829578ed964e4efeb78499514a145cb2886dcc5ffb769c836981919e6d53949f

System Information Discovery

Processes:

deiUUj8mpdyf36k.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	deiUUj8mpdyf36k.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	deiUUj8mpdyf36k.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

deiUUj8mpdyf36k.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	deiUUj8mpdyf36k.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

deiUUj8mpdyf36k.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	deiUUj8mpdyf36k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	deiUUj8mpdyf36k.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

deiUUj8mpdyf36k.exe

description pid process target process

PID 2092 set thread context of 4644 2092 deiUUj8mpdyf36k.exe deiUUj8mpdyf36k.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

616 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

deiUUj8mpdyf36k.exepowershell.exe

pid process

2092 deiUUj8mpdyf36k.exe
2384 powershell.exe
2384 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

deiUUj8mpdyf36k.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2092 deiUUj8mpdyf36k.exe
Token: SeDebugPrivilege 2384 powershell.exe

description	pid	process	target process
PID 2092 set thread context of 4644	2092	deiUUj8mpdyf36k.exe	deiUUj8mpdyf36k.exe

pid	process
616	schtasks.exe

pid	process
2092	deiUUj8mpdyf36k.exe
2384	powershell.exe
2384	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2092	deiUUj8mpdyf36k.exe
Token: SeDebugPrivilege	2384	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

deiUUj8mpdyf36k.exedeiUUj8mpdyf36k.execmd.exe

description	pid	process	target process
PID 2092 wrote to memory of 616	2092	deiUUj8mpdyf36k.exe	schtasks.exe
PID 2092 wrote to memory of 616	2092	deiUUj8mpdyf36k.exe	schtasks.exe
PID 2092 wrote to memory of 616	2092	deiUUj8mpdyf36k.exe	schtasks.exe
PID 2092 wrote to memory of 4644	2092	deiUUj8mpdyf36k.exe	deiUUj8mpdyf36k.exe
PID 2092 wrote to memory of 4644	2092	deiUUj8mpdyf36k.exe	deiUUj8mpdyf36k.exe
PID 2092 wrote to memory of 4644	2092	deiUUj8mpdyf36k.exe	deiUUj8mpdyf36k.exe
PID 2092 wrote to memory of 4644	2092	deiUUj8mpdyf36k.exe	deiUUj8mpdyf36k.exe
PID 2092 wrote to memory of 4644	2092	deiUUj8mpdyf36k.exe	deiUUj8mpdyf36k.exe
PID 2092 wrote to memory of 4644	2092	deiUUj8mpdyf36k.exe	deiUUj8mpdyf36k.exe
PID 2092 wrote to memory of 4644	2092	deiUUj8mpdyf36k.exe	deiUUj8mpdyf36k.exe
PID 2092 wrote to memory of 4644	2092	deiUUj8mpdyf36k.exe	deiUUj8mpdyf36k.exe
PID 4644 wrote to memory of 5104	4644	deiUUj8mpdyf36k.exe	cmd.exe
PID 4644 wrote to memory of 5104	4644	deiUUj8mpdyf36k.exe	cmd.exe
PID 4644 wrote to memory of 5104	4644	deiUUj8mpdyf36k.exe	cmd.exe
PID 5104 wrote to memory of 2384	5104	cmd.exe	powershell.exe
PID 5104 wrote to memory of 2384	5104	cmd.exe	powershell.exe
PID 5104 wrote to memory of 2384	5104	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\deiUUj8mpdyf36k.exe
"C:\Users\Admin\AppData\Local\Temp\deiUUj8mpdyf36k.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WxXWXfzHXGJW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp78D9.tmp"
2⤵
- Creates scheduled task(s)
PID:616

C:\Users\Admin\AppData\Local\Temp\deiUUj8mpdyf36k.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\deiUUj8mpdyf36k.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\deiUUj8mpdyf36k.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

5

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

4

Peripheral Device Discovery