redline | f9dbecef2b9eb26fc0a32fdc9bd245f703cfa85e958d1e22fe3e3d0f088be5d8

System Information Discovery

Processes:

powershell.exexfhzfYhuwGA67gGOtGRlWeTl.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xfhzfYhuwGA67gGOtGRlWeTl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	xfhzfYhuwGA67gGOtGRlWeTl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

PZbymWwqqSjnqyH644Uo_IaD.exeInstall.exef9dbecef2b9eb26fc0a32fdc9bd245f703cfa85e958d1e22fe3e3d0f088be5d8.exesotema_1.exesotema_7.exe9D8raoRqiC8FHJn_ccuCkk88.exenJrQvaWlmG5N_OUXvwcTlGQV.exew1jfbdL3dDQQQkbo30GAllsO.exee5BhVxoBwkStZKSSYBzeUr2Z.exeSuvawSBUnm6myU6DhFpq8i7u.exefASQVeg6paNe6mMwzpxTKxZV.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	PZbymWwqqSjnqyH644Uo_IaD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	f9dbecef2b9eb26fc0a32fdc9bd245f703cfa85e958d1e22fe3e3d0f088be5d8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	sotema_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	sotema_7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	9D8raoRqiC8FHJn_ccuCkk88.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	nJrQvaWlmG5N_OUXvwcTlGQV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	w1jfbdL3dDQQQkbo30GAllsO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	e5BhVxoBwkStZKSSYBzeUr2Z.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	SuvawSBUnm6myU6DhFpq8i7u.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	fASQVeg6paNe6mMwzpxTKxZV.exe

Loads dropped DLL 25 IoCs

Processes:

setup_install.exesotema_2.exesotema_5.tmprUNdlL32.eXe5fc4UC_Q2nCihToqDYwyzaMf.exee5BhVxoBwkStZKSSYBzeUr2Z.exePZbymWwqqSjnqyH644Uo_IaD.exe

pid	process
4080	setup_install.exe
4080	setup_install.exe
4080	setup_install.exe
4080	setup_install.exe
4080	setup_install.exe
4080	setup_install.exe
4080	setup_install.exe
4080	setup_install.exe
3476	sotema_2.exe
3016	sotema_5.tmp
3552	rUNdlL32.eXe
2088	5fc4UC_Q2nCihToqDYwyzaMf.exe
2088	5fc4UC_Q2nCihToqDYwyzaMf.exe
2504	e5BhVxoBwkStZKSSYBzeUr2Z.exe
2504	e5BhVxoBwkStZKSSYBzeUr2Z.exe
2704	PZbymWwqqSjnqyH644Uo_IaD.exe
2704	PZbymWwqqSjnqyH644Uo_IaD.exe
2088	5fc4UC_Q2nCihToqDYwyzaMf.exe
2088	5fc4UC_Q2nCihToqDYwyzaMf.exe
2088	5fc4UC_Q2nCihToqDYwyzaMf.exe
2088	5fc4UC_Q2nCihToqDYwyzaMf.exe
2088	5fc4UC_Q2nCihToqDYwyzaMf.exe
2088	5fc4UC_Q2nCihToqDYwyzaMf.exe
2088	5fc4UC_Q2nCihToqDYwyzaMf.exe
2088	5fc4UC_Q2nCihToqDYwyzaMf.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

w1jfbdL3dDQQQkbo30GAllsO.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	w1jfbdL3dDQQQkbo30GAllsO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	w1jfbdL3dDQQQkbo30GAllsO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\w1jfbdL3dDQQQkbo30GAllsO.exe = "0"	w1jfbdL3dDQQQkbo30GAllsO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Extensions	w1jfbdL3dDQQQkbo30GAllsO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Extensions\exe = "1"	w1jfbdL3dDQQQkbo30GAllsO.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

Processes:

xfhzfYhuwGA67gGOtGRlWeTl.exew1jfbdL3dDQQQkbo30GAllsO.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xfhzfYhuwGA67gGOtGRlWeTl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	w1jfbdL3dDQQQkbo30GAllsO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	w1jfbdL3dDQQQkbo30GAllsO.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

