote to memory of 3260	2208	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3692	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3692	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe
PID 3260 wrote to memory of 3776	3260	firefox.exe	firefox.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3016

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:3700

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:3844

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:3692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3260

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3260.0.938960621\1284522765" -parentBuildID 20200403170909 -prefsHandle 1496 -prefMapHandle 1488 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3260 "\\.\pipe\gecko-crash-server-pipe.3260" 1580 gpu
3⤵
PID:3692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3260.3.609094933\1335136079" -childID 1 -isForBrowser -prefsHandle 2308 -prefMapHandle 2264 -prefsLen 122 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3260 "\\.\pipe\gecko-crash-server-pipe.3260" 1496 tab
3⤵
PID:3776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3260.13.2100427919\244838590" -childID 2 -isForBrowser -prefsHandle 3472 -prefMapHandle 3468 -prefsLen 6979 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3260 "\\.\pipe\gecko-crash-server-pipe.3260" 3488 tab
3⤵
PID:4192

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3260.20.520111439\1851346064" -childID 3 -isForBrowser -prefsHandle 4664 -prefMapHandle 4276 -prefsLen 7750 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3260 "\\.\pipe\gecko-crash-server-pipe.3260" 2772 tab
3⤵
PID:4632

C:\Program Files\Mozilla Firefox\uninstall\helper.exe
"C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppUser
3⤵
- Loads dropped DLL
PID:4728

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

T1112

File Deletion

T1107

Credential Access

Discovery

System Information Discovery

5

Query Registry

3

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery