djvu | 3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

sotema_5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	sotema_5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	sotema_5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	sotema_5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sotema_5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sotema_5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sotema_5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	sotema_5.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1648 90044 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	90044	rundll32.exe

RedLine payload 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1004-181-0x00000000003D0000-0x00000000003F0000-memory.dmp	family_redline
behavioral1/memory/1004-182-0x0000000000AE0000-0x0000000000AFE000-memory.dmp	family_redline
behavioral1/memory/912-186-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/912-187-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/912-188-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/912-189-0x0000000000417F26-mapping.dmp	family_redline
behavioral1/memory/912-191-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/912-193-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/4008-248-0x0000000000F80000-0x0000000000FCC000-memory.dmp	family_redline
behavioral1/memory/4008-250-0x0000000002820000-0x000000000286A000-memory.dmp	family_redline
behavioral1/memory/8136-255-0x0000000001250000-0x000000000129A000-memory.dmp	family_redline
behavioral1/memory/19572-256-0x0000000004B20000-0x0000000004B6C000-memory.dmp	family_redline
behavioral1/memory/19572-257-0x0000000004CC0000-0x0000000004D0A000-memory.dmp	family_redline
behavioral1/memory/8136-258-0x0000000002BE0000-0x0000000002C28000-memory.dmp	family_redline
behavioral1/memory/89856-323-0x0000000000422136-mapping.dmp	family_redline
behavioral1/memory/89856-327-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

q0Fwz_T4LAQz8dJyhaB9EYa9.exe_4LnBsM0yrD2L7htiErLE234.exehOMV9OgAUpAdsm8TepfvssZO.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	q0Fwz_T4LAQz8dJyhaB9EYa9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	_4LnBsM0yrD2L7htiErLE234.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	hOMV9OgAUpAdsm8TepfvssZO.exe

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1900-270-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1868-374-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

ASPack v2.12-2.42 16 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\libcurlpp.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\setup_install.exe	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 25 IoCs

Processes:

setup_install.exesotema_2.exesotema_3.exesotema_5.exesotema_1.exesotema_6.exesotema_8.exesotema_7.exesotema_8.tmpsotema_7.exeo8hCzaJO_nvNn2S4l695jM56.exeWiYlAWDMp3O16UhDq2ibSu_F.exe8pDynfzqHl__bhXEAFvPp7s5.exeCUs5OwdfQUHr1yxQ4TAjuz36.exeVoADIiy5peyln9TEiuEJxjhi.exeInstall.exeVoADIiy5peyln9TEiuEJxjhi.exeInstall.exe72dk2O80Vq8pPGW6BobPkRCm.exeCBQ60RWEniy_p3meA_xzy0bK.exePRg1GKzNP8Cbe7NJuqXTQmMj.exe_4LnBsM0yrD2L7htiErLE234.exehOMV9OgAUpAdsm8TepfvssZO.exeq0Fwz_T4LAQz8dJyhaB9EYa9.exeCBQ60RWEniy_p3meA_xzy0bK.exe

pid	process
1728	setup_install.exe
1060	sotema_2.exe
556	sotema_3.exe
1644	sotema_5.exe
1124	sotema_1.exe
1004	sotema_6.exe
304	sotema_8.exe
1552	sotema_7.exe
1544	sotema_8.tmp
912	sotema_7.exe
1496	o8hCzaJO_nvNn2S4l695jM56.exe
1660	WiYlAWDMp3O16UhDq2ibSu_F.exe
1060	8pDynfzqHl__bhXEAFvPp7s5.exe
1764	CUs5OwdfQUHr1yxQ4TAjuz36.exe
804	VoADIiy5peyln9TEiuEJxjhi.exe
2096	Install.exe
2148	VoADIiy5peyln9TEiuEJxjhi.exe
2276	Install.exe
2352	72dk2O80Vq8pPGW6BobPkRCm.exe
2320	CBQ60RWEniy_p3meA_xzy0bK.exe
2376	PRg1GKzNP8Cbe7NJuqXTQmMj.exe
4008	_4LnBsM0yrD2L7htiErLE234.exe
8136	hOMV9OgAUpAdsm8TepfvssZO.exe
19572	q0Fwz_T4LAQz8dJyhaB9EYa9.exe
17380	CBQ60RWEniy_p3meA_xzy0bK.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1900-270-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1868-374-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 7 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