197 ipinfo.io
41 ip-api.com
42 ipinfo.io
43 ipinfo.io
196 ipinfo.io
Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

e5BhVxoBwkStZKSSYBzeUr2Z.exebGJ2SVNJLRdo43lQGIK76mJs.exe663g5DjyM9rf6IWMkIz4Ho4g.exe

pid process

2504 e5BhVxoBwkStZKSSYBzeUr2Z.exe
2236 bGJ2SVNJLRdo43lQGIK76mJs.exe
1664 663g5DjyM9rf6IWMkIz4Ho4g.exe

flow	ioc
197	ipinfo.io
41	ip-api.com
42	ipinfo.io
43	ipinfo.io
196	ipinfo.io

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

pid	process
2504	e5BhVxoBwkStZKSSYBzeUr2Z.exe
2236	bGJ2SVNJLRdo43lQGIK76mJs.exe
1664	663g5DjyM9rf6IWMkIz4Ho4g.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

powershell.exexfhzfYhuwGA67gGOtGRlWeTl.exeuJuPvGZN6v6hAgfUEJmSnlmm.exew1jfbdL3dDQQQkbo30GAllsO.exesotema_9.exe

description	pid	process	target process
PID 2468 set thread context of 2060	2468	powershell.exe	AppLaunch.exe
PID 1436 set thread context of 3768	1436	xfhzfYhuwGA67gGOtGRlWeTl.exe	AppLaunch.exe
PID 1676 set thread context of 4008	1676	uJuPvGZN6v6hAgfUEJmSnlmm.exe	uJuPvGZN6v6hAgfUEJmSnlmm.exe
PID 3892 set thread context of 3744	3892	w1jfbdL3dDQQQkbo30GAllsO.exe	w1jfbdL3dDQQQkbo30GAllsO.exe
PID 4896 set thread context of 4184	4896	sotema_9.exe	sotema_9.exe

Drops file in Windows directory 1 IoCs

Processes:

w1jfbdL3dDQQQkbo30GAllsO.exe

description ioc process

File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\66i2OKv6hdBe9X5H5.raw w1jfbdL3dDQQQkbo30GAllsO.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\66i2OKv6hdBe9X5H5.raw	w1jfbdL3dDQQQkbo30GAllsO.exe

Program crash 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4288	864	WerFault.exe	sotema_3.exe
3976	3552	WerFault.exe	rUNdlL32.eXe
4016	2900	WerFault.exe	z_4OXnoMaSTmR6pvnR_G41g5.exe
2084	2564	WerFault.exe	YV0oOUqgIDkvaeRVb3eoPOwV.exe
4888	3324	WerFault.exe	fASQVeg6paNe6mMwzpxTKxZV.exe
4680	2984	WerFault.exe	4puWYeVauuiw1_48ASFp8nhx.exe
1916	2564	WerFault.exe	YV0oOUqgIDkvaeRVb3eoPOwV.exe
2260	2900	WerFault.exe	z_4OXnoMaSTmR6pvnR_G41g5.exe
4260	2984	WerFault.exe	4puWYeVauuiw1_48ASFp8nhx.exe
3056	3324	WerFault.exe	fASQVeg6paNe6mMwzpxTKxZV.exe
1544	3324	WerFault.exe	fASQVeg6paNe6mMwzpxTKxZV.exe
4656	3324	WerFault.exe	fASQVeg6paNe6mMwzpxTKxZV.exe
1120	3324	WerFault.exe	fASQVeg6paNe6mMwzpxTKxZV.exe
2272	3324	WerFault.exe	fASQVeg6paNe6mMwzpxTKxZV.exe
4160	3324	WerFault.exe	fASQVeg6paNe6mMwzpxTKxZV.exe
4232	3324	WerFault.exe	fASQVeg6paNe6mMwzpxTKxZV.exe
5140	3324	WerFault.exe	fASQVeg6paNe6mMwzpxTKxZV.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

sotema_2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

e5BhVxoBwkStZKSSYBzeUr2Z.exePZbymWwqqSjnqyH644Uo_IaD.exe5fc4UC_Q2nCihToqDYwyzaMf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	e5BhVxoBwkStZKSSYBzeUr2Z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	e5BhVxoBwkStZKSSYBzeUr2Z.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PZbymWwqqSjnqyH644Uo_IaD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PZbymWwqqSjnqyH644Uo_IaD.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5fc4UC_Q2nCihToqDYwyzaMf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5fc4UC_Q2nCihToqDYwyzaMf.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5580 schtasks.exe
5328 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

