asyncrat | 5a755c3fa92a24bae2d0d3fc1e2a743ed11e159f3327aeb685f8118823453a59

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Fineeest_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Fineeest_.exe

Deletes itself 1 IoCs

pid	Process
1964	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000100000001ab6c-191.dat	themida
behavioral2/files/0x000100000001ab6c-198.dat	themida
behavioral2/memory/512-211-0x0000000001110000-0x0000000001111000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	DAA7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"	DAA7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\setuplauncher = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\setuplauncher.exe\""	DD58.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Fineeest_.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\ef40b4615d1ffed76b2bee77e41bcb49\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\ef40b4615d1ffed76b2bee77e41bcb49\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\ef40b4615d1ffed76b2bee77e41bcb49\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	PryntVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\ef40b4615d1ffed76b2bee77e41bcb49\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\ef40b4615d1ffed76b2bee77e41bcb49\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\ef40b4615d1ffed76b2bee77e41bcb49\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\ef40b4615d1ffed76b2bee77e41bcb49\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	PryntVirus.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Z:	services.exe
File opened (read-only)	\??\U:	services.exe
File opened (read-only)	\??\T:	services.exe
File opened (read-only)	\??\S:	services.exe
File opened (read-only)	\??\R:	services.exe
File opened (read-only)	\??\N:	services.exe
File opened (read-only)	\??\J:	services.exe
File opened (read-only)	\??\F:	services.exe
File opened (read-only)	\??\E:	services.exe
File opened (read-only)	\??\Y:	services.exe
File opened (read-only)	\??\X:	services.exe
File opened (read-only)	\??\W:	services.exe
File opened (read-only)	\??\Q:	services.exe
File opened (read-only)	\??\L:	services.exe
File opened (read-only)	\??\I:	services.exe
File opened (read-only)	\??\B:	services.exe
File opened (read-only)	\??\A:	services.exe
File opened (read-only)	\??\P:	services.exe
File opened (read-only)	\??\M:	services.exe
File opened (read-only)	\??\K:	services.exe
File opened (read-only)	\??\V:	services.exe
File opened (read-only)	\??\O:	services.exe
File opened (read-only)	\??\H:	services.exe
File opened (read-only)	\??\G:	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	geoiptool.com
47	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
512	Fineeest_.exe
4792	DD58.exe
4792	DD58.exe
4792	DD58.exe
4792	DD58.exe
4792	DD58.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 604 set thread context of 3844	604	d4d66258546efbcc87356f6ecfa0e925.exe	77
PID 2148 set thread context of 4792	2148	DD58.exe	130

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-48.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-hover_32.svg	services.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover_2x.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe.payfast290.1C6-C03-693	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\11c.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\ui-strings.js.payfast290.1C6-C03-693	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL077.XML	services.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\MedTile.scale-125.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_2017.113.1250.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd.payfast290.1C6-C03-693	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ul-oob.xrm-ms.payfast290.1C6-C03-693	services.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\SkypeWideTile.scale-100_contrast-black.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js.payfast290.1C6-C03-693	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-black_scale-200.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-20_altform-unplated_contrast-white.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png.payfast290.1C6-C03-693	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\AppxSignature.p7x	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\Star-Club_icon.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ps_60x42.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar	services.exe
File created	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-400.png	services.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-60_altform-unplated.png	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF.payfast290.1C6-C03-693	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\ExcelCapabilities.json.payfast290.1C6-C03-693	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\en-US.Calendar.model	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-disabled_32.svg.payfast290.1C6-C03-693	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\CenterView.scale-140.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-100_contrast-white.png	services.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\mc.jar.payfast290.1C6-C03-693	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms.payfast290.1C6-C03-693	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_CS-CZ.respack	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2210_24x24x32.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\mmm.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\WideTile.scale-100.png	services.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar.payfast290.1C6-C03-693	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar	services.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\en-gb\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ge_60x42.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-150.png	services.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_ja.jar.payfast290.1C6-C03-693	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\msipc.dll.mui	services.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\MedTile.scale-125.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-200.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7205_48x48x32.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview-hover.svg	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml.payfast290.1C6-C03-693	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d4d66258546efbcc87356f6ecfa0e925.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d4d66258546efbcc87356f6ecfa0e925.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d4d66258546efbcc87356f6ecfa0e925.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	PryntVirus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	PryntVirus.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
4704	schtasks.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1584	vssadmin.exe
2248	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	DAA7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	DAA7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3844	d4d66258546efbcc87356f6ecfa0e925.exe
3844	d4d66258546efbcc87356f6ecfa0e925.exe
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1964	Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
3844	d4d66258546efbcc87356f6ecfa0e925.exe
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found
1964	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	DAA7.exe
Token: SeDebugPrivilege	2656	DAA7.exe
Token: SeShutdownPrivilege	1964	Process not Found
Token: SeCreatePagefilePrivilege	1964	Process not Found
Token: SeShutdownPrivilege	1964	Process not Found
Token: SeCreatePagefilePrivilege	1964	Process not Found
Token: SeShutdownPrivilege	1964	Process not Found
Token: SeCreatePagefilePrivilege	1964	Process not Found
Token: SeIncreaseQuotaPrivilege	768	WMIC.exe
Token: SeSecurityPrivilege	768	WMIC.exe
Token: SeTakeOwnershipPrivilege	768	WMIC.exe
Token: SeLoadDriverPrivilege	768	WMIC.exe
Token: SeSystemProfilePrivilege	768	WMIC.exe
Token: SeSystemtimePrivilege	768	WMIC.exe
Token: SeProfSingleProcessPrivilege	768	WMIC.exe
Token: SeIncBasePriorityPrivilege	768	WMIC.exe
Token: SeCreatePagefilePrivilege	768	WMIC.exe
Token: SeBackupPrivilege	768	WMIC.exe
Token: SeRestorePrivilege	768	WMIC.exe
Token: SeShutdownPrivilege	768	WMIC.exe
Token: SeDebugPrivilege	768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	768	WMIC.exe
Token: SeRemoteShutdownPrivilege	768	WMIC.exe
Token: SeUndockPrivilege	768	WMIC.exe
Token: SeManageVolumePrivilege	768	WMIC.exe
Token: 33	768	WMIC.exe
Token: 34	768	WMIC.exe
Token: 35	768	WMIC.exe
Token: 36	768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2904	WMIC.exe
Token: SeSecurityPrivilege	2904	WMIC.exe
Token: SeTakeOwnershipPrivilege	2904	WMIC.exe
Token: SeLoadDriverPrivilege	2904	WMIC.exe
Token: SeSystemProfilePrivilege	2904	WMIC.exe
Token: SeSystemtimePrivilege	2904	WMIC.exe
Token: SeProfSingleProcessPrivilege	2904	WMIC.exe
Token: SeIncBasePriorityPrivilege	2904	WMIC.exe
Token: SeCreatePagefilePrivilege	2904	WMIC.exe
Token: SeBackupPrivilege	2904	WMIC.exe
Token: SeRestorePrivilege	2904	WMIC.exe
Token: SeShutdownPrivilege	2904	WMIC.exe
Token: SeDebugPrivilege	2904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2904	WMIC.exe
Token: SeRemoteShutdownPrivilege	2904	WMIC.exe
Token: SeUndockPrivilege	2904	WMIC.exe
Token: SeManageVolumePrivilege	2904	WMIC.exe
Token: 33	2904	WMIC.exe
Token: 34	2904	WMIC.exe
Token: 35	2904	WMIC.exe
Token: 36	2904	WMIC.exe
Token: SeBackupPrivilege	1656	vssvc.exe
Token: SeRestorePrivilege	1656	vssvc.exe
Token: SeAuditPrivilege	1656	vssvc.exe
Token: SeShutdownPrivilege	1964	Process not Found
Token: SeCreatePagefilePrivilege	1964	Process not Found
Token: SeIncreaseQuotaPrivilege	2904	WMIC.exe
Token: SeSecurityPrivilege	2904	WMIC.exe
Token: SeTakeOwnershipPrivilege	2904	WMIC.exe
Token: SeLoadDriverPrivilege	2904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	768	WMIC.exe
Token: SeSystemProfilePrivilege	2904	WMIC.exe
Token: SeSystemtimePrivilege	2904	WMIC.exe
Token: SeSecurityPrivilege	768	WMIC.exe
Token: SeProfSingleProcessPrivilege	2904	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4792	DD58.exe
4792	DD58.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1964	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 604 wrote to memory of 3844	604	d4d66258546efbcc87356f6ecfa0e925.exe	77
PID 604 wrote to memory of 3844	604	d4d66258546efbcc87356f6ecfa0e925.exe	77
PID 604 wrote to memory of 3844	604	d4d66258546efbcc87356f6ecfa0e925.exe	77
PID 604 wrote to memory of 3844	604	d4d66258546efbcc87356f6ecfa0e925.exe	77
PID 604 wrote to memory of 3844	604	d4d66258546efbcc87356f6ecfa0e925.exe	77
PID 604 wrote to memory of 3844	604	d4d66258546efbcc87356f6ecfa0e925.exe	77
PID 1964 wrote to memory of 2208	1964	Process not Found	79
PID 1964 wrote to memory of 2208	1964	Process not Found	79
PID 1964 wrote to memory of 2656	1964	Process not Found	80
PID 1964 wrote to memory of 2656	1964	Process not Found	80
PID 1964 wrote to memory of 2656	1964	Process not Found	80
PID 1964 wrote to memory of 2148	1964	Process not Found	81
PID 1964 wrote to memory of 2148	1964	Process not Found	81
PID 1964 wrote to memory of 2148	1964	Process not Found	81
PID 1964 wrote to memory of 2108	1964	Process not Found	82
PID 1964 wrote to memory of 2108	1964	Process not Found	82
PID 1964 wrote to memory of 2108	1964	Process not Found	82
PID 1964 wrote to memory of 2108	1964	Process not Found	82
PID 1964 wrote to memory of 3332	1964	Process not Found	83
PID 1964 wrote to memory of 3332	1964	Process not Found	83
PID 1964 wrote to memory of 3332	1964	Process not Found	83
PID 1964 wrote to memory of 4000	1964	Process not Found	84
PID 1964 wrote to memory of 4000	1964	Process not Found	84
PID 1964 wrote to memory of 4000	1964	Process not Found	84
PID 1964 wrote to memory of 4000	1964	Process not Found	84
PID 1964 wrote to memory of 3260	1964	Process not Found	85
PID 1964 wrote to memory of 3260	1964	Process not Found	85
PID 1964 wrote to memory of 3260	1964	Process not Found	85
PID 1964 wrote to memory of 3524	1964	Process not Found	86
PID 1964 wrote to memory of 3524	1964	Process not Found	86
PID 1964 wrote to memory of 3524	1964	Process not Found	86
PID 1964 wrote to memory of 3524	1964	Process not Found	86
PID 2656 wrote to memory of 3096	2656	DAA7.exe	87
PID 2656 wrote to memory of 3096	2656	DAA7.exe	87
PID 2656 wrote to memory of 3096	2656	DAA7.exe	87
PID 2656 wrote to memory of 3176	2656	DAA7.exe	88
PID 2656 wrote to memory of 3176	2656	DAA7.exe	88
PID 2656 wrote to memory of 3176	2656	DAA7.exe	88
PID 2656 wrote to memory of 3176	2656	DAA7.exe	88
PID 2656 wrote to memory of 3176	2656	DAA7.exe	88
PID 2656 wrote to memory of 3176	2656	DAA7.exe	88
PID 1964 wrote to memory of 2900	1964	Process not Found	89
PID 1964 wrote to memory of 2900	1964	Process not Found	89
PID 1964 wrote to memory of 2900	1964	Process not Found	89
PID 1964 wrote to memory of 3356	1964	Process not Found	90
PID 1964 wrote to memory of 3356	1964	Process not Found	90
PID 1964 wrote to memory of 3356	1964	Process not Found	90
PID 1964 wrote to memory of 3356	1964	Process not Found	90
PID 1964 wrote to memory of 1856	1964	Process not Found	91
PID 1964 wrote to memory of 1856	1964	Process not Found	91
PID 1964 wrote to memory of 1856	1964	Process not Found	91
PID 1964 wrote to memory of 1756	1964	Process not Found	92
PID 1964 wrote to memory of 1756	1964	Process not Found	92
PID 1964 wrote to memory of 1756	1964	Process not Found	92
PID 1964 wrote to memory of 1756	1964	Process not Found	92
PID 3096 wrote to memory of 1476	3096	services.exe	93
PID 3096 wrote to memory of 1476	3096	services.exe	93
PID 3096 wrote to memory of 1476	3096	services.exe	93
PID 3096 wrote to memory of 2060	3096	services.exe	94
PID 3096 wrote to memory of 2060	3096	services.exe	94
PID 3096 wrote to memory of 2060	3096	services.exe	94
PID 3096 wrote to memory of 3696	3096	services.exe	96
PID 3096 wrote to memory of 3696	3096	services.exe	96
PID 3096 wrote to memory of 3696	3096	services.exe	96