q0Fwz_T4LAQz8dJyhaB9EYa9.exeInstall.exe_4LnBsM0yrD2L7htiErLE234.exehOMV9OgAUpAdsm8TepfvssZO.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	q0Fwz_T4LAQz8dJyhaB9EYa9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	_4LnBsM0yrD2L7htiErLE234.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	_4LnBsM0yrD2L7htiErLE234.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hOMV9OgAUpAdsm8TepfvssZO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	hOMV9OgAUpAdsm8TepfvssZO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	q0Fwz_T4LAQz8dJyhaB9EYa9.exe

Loads dropped DLL 64 IoCs

Processes:

3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d.exesetup_install.execmd.execmd.execmd.execmd.exesotema_2.exesotema_3.exesotema_5.execmd.execmd.execmd.exesotema_8.exesotema_6.exesotema_7.exesotema_8.tmpWerFault.exesotema_7.exeWerFault.exe8pDynfzqHl__bhXEAFvPp7s5.exeWiYlAWDMp3O16UhDq2ibSu_F.exeCUs5OwdfQUHr1yxQ4TAjuz36.exe

pid	process
1212	3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d.exe
1212	3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d.exe
1212	3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d.exe
1728	setup_install.exe
1728	setup_install.exe
1728	setup_install.exe
1728	setup_install.exe
1728	setup_install.exe
1728	setup_install.exe
1728	setup_install.exe
1728	setup_install.exe
428	cmd.exe
428	cmd.exe
1304	cmd.exe
1304	cmd.exe
792	cmd.exe
1812	cmd.exe
1060	sotema_2.exe
1060	sotema_2.exe
556	sotema_3.exe
556	sotema_3.exe
1644	sotema_5.exe
1644	sotema_5.exe
1256	cmd.exe
1256	cmd.exe
1096	cmd.exe
1780	cmd.exe
1780	cmd.exe
304	sotema_8.exe
304	sotema_8.exe
1004	sotema_6.exe
1004	sotema_6.exe
1552	sotema_7.exe
1552	sotema_7.exe
304	sotema_8.exe
1544	sotema_8.tmp
1544	sotema_8.tmp
1544	sotema_8.tmp
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
1060	sotema_2.exe
1552	sotema_7.exe
912	sotema_7.exe
912	sotema_7.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
1644	sotema_5.exe
1644	sotema_5.exe
1644	sotema_5.exe
1644	sotema_5.exe
1644	sotema_5.exe
1644	sotema_5.exe
1644	sotema_5.exe
1644	sotema_5.exe
1644	sotema_5.exe
1060	8pDynfzqHl__bhXEAFvPp7s5.exe
1060	8pDynfzqHl__bhXEAFvPp7s5.exe
1660	WiYlAWDMp3O16UhDq2ibSu_F.exe
1660	WiYlAWDMp3O16UhDq2ibSu_F.exe
1764	CUs5OwdfQUHr1yxQ4TAjuz36.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

89880 icacls.exe
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 34.142.181.181

pid	process
89880	icacls.exe

description	ioc
Destination IP	34.142.181.181

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

VoADIiy5peyln9TEiuEJxjhi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6d849bcc-6ed6-450f-9049-24ae9953a7da\\VoADIiy5peyln9TEiuEJxjhi.exe\" --AutoStart"	VoADIiy5peyln9TEiuEJxjhi.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

Processes:

_4LnBsM0yrD2L7htiErLE234.exehOMV9OgAUpAdsm8TepfvssZO.exeq0Fwz_T4LAQz8dJyhaB9EYa9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	_4LnBsM0yrD2L7htiErLE234.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hOMV9OgAUpAdsm8TepfvssZO.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	q0Fwz_T4LAQz8dJyhaB9EYa9.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 ipinfo.io
27 ipinfo.io
118 api.2ip.ua
128 api.2ip.ua
153 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