2196 timeout.exe
4024 timeout.exe
3808 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2496 tasklist.exe
5228 tasklist.exe

pid	process
5580	schtasks.exe
5328	schtasks.exe

pid	process
2196	timeout.exe
4024	timeout.exe
3808	timeout.exe

pid	process
2496	tasklist.exe
5228	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

5172 taskkill.exe
2332 taskkill.exe
4700 taskkill.exe
Modifies registry class 1 IoCs

Processes:

sotema_1.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ sotema_1.exe

pid	process
5172	taskkill.exe
2332	taskkill.exe
4700	taskkill.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sotema_1.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

sotema_3.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sotema_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sotema_3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sotema_2.exejfiag3g_gg.exe

pid	process
3476	sotema_2.exe
3476	sotema_2.exe
5064	jfiag3g_gg.exe
5064	jfiag3g_gg.exe
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656
2656

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2656
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sotema_2.exe

pid process

3476 sotema_2.exe

pid	process
2656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sotema_6.exenJrQvaWlmG5N_OUXvwcTlGQV.exebGJ2SVNJLRdo43lQGIK76mJs.exe663g5DjyM9rf6IWMkIz4Ho4g.exe

description	pid	process
Token: SeDebugPrivilege	4116	sotema_6.exe
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeDebugPrivilege	3284	nJrQvaWlmG5N_OUXvwcTlGQV.exe
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeDebugPrivilege	2236	bGJ2SVNJLRdo43lQGIK76mJs.exe
Token: SeDebugPrivilege	1664	663g5DjyM9rf6IWMkIz4Ho4g.exe
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656
Token: SeShutdownPrivilege	2656
Token: SeCreatePagefilePrivilege	2656

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

Sta.exe.pif

pid process

5536 Sta.exe.pif
2656
2656
5536 Sta.exe.pif
5536 Sta.exe.pif
2656
2656
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Sta.exe.pif

pid process

5536 Sta.exe.pif
5536 Sta.exe.pif
5536 Sta.exe.pif

pid	process
5536	Sta.exe.pif
2656
2656
5536	Sta.exe.pif
5536	Sta.exe.pif
2656
2656

pid	process
5536	Sta.exe.pif
5536	Sta.exe.pif
5536	Sta.exe.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f9dbecef2b9eb26fc0a32fdc9bd245f703cfa85e958d1e22fe3e3d0f088be5d8.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exesotema_5.exesotema_4.exe

description	pid	process	target process
PID 4184 wrote to memory of 4080	4184	f9dbecef2b9eb26fc0a32fdc9bd245f703cfa85e958d1e22fe3e3d0f088be5d8.exe	setup_install.exe
PID 4184 wrote to memory of 4080	4184	f9dbecef2b9eb26fc0a32fdc9bd245f703cfa85e958d1e22fe3e3d0f088be5d8.exe	setup_install.exe
PID 4184 wrote to memory of 4080	4184	f9dbecef2b9eb26fc0a32fdc9bd245f703cfa85e958d1e22fe3e3d0f088be5d8.exe	setup_install.exe
PID 4080 wrote to memory of 5056	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 5056	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 5056	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4244	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4244	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4244	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 3592	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 3592	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 3592	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4332	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4332	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4332	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4328	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4328	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4328	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4036	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4036	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4036	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 220	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 220	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 220	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4484	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4484	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4484	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4232	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4232	4080	setup_install.exe	cmd.exe
PID 4080 wrote to memory of 4232	4080	setup_install.exe	cmd.exe
PID 4036 wrote to memory of 4116	4036	cmd.exe	sotema_6.exe
PID 4036 wrote to memory of 4116	4036	cmd.exe	sotema_6.exe
PID 4244 wrote to memory of 3476	4244	cmd.exe	sotema_2.exe
PID 4244 wrote to memory of 3476	4244	cmd.exe	sotema_2.exe
PID 4244 wrote to memory of 3476	4244	cmd.exe	sotema_2.exe
PID 4328 wrote to memory of 4124	4328	cmd.exe	sotema_5.exe
PID 4328 wrote to memory of 4124	4328	cmd.exe	sotema_5.exe
PID 4328 wrote to memory of 4124	4328	cmd.exe	sotema_5.exe
PID 3592 wrote to memory of 864	3592	cmd.exe	sotema_3.exe
PID 3592 wrote to memory of 864	3592	cmd.exe	sotema_3.exe
PID 3592 wrote to memory of 864	3592	cmd.exe	sotema_3.exe
PID 4332 wrote to memory of 760	4332	cmd.exe	sotema_4.exe
PID 4332 wrote to memory of 760	4332	cmd.exe	sotema_4.exe
PID 4332 wrote to memory of 760	4332	cmd.exe	sotema_4.exe
PID 220 wrote to memory of 1176	220	cmd.exe	sotema_7.exe
PID 220 wrote to memory of 1176	220	cmd.exe	sotema_7.exe
PID 220 wrote to memory of 1176	220	cmd.exe	sotema_7.exe
PID 5056 wrote to memory of 4396	5056	cmd.exe	sotema_1.exe
PID 5056 wrote to memory of 4396	5056	cmd.exe	sotema_1.exe
PID 5056 wrote to memory of 4396	5056	cmd.exe	sotema_1.exe
PID 4484 wrote to memory of 2732	4484	cmd.exe	sotema_8.exe
PID 4484 wrote to memory of 2732	4484	cmd.exe	sotema_8.exe
PID 4484 wrote to memory of 2732	4484	cmd.exe	sotema_8.exe
PID 4232 wrote to memory of 4896	4232	cmd.exe	sotema_9.exe
PID 4232 wrote to memory of 4896	4232	cmd.exe	sotema_9.exe
PID 4232 wrote to memory of 4896	4232	cmd.exe	sotema_9.exe
PID 4124 wrote to memory of 3016	4124	sotema_5.exe	sotema_5.tmp
PID 4124 wrote to memory of 3016	4124	sotema_5.exe	sotema_5.tmp
PID 4124 wrote to memory of 3016	4124	sotema_5.exe	sotema_5.tmp
PID 760 wrote to memory of 740	760	sotema_4.exe	jfiag3g_gg.exe
PID 760 wrote to memory of 740	760	sotema_4.exe	jfiag3g_gg.exe
PID 760 wrote to memory of 740	760	sotema_4.exe	jfiag3g_gg.exe
PID 760 wrote to memory of 5064	760	sotema_4.exe	jfiag3g_gg.exe
PID 760 wrote to memory of 5064	760	sotema_4.exe	jfiag3g_gg.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

w1jfbdL3dDQQQkbo30GAllsO.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	w1jfbdL3dDQQQkbo30GAllsO.exe

C:\Users\Admin\AppData\Local\Temp\f9dbecef2b9eb26fc0a32fdc9bd245f703cfa85e958d1e22fe3e3d0f088be5d8.exe
"C:\Users\Admin\AppData\Local\Temp\f9dbecef2b9eb26fc0a32fdc9bd245f703cfa85e958d1e22fe3e3d0f088be5d8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4184

C:\Users\Admin\AppData\Local\Temp\7zS850B0EAD\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS850B0EAD\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_1.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Local\Temp\7zS850B0EAD\sotema_1.exe
sotema_1.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4396

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",setpwd
5⤵
- Loads dropped DLL
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 600
6⤵
- Program crash
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_3.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Users\Admin\AppData\Local\Temp\7zS850B0EAD\sotema_3.exe
sotema_3.exe
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 932
5⤵
- Program crash
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_2.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4244

C:\Users\Admin\AppData\Local\Temp\7zS850B0EAD\sotema_2.exe
sotema_2.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_6.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\7zS850B0EAD\sotema_6.exe
sotema_6.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_5.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Local\Temp\7zS850B0EAD\sotema_5.exe
sotema_5.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124