C:\Users\Admin\AppData\Local\Temp\d4d66258546efbcc87356f6ecfa0e925.exe
"C:\Users\Admin\AppData\Local\Temp\d4d66258546efbcc87356f6ecfa0e925.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:604
- C:\Users\Admin\AppData\Local\Temp\d4d66258546efbcc87356f6ecfa0e925.exe
  "C:\Users\Admin\AppData\Local\Temp\d4d66258546efbcc87356f6ecfa0e925.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3844

C:\Users\Admin\AppData\Local\Temp\D9EB.exe
C:\Users\Admin\AppData\Local\Temp\D9EB.exe
1⤵
- Executes dropped EXE
PID:2208
- C:\Users\Admin\AppData\Local\Temp\Fineeest_.exe
  "C:\Users\Admin\AppData\Local\Temp\Fineeest_.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:512
- C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe
  "C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    PID:4376
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4412
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      PID:4436
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    PID:4500
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4536
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      PID:4556
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4704
- C:\Users\Admin\AppData\Local\Temp\1000 hq.exe
  "C:\Users\Admin\AppData\Local\Temp\1000 hq.exe"
  2⤵
  - Executes dropped EXE
  PID:768

C:\Users\Admin\AppData\Local\Temp\DAA7.exe
C:\Users\Admin\AppData\Local\Temp\DAA7.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:1476
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:3900
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:3460
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2904
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2248
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:404
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:3176

C:\Users\Admin\AppData\Local\Temp\DD58.exe
C:\Users\Admin\AppData\Local\Temp\DD58.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2148
- C:\Users\Admin\AppData\Local\Temp\DD58.exe
  C:\Users\Admin\AppData\Local\Temp\DD58.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Users\Admin\AppData\Local\Temp\DD58.exe
  C:\Users\Admin\AppData\Local\Temp\DD58.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:4792

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2108

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3332

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4000

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3260

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3524

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2900

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3356

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1856

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Roaming\ceavehh
C:\Users\Admin\AppData\Roaming\ceavehh
1⤵
- Executes dropped EXE
PID:4964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery