General
  Target: intelsoftwareassetmanagerservice.exe
  Filesize: 3MB
  Completed: 20-05-2022 12:28
  Task: behavioral2
  Score: 1/10
  MD5: 5bdebce7118d30a387fec0f9329c5437
  SHA1: 83a66c54772017c6fa0e243bcf5bbfebd2c29518
  SHA256: b8f8ddaba5754af65c9b7c762d69e1b2bd3702307c41589977759d813bf78635
  SHA512: 96676730f1529972ee7f6582d43d856ffeed4706d26042c961ed14598eb03c0be410c1fe4d993b5a2eb594a7de0eba5b9004c713e29ae7e932947beda1de80b4

Malware Config
Signatures 6

Defense Evasion
  • Modifies Internet Explorer settings
    explorer.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
  • Modifies registry class
    explorer.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings | explorer.exe
  • Opens file in notepad (likely ransom note)
    NOTEPAD.EXE

    Tags

    Reported IOCs

    pid | process
    3904 | NOTEPAD.EXE
  • Suspicious behavior: AddClipboardFormatListener
    explorer.exe

    Reported IOCs

    pid | process
    2128 | explorer.exe
  • Suspicious use of AdjustPrivilegeToken
    svchost.exe, explorer.exe

    Reported IOCs

    description | pid | process
    Token: SeManageVolumePrivilege | 4240 | svchost.exe
    Token: SeShutdownPrivilege | 2128 | explorer.exe
    Token: SeCreatePagefilePrivilege | 2128 | explorer.exe
  • Suspicious use of FindShellTrayWindow
    explorer.exe

    Reported IOCs

    pid | process
    2128 | explorer.exe
Processes 7
  • C:\Users\Admin\AppData\Local\Temp\intelsoftwareassetmanagerservice.exe
    "C:\Users\Admin\AppData\Local\Temp\intelsoftwareassetmanagerservice.exe"
    PID:4948
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ShowSplit.txt
    Opens file in notepad (likely ransom note)
    PID:3904
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
    PID:4120
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    PID:1852
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    Suspicious use of AdjustPrivilegeToken
    PID:4240
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    PID:2364
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
    Modifies Internet Explorer settings
    Modifies registry class
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    PID:2128
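Reading the two sections above together: every one of the six signatures is attributed to a Windows process (explorer.exe PID 2128, svchost.exe PID 4240, NOTEPAD.EXE PID 3904), none to the submitted sample's own PID 4948, and the registry paths are the ShellBag (BagMRU) and IE toolbar-lock keys explorer.exe writes during normal shell activity, which is consistent with the 1/10 score. The helper below is an added example, not part of the sandbox's tooling: it transcribes the report's process list, signatures and registry IOCs, attributes signatures to PIDs, separates sample behaviour from system-process noise, and checks each hash label against its digest length (the 128-hex digest in the General section is SHA512-length). Constant and function names are ours; the known-noise patterns are an assumption about what explorer.exe writes on its own.

```python
"""Triage helpers for a sandbox report of this shape (added example)."""
import re
from collections import defaultdict

SAMPLE_PID = 4948
USER_SID = "S-1-5-21-3751123196-3323558407-1869646069-1000"

# PID -> image path, transcribed from the "Processes 7" section.
PROCESSES = {
    4948: r"C:\Users\Admin\AppData\Local\Temp\intelsoftwareassetmanagerservice.exe",
    3904: r"C:\Windows\system32\NOTEPAD.EXE",
    4120: r"C:\Windows\system32\svchost.exe",
    1852: r"C:\Windows\system32\rundll32.exe",
    4240: r"C:\Windows\System32\svchost.exe",
    2364: r"C:\Windows\SysWOW64\DllHost.exe",
    2128: r"C:\Windows\explorer.exe",
}

# Signature name -> PIDs the report attributes it to ("Signatures 6").
SIGNATURES = [
    ("Modifies Internet Explorer settings", [2128]),
    ("Modifies registry class", [2128]),
    ("Opens file in notepad (likely ransom note)", [3904]),
    ("Suspicious behavior: AddClipboardFormatListener", [2128]),
    ("Suspicious use of AdjustPrivilegeToken", [4240, 2128]),
    ("Suspicious use of FindShellTrayWindow", [2128]),
]


def _user_key(suffix: str) -> str:
    """Prefix a per-user registry path with the report's HKU SID hive."""
    return "\\REGISTRY\\USER\\" + USER_SID + suffix


# Registry keys from the two registry signatures (value data dropped).
REGISTRY_IOCS = [
    _user_key(r"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked"),
    _user_key(r"\Software\Microsoft\Internet Explorer\Toolbar"),
    _user_key(r"_Classes\Local Settings\Software\Microsoft\Windows\Shell"),
    _user_key(r"_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU"),
    _user_key(r"_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots"),
    _user_key(r"_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx"),
    _user_key(r"_Classes\Local Settings"),
]

# Assumption: keys explorer.exe writes on its own when the shell starts or a
# folder is browsed; they should not be read as behaviour of the sample.
KNOWN_EXPLORER_NOISE = [
    (re.compile(r"_Classes\\Local Settings(\\Software\\Microsoft\\Windows\\Shell(\\BagMRU.*)?)?$", re.I),
     "ShellBag folder-view bookkeeping by explorer.exe"),
    (re.compile(r"\\Internet Explorer\\Toolbar(\\Locked)?$", re.I),
     "IE toolbar lock flag written by explorer.exe"),
]

HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256", 128: "SHA512"}


def hash_algorithm(digest: str) -> str:
    """Name the hash family from a hex digest's length ('unknown' otherwise)."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return "unknown"
    return HASH_LENGTHS.get(len(digest), "unknown")


def signatures_by_pid(signatures=SIGNATURES):
    """Invert the signature list: PID -> names of signatures blamed on it."""
    by_pid = defaultdict(list)
    for name, pids in signatures:
        for pid in pids:
            by_pid[pid].append(name)
    return dict(by_pid)


def sample_signatures(sample_pid=SAMPLE_PID, signatures=SIGNATURES):
    """Signatures the report attributes to the submitted sample itself."""
    return signatures_by_pid(signatures).get(sample_pid, [])


def classify_registry_ioc(path: str) -> str:
    """Label a registry IOC as known explorer.exe noise, else 'review'."""
    for pattern, label in KNOWN_EXPLORER_NOISE:
        if pattern.search(path):
            return label
    return "review"


def triage_summary(sample_pid=SAMPLE_PID, signatures=SIGNATURES, iocs=REGISTRY_IOCS):
    """One-glance view: what fired on the sample vs. on Windows' own processes."""
    by_pid = signatures_by_pid(signatures)
    system_hits = {PROCESSES.get(pid, f"pid {pid}"): names
                   for pid, names in by_pid.items() if pid != sample_pid}
    return {
        "sample_signatures": by_pid.get(sample_pid, []),
        "system_process_signatures": system_hits,
        "registry_noise": sum(classify_registry_ioc(p) != "review" for p in iocs),
        "registry_review": [p for p in iocs if classify_registry_ioc(p) == "review"],
    }


if __name__ == "__main__":
    # The 128-hex digest from the General section: length says SHA512.
    long_digest = ("96676730f1529972ee7f6582d43d856ffeed4706d26042c961ed14598eb03c0b"
                   "e410c1fe4d993b5a2eb594a7de0eba5b9004c713e29ae7e932947beda1de80b4")
    print("digest family:", hash_algorithm(long_digest))
    print(triage_summary())
```

Anything that lands in `registry_review`, or any signature attributed to the sample PID, is what would justify escalating beyond the score; for this report both come back empty.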
Network
MITRE ATT&CK Matrix
  Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
  Mapped techniques: Defense Evasion > Modify Registry (from the "Modifies Internet Explorer settings" signature); no other tactic has a technique mapped in this report.
Downloads
  • memory/4240-130-0x000001D114E40000-0x000001D114E50000-memory.dmp
  • memory/4240-131-0x000001D114F40000-0x000001D114F50000-memory.dmp