C:\Users\Admin\AppData\Local\Temp\is-U205G.tmp\sotema_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U205G.tmp\sotema_5.tmp" /SL5="$D014C,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS850B0EAD\sotema_5.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_4.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Users\Admin\AppData\Local\Temp\7zS850B0EAD\sotema_4.exe
sotema_4.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:740

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_7.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\7zS850B0EAD\sotema_7.exe
sotema_7.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:1176

C:\Users\Admin\Documents\PZbymWwqqSjnqyH644Uo_IaD.exe
"C:\Users\Admin\Documents\PZbymWwqqSjnqyH644Uo_IaD.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:2704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im PZbymWwqqSjnqyH644Uo_IaD.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\PZbymWwqqSjnqyH644Uo_IaD.exe" & del C:\ProgramData\*.dll & exit
6⤵
PID:2308

C:\Windows\SysWOW64\taskkill.exe
taskkill /im PZbymWwqqSjnqyH644Uo_IaD.exe /f
7⤵
- Executes dropped EXE
- Kills process with taskkill
PID:4700

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:4024

C:\Users\Admin\Documents\fASQVeg6paNe6mMwzpxTKxZV.exe
"C:\Users\Admin\Documents\fASQVeg6paNe6mMwzpxTKxZV.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 624
6⤵
- Program crash
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 664
6⤵
- Program crash
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 588
6⤵
- Program crash
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 816
6⤵
- Program crash
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1244
6⤵
- Program crash
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1292
6⤵
- Program crash
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1292
6⤵
- Program crash
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1284
6⤵
- Program crash
PID:4232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "fASQVeg6paNe6mMwzpxTKxZV.exe" /f & erase "C:\Users\Admin\Documents\fASQVeg6paNe6mMwzpxTKxZV.exe" & exit
6⤵
PID:3776

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "fASQVeg6paNe6mMwzpxTKxZV.exe" /f
7⤵
- Kills process with taskkill
PID:5172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1304
6⤵
- Program crash
PID:5140

C:\Users\Admin\Documents\z_4OXnoMaSTmR6pvnR_G41g5.exe
"C:\Users\Admin\Documents\z_4OXnoMaSTmR6pvnR_G41g5.exe"
5⤵
- Executes dropped EXE
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 432
6⤵
- Program crash
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 440
6⤵
- Program crash
PID:2260

C:\Users\Admin\Documents\5fc4UC_Q2nCihToqDYwyzaMf.exe
"C:\Users\Admin\Documents\5fc4UC_Q2nCihToqDYwyzaMf.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2088

C:\Users\Admin\Documents\bGJ2SVNJLRdo43lQGIK76mJs.exe
"C:\Users\Admin\Documents\bGJ2SVNJLRdo43lQGIK76mJs.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Users\Admin\Documents\e5BhVxoBwkStZKSSYBzeUr2Z.exe
"C:\Users\Admin\Documents\e5BhVxoBwkStZKSSYBzeUr2Z.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:2504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im e5BhVxoBwkStZKSSYBzeUr2Z.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\e5BhVxoBwkStZKSSYBzeUr2Z.exe" & del C:\ProgramData\*.dll & exit
6⤵
PID:4628

C:\Windows\SysWOW64\taskkill.exe
taskkill /im e5BhVxoBwkStZKSSYBzeUr2Z.exe /f
7⤵
- Kills process with taskkill
PID:2332

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:2196

C:\Users\Admin\Documents\4puWYeVauuiw1_48ASFp8nhx.exe
"C:\Users\Admin\Documents\4puWYeVauuiw1_48ASFp8nhx.exe"
5⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 464
6⤵
- Program crash
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 472
6⤵
- Program crash
PID:4260

C:\Users\Admin\Documents\YV0oOUqgIDkvaeRVb3eoPOwV.exe
"C:\Users\Admin\Documents\YV0oOUqgIDkvaeRVb3eoPOwV.exe"
5⤵
- Executes dropped EXE
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 464
6⤵
- Program crash
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 472
6⤵
- Program crash
PID:1916

C:\Users\Admin\Documents\0ReV9cd7U7C3aXbqGQ85tsEa.exe
"C:\Users\Admin\Documents\0ReV9cd7U7C3aXbqGQ85tsEa.exe"
5⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2060

C:\Users\Admin\Documents\9D8raoRqiC8FHJn_ccuCkk88.exe
"C:\Users\Admin\Documents\9D8raoRqiC8FHJn_ccuCkk88.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:1400

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
6⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Detto.xla
6⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd
7⤵
PID:3352

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
8⤵
- Enumerates processes with tasklist
PID:2496

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
8⤵
PID:4900

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
8⤵
- Enumerates processes with tasklist
PID:5228

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
8⤵
PID:5260

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^wtwRMqjYMlcblhfrOaJNpOohYASICCRoGRaYHSofIqwzkvtDhVASceYjWNSjoDvlzhRaVdvWpzypNPwCvgcGwZMDTye$" Hai.xla
8⤵
PID:5448

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.pif
Sta.exe.pif V
8⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5536

C:\Users\Admin\Documents\nJrQvaWlmG5N_OUXvwcTlGQV.exe
"C:\Users\Admin\Documents\nJrQvaWlmG5N_OUXvwcTlGQV.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Users\Admin\AppData\Local\Temp\bde44c43-8833-4969-84de-4e09e2ae496f.exe
"C:\Users\Admin\AppData\Local\Temp\bde44c43-8833-4969-84de-4e09e2ae496f.exe"
6⤵
- Executes dropped EXE
PID:3964

C:\Users\Admin\Documents\w1jfbdL3dDQQQkbo30GAllsO.exe
"C:\Users\Admin\Documents\w1jfbdL3dDQQQkbo30GAllsO.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System policy modification
PID:3892

C:\Users\Admin\AppData\Local\Temp\39a0ee6a-49d8-4b25-9cc9-72770ebbfe0b\6211c00d-e343-4fc0-a134-7e8e324e1590.exe
"C:\Users\Admin\AppData\Local\Temp\39a0ee6a-49d8-4b25-9cc9-72770ebbfe0b\6211c00d-e343-4fc0-a134-7e8e324e1590.exe" /o /c "Windows-Defender" /r
6⤵
- Executes dropped EXE
PID:1060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension "exe" -Force
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
PID:2468

C:\Users\Admin\AppData\Local\Temp\39a0ee6a-49d8-4b25-9cc9-72770ebbfe0b\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\39a0ee6a-49d8-4b25-9cc9-72770ebbfe0b\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\39a0ee6a-49d8-4b25-9cc9-72770ebbfe0b\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
6⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\39a0ee6a-49d8-4b25-9cc9-72770ebbfe0b\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\39a0ee6a-49d8-4b25-9cc9-72770ebbfe0b\AdvancedRun.exe" /SpecialRun 4101d8 3808
7⤵
PID:4700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\w1jfbdL3dDQQQkbo30GAllsO.exe" -Force
6⤵
- Executes dropped EXE
PID:2984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\w1jfbdL3dDQQQkbo30GAllsO.exe" -Force
6⤵
PID:1500

C:\Users\Admin\Documents\w1jfbdL3dDQQQkbo30GAllsO.exe
"C:\Users\Admin\Documents\w1jfbdL3dDQQQkbo30GAllsO.exe"
6⤵
- Executes dropped EXE
PID:4984

C:\Users\Admin\Documents\w1jfbdL3dDQQQkbo30GAllsO.exe
"C:\Users\Admin\Documents\w1jfbdL3dDQQQkbo30GAllsO.exe"
6⤵
- Executes dropped EXE
PID:1044

C:\Users\Admin\Documents\w1jfbdL3dDQQQkbo30GAllsO.exe
"C:\Users\Admin\Documents\w1jfbdL3dDQQQkbo30GAllsO.exe"
6⤵
- Executes dropped EXE
PID:3744

C:\Users\Admin\Documents\yTapUqGVcX3Z9KxoXbSrae7f.exe
"C:\Users\Admin\Documents\yTapUqGVcX3Z9KxoXbSrae7f.exe"
5⤵
- Executes dropped EXE
PID:1284

