sality | d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232

Modify Existing Service

T1031

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Windows security bypass 2 TTPs 6 IoCs

Disabling Security Tools

Modify Registry

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3632-133-0x0000000000810000-0x000000000189E000-memory.dmp	upx
behavioral2/memory/3632-134-0x0000000000810000-0x000000000189E000-memory.dmp	upx
behavioral2/memory/3632-153-0x0000000000810000-0x000000000189E000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3196 regsvr32.exe
3196 regsvr32.exe
2844 regsvr32.exe

pid	process
3196	regsvr32.exe
3196	regsvr32.exe
2844	regsvr32.exe

Windows security modification 2 TTPs 7 IoCs

Disabling Security Tools

Modify Registry

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
File opened (read-only)	\??\E:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\J:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\M:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\T:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\X:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\Y:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\K:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\L:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\N:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\S:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\V:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\F:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\G:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\H:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\I:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\O:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\P:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\Q:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\R:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\U:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\W:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened (read-only)	\??\Z:	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description ioc process

File opened for modification C:\autorun.inf d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
File opened for modification	C:\autorun.inf	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Drops file in System32 directory 14 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\uninstall.bat	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\iWebOffice2003.ocx	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\LOGO.ico	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\iWebOffice2003.ocx	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\LOGO.ico	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\PDF417Manager.dll	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\rar.bmp	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\rar.bmp	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\readme.txt	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\setup.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\setup.bat	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\uninstall.bat	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\PDF417Manager.dll	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\readme.txt	cmd.exe

Drops file in Program Files directory 11 IoCs

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Drops file in Windows directory 1 IoCs

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.execmd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\ = "IiWebOffice"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{343DED4C-FCD6-4018-A468-7135435F4D48}\TypeLib\ = "{D3C98026-41F8-40CA-BCAB-5A7B10328926}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3C98026-41F8-40CA-BCAB-5A7B10328926}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{343DED4C-FCD6-4018-A468-7135435F4D48}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\InprocServer32\ = "C:\\Windows\\SysWow64\\ecologyplugin\\iWebOffice\\iWebOffice2003.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{343DED4C-FCD6-4018-A468-7135435F4D48}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\TypeLib	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}\ = "IPDF417Manager"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3C98026-41F8-40CA-BCAB-5A7B10328926}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3C98026-41F8-40CA-BCAB-5A7B10328926}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}\ = "IiWebOfficeEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\MiscStatus\1\ = "205201"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\TypeLib\ = "{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\Verb	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{869D767C-835B-4521-AB59-906D0AF6A74C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BarCodeManager.PDF417Manager.1\ = "PDF417Manager Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\MiscStatus\1\ = "131473"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCDD82F-1447-4721-9313-934B9E5CB416}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCDD82F-1447-4721-9313-934B9E5CB416}\TypeLib\ = "{D3C98026-41F8-40CA-BCAB-5A7B10328926}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{343DED4C-FCD6-4018-A468-7135435F4D48}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWebOffice2003.iWebOffice	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{343DED4C-FCD6-4018-A468-7135435F4D48}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWebOffice2003.iWebOffice\ = "iWebOffice Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BarCodeManager.DLL\AppID = "{869D767C-835B-4521-AB59-906D0AF6A74C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\VersionIndependentProgID\ = "BarCodeManager.PDF417Manager"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3C98026-41F8-40CA-BCAB-5A7B10328926}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BarCodeManager.PDF417Manager\ = "PDF417Manager Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}\TypeLib\ = "{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D3C98026-41F8-40CA-BCAB-5A7B10328926}\1.0\ = "iWebOffice2003 Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCDD82F-1447-4721-9313-934B9E5CB416}\InprocServer32\ = "C:\\Windows\\SysWow64\\ecologyplugin\\iWebOffice\\iWebOffice2003.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCDD82F-1447-4721-9313-934B9E5CB416}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BarCodeManager.PDF417Manager\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\ = "BarCodeManager 1.0 ÀàÐÍ¿â"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWebOffice2003.iWebOffice\Clsid\ = "{23739A7E-5741-4D1C-88D5-D50B18F7C347}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCDD82F-1447-4721-9313-934B9E5CB416}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWebOffice2003.OfficeAddins\Clsid\ = "{CBCDD82F-1447-4721-9313-934B9E5CB416}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\ProxyStubClsid32	regsvr32.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4240 NOTEPAD.EXE

pid	process
4240	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

pid	process
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	pid	process
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
Token: SeDebugPrivilege	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.execmd.exe

description	pid	process	target process
PID 3632 wrote to memory of 800	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	fontdrvhost.exe
PID 3632 wrote to memory of 804	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	fontdrvhost.exe
PID 3632 wrote to memory of 1016	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	dwm.exe
PID 3632 wrote to memory of 2800	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	sihost.exe
PID 3632 wrote to memory of 2828	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	svchost.exe
PID 3632 wrote to memory of 2904	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	taskhostw.exe
PID 3632 wrote to memory of 696	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Explorer.EXE
PID 3632 wrote to memory of 3104	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	svchost.exe
PID 3632 wrote to memory of 3324	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	DllHost.exe
PID 3632 wrote to memory of 3420	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	StartMenuExperienceHost.exe
PID 3632 wrote to memory of 3488	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	RuntimeBroker.exe
PID 3632 wrote to memory of 3572	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	SearchApp.exe
PID 3632 wrote to memory of 3812	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	RuntimeBroker.exe
PID 3632 wrote to memory of 4708	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	RuntimeBroker.exe
PID 3632 wrote to memory of 3044	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	cmd.exe
PID 3632 wrote to memory of 3044	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	cmd.exe
PID 3632 wrote to memory of 3044	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	cmd.exe
PID 3044 wrote to memory of 3196	3044	cmd.exe	regsvr32.exe
PID 3044 wrote to memory of 3196	3044	cmd.exe	regsvr32.exe
PID 3044 wrote to memory of 3196	3044	cmd.exe	regsvr32.exe
PID 3044 wrote to memory of 2844	3044	cmd.exe	regsvr32.exe
PID 3044 wrote to memory of 2844	3044	cmd.exe	regsvr32.exe
PID 3044 wrote to memory of 2844	3044	cmd.exe	regsvr32.exe
PID 3044 wrote to memory of 4240	3044	cmd.exe	NOTEPAD.EXE
PID 3044 wrote to memory of 4240	3044	cmd.exe	NOTEPAD.EXE
PID 3044 wrote to memory of 4240	3044	cmd.exe	NOTEPAD.EXE
PID 3632 wrote to memory of 800	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	fontdrvhost.exe
PID 3632 wrote to memory of 804	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	fontdrvhost.exe
PID 3632 wrote to memory of 1016	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	dwm.exe
PID 3632 wrote to memory of 2800	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	sihost.exe
PID 3632 wrote to memory of 2828	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	svchost.exe
PID 3632 wrote to memory of 2904	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	taskhostw.exe
PID 3632 wrote to memory of 696	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Explorer.EXE
PID 3632 wrote to memory of 3104	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	svchost.exe
PID 3632 wrote to memory of 3324	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	DllHost.exe
PID 3632 wrote to memory of 3420	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	StartMenuExperienceHost.exe
PID 3632 wrote to memory of 3488	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	RuntimeBroker.exe
PID 3632 wrote to memory of 3572	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	SearchApp.exe
PID 3632 wrote to memory of 3812	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	RuntimeBroker.exe
PID 3632 wrote to memory of 4708	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	RuntimeBroker.exe
PID 3632 wrote to memory of 3044	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	cmd.exe
PID 3632 wrote to memory of 3044	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	cmd.exe
PID 3632 wrote to memory of 1436	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Conhost.exe
PID 3632 wrote to memory of 4240	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	NOTEPAD.EXE
PID 3632 wrote to memory of 4240	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	NOTEPAD.EXE
PID 3632 wrote to memory of 800	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	fontdrvhost.exe
PID 3632 wrote to memory of 804	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	fontdrvhost.exe
PID 3632 wrote to memory of 1016	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	dwm.exe
PID 3632 wrote to memory of 2800	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	sihost.exe
PID 3632 wrote to memory of 2828	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	svchost.exe
PID 3632 wrote to memory of 2904	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	taskhostw.exe
PID 3632 wrote to memory of 696	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Explorer.EXE
PID 3632 wrote to memory of 3104	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	svchost.exe
PID 3632 wrote to memory of 3324	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	DllHost.exe
PID 3632 wrote to memory of 3420	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	StartMenuExperienceHost.exe
PID 3632 wrote to memory of 3488	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	RuntimeBroker.exe
PID 3632 wrote to memory of 3572	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	SearchApp.exe
PID 3632 wrote to memory of 3812	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	RuntimeBroker.exe
PID 3632 wrote to memory of 4708	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	RuntimeBroker.exe
PID 3632 wrote to memory of 1436	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	Conhost.exe
PID 3632 wrote to memory of 800	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	fontdrvhost.exe
PID 3632 wrote to memory of 804	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	fontdrvhost.exe
PID 3632 wrote to memory of 1016	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	dwm.exe
PID 3632 wrote to memory of 2800	3632	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe	sihost.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1016

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2800

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3488

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4708

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3420

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:696

C:\Users\Admin\AppData\Local\Temp\d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe
"C:\Users\Admin\AppData\Local\Temp\d70fe2be98249d3eae1bb2826aa6f71205e40bd40442481c3ea92b0e8fbbc232.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat" "
3⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1436

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 C:\Windows\System32\ecologyplugin\iWebOffice\iWebOffice2003.ocx /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:3196

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 C:\Windows\System32\ecologyplugin\iWebOffice\PDF417Manager.dll /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:2844

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\ecologyplugin\iWebOffice\readme.txt
4⤵
- Opens file in notepad (likely ransom note)
PID:4240

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2828

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

Bypass User Account Control

T1088

Disabling Security Tools

Credential Access

Discovery

Query Registry

T1012

System Information Discovery