_4LnBsM0yrD2L7htiErLE234.exehOMV9OgAUpAdsm8TepfvssZO.exeq0Fwz_T4LAQz8dJyhaB9EYa9.exe

pid process

4008 _4LnBsM0yrD2L7htiErLE234.exe
8136 hOMV9OgAUpAdsm8TepfvssZO.exe
19572 q0Fwz_T4LAQz8dJyhaB9EYa9.exe

flow	ioc
26	ipinfo.io
27	ipinfo.io
118	api.2ip.ua
128	api.2ip.ua
153	ip-api.com

pid	process
4008	_4LnBsM0yrD2L7htiErLE234.exe
8136	hOMV9OgAUpAdsm8TepfvssZO.exe
19572	q0Fwz_T4LAQz8dJyhaB9EYa9.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

sotema_7.exeVoADIiy5peyln9TEiuEJxjhi.exe

description	pid	process	target process
PID 1552 set thread context of 912	1552	sotema_7.exe	sotema_7.exe
PID 804 set thread context of 2148	804	VoADIiy5peyln9TEiuEJxjhi.exe	VoADIiy5peyln9TEiuEJxjhi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

908 1728 WerFault.exe setup_install.exe
840 556 WerFault.exe sotema_3.exe

pid	pid_target	process	target process
908	1728	WerFault.exe	setup_install.exe
840	556	WerFault.exe	sotema_3.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

sotema_2.exeCUs5OwdfQUHr1yxQ4TAjuz36.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CUs5OwdfQUHr1yxQ4TAjuz36.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CUs5OwdfQUHr1yxQ4TAjuz36.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CUs5OwdfQUHr1yxQ4TAjuz36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

90016 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2780 timeout.exe

pid	process
90016	schtasks.exe

pid	process
2780	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

276 taskkill.exe

pid	process
276	taskkill.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

sotema_5.exeVoADIiy5peyln9TEiuEJxjhi.exesotema_3.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sotema_5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	VoADIiy5peyln9TEiuEJxjhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sotema_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sotema_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	sotema_5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sotema_5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VoADIiy5peyln9TEiuEJxjhi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sotema_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	sotema_5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	sotema_5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sotema_5.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 131 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	131	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sotema_2.exeCUs5OwdfQUHr1yxQ4TAjuz36.exe

pid	process
1060	sotema_2.exe
1060	sotema_2.exe
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1764	CUs5OwdfQUHr1yxQ4TAjuz36.exe
1764	CUs5OwdfQUHr1yxQ4TAjuz36.exe
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

sotema_2.exeCUs5OwdfQUHr1yxQ4TAjuz36.exe

pid process

1060 sotema_2.exe
1764 CUs5OwdfQUHr1yxQ4TAjuz36.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

sotema_7.exesotema_6.exe

description	pid	process
Token: SeDebugPrivilege	912	sotema_7.exe
Token: SeDebugPrivilege	1004	sotema_6.exe
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1232
1232
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1232
1232