C:\Users\Admin\AppData\Local\Temp\7zS987F.tmp\Install.exe
.\Install.exe
6⤵
- Executes dropped EXE
PID:2152

C:\Users\Admin\AppData\Local\Temp\7zSA9E5.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:3856

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
8⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
9⤵
PID:5328

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
10⤵
PID:5372

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
10⤵
PID:5388

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
8⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
9⤵
PID:5308

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
10⤵
PID:5404

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
10⤵
PID:5420

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gAtmTlqsj" /SC once /ST 03:49:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
8⤵
- Creates scheduled task(s)
PID:5580

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gAtmTlqsj"
8⤵
PID:5676

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gAtmTlqsj"
8⤵
PID:1060

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 15:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\inWBoSu.exe\" j6 /site_id 525403 /S" /V1 /F
8⤵
- Creates scheduled task(s)
PID:5328

C:\Users\Admin\Documents\xfhzfYhuwGA67gGOtGRlWeTl.exe
"C:\Users\Admin\Documents\xfhzfYhuwGA67gGOtGRlWeTl.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:3768

C:\Users\Admin\Documents\uJuPvGZN6v6hAgfUEJmSnlmm.exe
"C:\Users\Admin\Documents\uJuPvGZN6v6hAgfUEJmSnlmm.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1676

C:\Users\Admin\Documents\uJuPvGZN6v6hAgfUEJmSnlmm.exe
"C:\Users\Admin\Documents\uJuPvGZN6v6hAgfUEJmSnlmm.exe"
6⤵
- Executes dropped EXE
PID:4008

C:\Users\Admin\Documents\FkmnvmSy3cy2NREiRfT6L8xF.exe
"C:\Users\Admin\Documents\FkmnvmSy3cy2NREiRfT6L8xF.exe"
5⤵
- Executes dropped EXE
PID:740

C:\Users\Admin\Documents\rGlHN84g67IXkDVSrPBAnWhi.exe
"C:\Users\Admin\Documents\rGlHN84g67IXkDVSrPBAnWhi.exe"
5⤵
- Executes dropped EXE
PID:4020

C:\Users\Admin\Documents\663g5DjyM9rf6IWMkIz4Ho4g.exe
"C:\Users\Admin\Documents\663g5DjyM9rf6IWMkIz4Ho4g.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Users\Admin\Documents\quE2Nw4K0SMZdjuRmsp1bI5o.exe
"C:\Users\Admin\Documents\quE2Nw4K0SMZdjuRmsp1bI5o.exe"
5⤵
- Executes dropped EXE
PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\quE2Nw4K0SMZdjuRmsp1bI5o.exe
6⤵
PID:6140

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
7⤵
PID:3032

C:\Users\Admin\Documents\SuvawSBUnm6myU6DhFpq8i7u.exe
"C:\Users\Admin\Documents\SuvawSBUnm6myU6DhFpq8i7u.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:1740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 45
6⤵
PID:4500

C:\Windows\SysWOW64\timeout.exe
timeout 45
7⤵
- Executes dropped EXE
- Delays execution with timeout.exe
PID:3808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_9.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4232

C:\Users\Admin\AppData\Local\Temp\7zS850B0EAD\sotema_9.exe
sotema_9.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4896

C:\Users\Admin\AppData\Local\Temp\7zS850B0EAD\sotema_9.exe
C:\Users\Admin\AppData\Local\Temp\7zS850B0EAD\sotema_9.exe
5⤵
- Executes dropped EXE
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_8.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Users\Admin\AppData\Local\Temp\7zS850B0EAD\sotema_8.exe
sotema_8.exe
4⤵
- Executes dropped EXE
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 864 -ip 864
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3552 -ip 3552
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3324 -ip 3324
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2900 -ip 2900
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2564 -ip 2564
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2984 -ip 2984
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2564 -ip 2564
1⤵
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2984 -ip 2984
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2900 -ip 2900
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3324 -ip 3324
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3324 -ip 3324
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3324 -ip 3324
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3324 -ip 3324
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3324 -ip 3324
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3324 -ip 3324
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3324 -ip 3324
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3324 -ip 3324
1⤵
PID:4232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5720

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:5160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5460

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery