sality | d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232

Modify Existing Service

T1031

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Windows security bypass 2 TTPs 6 IoCs

Disabling Security Tools

Modify Registry

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/904-55-0x00000000006A0000-0x000000000172E000-memory.dmp	upx
behavioral1/memory/904-57-0x00000000006A0000-0x000000000172E000-memory.dmp	upx
behavioral1/memory/904-83-0x00000000006A0000-0x000000000172E000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

240 regsvr32.exe
524 regsvr32.exe

pid	process
240	regsvr32.exe
524	regsvr32.exe

Windows security modification 2 TTPs 7 IoCs

Disabling Security Tools

Modify Registry

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
File opened (read-only)	\??\F:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\I:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\K:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\P:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\U:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\H:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\O:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\S:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\V:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\Z:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\J:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\L:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\T:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\R:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\W:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\X:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\E:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\G:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\M:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\N:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\Q:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\Y:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description ioc process

File opened for modification C:\autorun.inf d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
File opened for modification	C:\autorun.inf	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Drops file in System32 directory 14 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\LOGO.ico	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\LOGO.ico	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\readme.txt	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\setup.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\uninstall.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\iWebOffice2003.ocx	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\PDF417Manager.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\PDF417Manager.dll	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\rar.bmp	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\rar.bmp	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\setup.bat	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\iWebOffice2003.ocx	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\readme.txt	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\uninstall.bat	cmd.exe

Drops file in Program Files directory 5 IoCs

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Drops file in Windows directory 1 IoCs

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3C98026-41F8-40CA-BCAB-5A7B10328926}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\ecologyplugin\\iWebOffice\\iWebOffice2003.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}\TypeLib\ = "{D3C98026-41F8-40CA-BCAB-5A7B10328926}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBCDD82F-1447-4721-9313-934B9E5CB416}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}\ = "IPDF417Manager"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}\TypeLib\ = "{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}\TypeLib\ = "{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\ = "IiWebOffice"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{343DED4C-FCD6-4018-A468-7135435F4D48}\TypeLib\ = "{D3C98026-41F8-40CA-BCAB-5A7B10328926}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBCDD82F-1447-4721-9313-934B9E5CB416}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\ecologyplugin\\iWebOffice\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3C98026-41F8-40CA-BCAB-5A7B10328926}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\Verb\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\ = "IiWebOffice"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BarCodeManager.PDF417Manager\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWebOffice2003.iWebOffice\ = "iWebOffice Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWebOffice2003.OfficeAddins\Clsid\ = "{CBCDD82F-1447-4721-9313-934B9E5CB416}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\TypeLib\ = "{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{343DED4C-FCD6-4018-A468-7135435F4D48}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{869D767C-835B-4521-AB59-906D0AF6A74C}\ = "BarCodeManager"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\ = "PDF417Manager Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3C98026-41F8-40CA-BCAB-5A7B10328926}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWebOffice2003.OfficeAddins\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBCDD82F-1447-4721-9313-934B9E5CB416}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BarCodeManager.DLL\AppID = "{869D767C-835B-4521-AB59-906D0AF6A74C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{343DED4C-FCD6-4018-A468-7135435F4D48}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{343DED4C-FCD6-4018-A468-7135435F4D48}\TypeLib\ = "{D3C98026-41F8-40CA-BCAB-5A7B10328926}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWebOffice2003.OfficeAddins	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{869D767C-835B-4521-AB59-906D0AF6A74C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BarCodeManager.PDF417Manager	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3C98026-41F8-40CA-BCAB-5A7B10328926}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\ProgID\ = "iWebOffice2003.iWebOffice"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BarCodeManager.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BarCodeManager.PDF417Manager.1	regsvr32.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

960 NOTEPAD.EXE

pid	process
960	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

pid	process
904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	pid	process
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.execmd.exe

description	pid	process	target process
PID 904 wrote to memory of 1120	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	taskhost.exe
PID 904 wrote to memory of 1164	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Dwm.exe
PID 904 wrote to memory of 1188	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Explorer.EXE
PID 904 wrote to memory of 1208	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	cmd.exe
PID 904 wrote to memory of 1208	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	cmd.exe
PID 904 wrote to memory of 1208	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	cmd.exe
PID 904 wrote to memory of 1208	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	cmd.exe
PID 904 wrote to memory of 1208	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	cmd.exe
PID 904 wrote to memory of 1208	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	cmd.exe
PID 904 wrote to memory of 1208	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	cmd.exe
PID 1208 wrote to memory of 240	1208	cmd.exe	regsvr32.exe
PID 1208 wrote to memory of 240	1208	cmd.exe	regsvr32.exe
PID 1208 wrote to memory of 240	1208	cmd.exe	regsvr32.exe
PID 1208 wrote to memory of 240	1208	cmd.exe	regsvr32.exe
PID 1208 wrote to memory of 240	1208	cmd.exe	regsvr32.exe
PID 1208 wrote to memory of 240	1208	cmd.exe	regsvr32.exe
PID 1208 wrote to memory of 240	1208	cmd.exe	regsvr32.exe
PID 1208 wrote to memory of 524	1208	cmd.exe	regsvr32.exe
PID 1208 wrote to memory of 524	1208	cmd.exe	regsvr32.exe
PID 1208 wrote to memory of 524	1208	cmd.exe	regsvr32.exe
PID 1208 wrote to memory of 524	1208	cmd.exe	regsvr32.exe
PID 1208 wrote to memory of 524	1208	cmd.exe	regsvr32.exe
PID 1208 wrote to memory of 524	1208	cmd.exe	regsvr32.exe
PID 1208 wrote to memory of 524	1208	cmd.exe	regsvr32.exe
PID 1208 wrote to memory of 960	1208	cmd.exe	NOTEPAD.EXE
PID 1208 wrote to memory of 960	1208	cmd.exe	NOTEPAD.EXE
PID 1208 wrote to memory of 960	1208	cmd.exe	NOTEPAD.EXE
PID 1208 wrote to memory of 960	1208	cmd.exe	NOTEPAD.EXE
PID 904 wrote to memory of 1120	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	taskhost.exe
PID 904 wrote to memory of 1164	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Dwm.exe
PID 904 wrote to memory of 1188	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Explorer.EXE
PID 904 wrote to memory of 1208	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	cmd.exe
PID 904 wrote to memory of 1208	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	cmd.exe
PID 904 wrote to memory of 2040	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	conhost.exe
PID 904 wrote to memory of 960	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	NOTEPAD.EXE
PID 904 wrote to memory of 960	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	NOTEPAD.EXE
PID 904 wrote to memory of 1120	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	taskhost.exe
PID 904 wrote to memory of 1164	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Dwm.exe
PID 904 wrote to memory of 1188	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Explorer.EXE
PID 904 wrote to memory of 2040	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	conhost.exe
PID 904 wrote to memory of 1120	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	taskhost.exe
PID 904 wrote to memory of 1164	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Dwm.exe
PID 904 wrote to memory of 1188	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Explorer.EXE
PID 904 wrote to memory of 2040	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	conhost.exe
PID 904 wrote to memory of 1120	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	taskhost.exe
PID 904 wrote to memory of 1164	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Dwm.exe
PID 904 wrote to memory of 1188	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Explorer.EXE
PID 904 wrote to memory of 2040	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	conhost.exe
PID 904 wrote to memory of 1120	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	taskhost.exe
PID 904 wrote to memory of 1164	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Dwm.exe
PID 904 wrote to memory of 1188	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Explorer.EXE
PID 904 wrote to memory of 2040	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	conhost.exe
PID 904 wrote to memory of 1120	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	taskhost.exe
PID 904 wrote to memory of 1164	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Dwm.exe
PID 904 wrote to memory of 1188	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Explorer.EXE
PID 904 wrote to memory of 2040	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	conhost.exe
PID 904 wrote to memory of 1120	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	taskhost.exe
PID 904 wrote to memory of 1164	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Dwm.exe
PID 904 wrote to memory of 1188	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Explorer.EXE
PID 904 wrote to memory of 2040	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	conhost.exe
PID 904 wrote to memory of 1120	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	taskhost.exe
PID 904 wrote to memory of 1164	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Dwm.exe
PID 904 wrote to memory of 1188	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Explorer.EXE
PID 904 wrote to memory of 2040	904	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	conhost.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
"C:\Users\Admin\AppData\Local\Temp\d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:904

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat" "
3⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 C:\Windows\System32\ecologyplugin\iWebOffice\iWebOffice2003.ocx /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:240

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 C:\Windows\System32\ecologyplugin\iWebOffice\PDF417Manager.dll /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:524

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\ecologyplugin\iWebOffice\readme.txt
4⤵
- Opens file in notepad (likely ransom note)
PID:960

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1517026120-284113391-18648207503601887681421646208-89683538-212758149-1297953913"
1⤵
PID:2040

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

Bypass User Account Control

T1088

Disabling Security Tools