pid	process
1232
1232

pid	process
1232
1232

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d.exesetup_install.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1212 wrote to memory of 1728	1212	3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d.exe	setup_install.exe
PID 1212 wrote to memory of 1728	1212	3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d.exe	setup_install.exe
PID 1212 wrote to memory of 1728	1212	3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d.exe	setup_install.exe
PID 1212 wrote to memory of 1728	1212	3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d.exe	setup_install.exe
PID 1212 wrote to memory of 1728	1212	3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d.exe	setup_install.exe
PID 1212 wrote to memory of 1728	1212	3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d.exe	setup_install.exe
PID 1212 wrote to memory of 1728	1212	3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d.exe	setup_install.exe
PID 1728 wrote to memory of 792	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 792	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 792	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 792	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 792	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 792	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 792	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 428	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 428	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 428	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 428	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 428	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 428	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 428	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1304	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1304	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1304	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1304	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1304	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1304	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1304	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1052	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1052	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1052	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1052	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1052	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1052	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1052	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1812	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1812	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1812	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1812	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1812	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1812	1728	setup_install.exe	cmd.exe
PID 1728 wrote to memory of 1812	1728	setup_install.exe	cmd.exe
PID 428 wrote to memory of 1060	428	cmd.exe	sotema_2.exe
PID 428 wrote to memory of 1060	428	cmd.exe	sotema_2.exe
PID 428 wrote to memory of 1060	428	cmd.exe	sotema_2.exe
PID 428 wrote to memory of 1060	428	cmd.exe	sotema_2.exe
PID 428 wrote to memory of 1060	428	cmd.exe	sotema_2.exe
PID 428 wrote to memory of 1060	428	cmd.exe	sotema_2.exe
PID 428 wrote to memory of 1060	428	cmd.exe	sotema_2.exe
PID 1304 wrote to memory of 556	1304	cmd.exe	sotema_3.exe
PID 1304 wrote to memory of 556	1304	cmd.exe	sotema_3.exe
PID 1304 wrote to memory of 556	1304	cmd.exe	sotema_3.exe
PID 1304 wrote to memory of 556	1304	cmd.exe	sotema_3.exe
PID 1304 wrote to memory of 556	1304	cmd.exe	sotema_3.exe
PID 1304 wrote to memory of 556	1304	cmd.exe	sotema_3.exe
PID 1304 wrote to memory of 556	1304	cmd.exe	sotema_3.exe
PID 792 wrote to memory of 1124	792	cmd.exe	sotema_1.exe
PID 792 wrote to memory of 1124	792	cmd.exe	sotema_1.exe
PID 792 wrote to memory of 1124	792	cmd.exe	sotema_1.exe
PID 792 wrote to memory of 1124	792	cmd.exe	sotema_1.exe
PID 792 wrote to memory of 1124	792	cmd.exe	sotema_1.exe
PID 792 wrote to memory of 1124	792	cmd.exe	sotema_1.exe
PID 792 wrote to memory of 1124	792	cmd.exe	sotema_1.exe
PID 1728 wrote to memory of 1256	1728	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d.exe
"C:\Users\Admin\AppData\Local\Temp\3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_1.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\sotema_1.exe
sotema_1.exe
4⤵
- Executes dropped EXE
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_3.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\sotema_3.exe
sotema_3.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 972
5⤵
- Loads dropped DLL
- Program crash
PID:840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_2.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:428

C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\sotema_2.exe
sotema_2.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_5.exe
3⤵
- Loads dropped DLL
PID:1812

C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\sotema_5.exe
sotema_5.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1644

C:\Users\Admin\Documents\o8hCzaJO_nvNn2S4l695jM56.exe
"C:\Users\Admin\Documents\o8hCzaJO_nvNn2S4l695jM56.exe"
5⤵
- Executes dropped EXE
PID:1496

C:\Users\Admin\Documents\8pDynfzqHl__bhXEAFvPp7s5.exe
"C:\Users\Admin\Documents\8pDynfzqHl__bhXEAFvPp7s5.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\Yhncm6z3ScbXiiMU\Cleaner.exe"
6⤵
PID:89960

C:\Users\Admin\AppData\Local\Temp\Yhncm6z3ScbXiiMU\Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Yhncm6z3ScbXiiMU\Cleaner.exe"
7⤵
PID:90024

C:\Users\Admin\Documents\WiYlAWDMp3O16UhDq2ibSu_F.exe
"C:\Users\Admin\Documents\WiYlAWDMp3O16UhDq2ibSu_F.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660

C:\Users\Admin\AppData\Local\Temp\7zS198A.tmp\Install.exe
.\Install.exe
6⤵
- Executes dropped EXE
PID:2096

C:\Users\Admin\AppData\Local\Temp\7zS2981.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Enumerates system info in registry
PID:2276

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
8⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
9⤵
PID:89948

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
10⤵
PID:90064

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
10⤵
PID:89960

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
8⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
9⤵
PID:90068

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
10⤵
PID:240

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
10⤵
PID:1736

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gKsVsiJXw" /SC once /ST 01:58:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
8⤵
- Creates scheduled task(s)
PID:90016

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gKsVsiJXw"
8⤵
PID:1736

C:\Users\Admin\Documents\CUs5OwdfQUHr1yxQ4TAjuz36.exe
"C:\Users\Admin\Documents\CUs5OwdfQUHr1yxQ4TAjuz36.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1764

C:\Users\Admin\Documents\VoADIiy5peyln9TEiuEJxjhi.exe
"C:\Users\Admin\Documents\VoADIiy5peyln9TEiuEJxjhi.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:804

C:\Users\Admin\Documents\VoADIiy5peyln9TEiuEJxjhi.exe
"C:\Users\Admin\Documents\VoADIiy5peyln9TEiuEJxjhi.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
PID:2148

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\6d849bcc-6ed6-450f-9049-24ae9953a7da" /deny *S-1-1-0:(OI)(CI)(DE,DC)
7⤵
- Modifies file permissions
PID:89880

C:\Users\Admin\Documents\CBQ60RWEniy_p3meA_xzy0bK.exe
"C:\Users\Admin\Documents\CBQ60RWEniy_p3meA_xzy0bK.exe"
5⤵
- Executes dropped EXE
PID:2320

C:\Users\Admin\Documents\CBQ60RWEniy_p3meA_xzy0bK.exe
"C:\Users\Admin\Documents\CBQ60RWEniy_p3meA_xzy0bK.exe" -h
6⤵
- Executes dropped EXE
PID:17380

C:\Users\Admin\Documents\72dk2O80Vq8pPGW6BobPkRCm.exe
"C:\Users\Admin\Documents\72dk2O80Vq8pPGW6BobPkRCm.exe"
5⤵
- Executes dropped EXE
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:89856

C:\Users\Admin\Documents\PRg1GKzNP8Cbe7NJuqXTQmMj.exe
"C:\Users\Admin\Documents\PRg1GKzNP8Cbe7NJuqXTQmMj.exe"
5⤵
- Executes dropped EXE
PID:2376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" Ô/c taskkill /im PRg1GKzNP8Cbe7NJuqXTQmMj.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\PRg1GKzNP8Cbe7NJuqXTQmMj.exe" & del C:\PrograData\*.dll & exit
6⤵
PID:21904

C:\Windows\SysWOW64\taskkill.exe
taskkill /im PRg1GKzNP8Cbe7NJuqXTQmMj.exe /f
7⤵
- Kills process with taskkill
PID:276

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:2780

C:\Users\Admin\Documents\_4LnBsM0yrD2L7htiErLE234.exe
"C:\Users\Admin\Documents\_4LnBsM0yrD2L7htiErLE234.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4008

C:\Users\Admin\Documents\hOMV9OgAUpAdsm8TepfvssZO.exe
"C:\Users\Admin\Documents\hOMV9OgAUpAdsm8TepfvssZO.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:8136

C:\Users\Admin\Documents\q0Fwz_T4LAQz8dJyhaB9EYa9.exe
"C:\Users\Admin\Documents\q0Fwz_T4LAQz8dJyhaB9EYa9.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:19572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_4.exe
3⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\sotema_4.exe
sotema_4.exe
4⤵
PID:90104

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_6.exe
3⤵
- Loads dropped DLL
PID:1256

C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\sotema_6.exe
sotema_6.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_7.exe
3⤵
- Loads dropped DLL
PID:1780

C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\sotema_7.exe
sotema_7.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1552

C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\sotema_7.exe
C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\sotema_7.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_8.exe
3⤵
- Loads dropped DLL
PID:1096

C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\sotema_8.exe
sotema_8.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:304

C:\Users\Admin\AppData\Local\Temp\is-RHK2L.tmp\sotema_8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RHK2L.tmp\sotema_8.tmp" /SL5="$A0154,161510,77824,C:\Users\Admin\AppData\Local\Temp\7zSCB4C9FFB\sotema_8.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 420
3⤵
- Loads dropped DLL
- Program crash
PID:908

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:1648

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
PID:304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k WspService
1⤵
PID:1552

C:\Windows\system32\taskeng.exe
taskeng.exe {F4F5F2E7-AFD4-40BE-A0F0-F9571A34D848} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
PID:2572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery